Penetration Testing mailing list archives

Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Fri, 29 Sep 2000 07:30:59 -0700

How's this for an attack scenario...

Since the firewall is not blocking any outbound traffic (bad move) I would
make an effort to acquire the email addresses of internal users. That
shouldn't be too hard to do if they do business with anyone. Once I had that
I would send HTML email to those addresses and try to exploit this 'feature'
of Windows: http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html. I would then
crack the passwords for the accounts that viewed the email and try to log on
to listening services using those accounts and passwords.

Assumptions:
1. I am able to find a valid email address.
2. HTML mail is not cleaned before it reaches the user.
3. The email client does HTML mail.
4. The email client is residing on a MS OS.
5. The users who read the email have authenticated to an NT domain.
6. The users who read the email have the ability to log on to the listening
services I am trying to access via open firewall ports.

Any comments regarding this method of attack would be greatly appreciated. I
am new to the process of penetration testing.

-dave

-----Original Message-----
From: Leon Rosenstein
To: PEN-TEST () SECURITYFOCUS COM
Sent: 9/27/00 8:27 AM
Subject: [PEN-TEST] NAT / Stateful Packet Inspection Questions

Hi everyone.  This is the first time I am posting to this list so please
don't flame me if the question sounds insane or is out-of-line.  If you feel
forced to flame me at least have enough respect to do it in private.  I am
just curious and seeking knowledge.

I would like to set up a scenario and see what the group thinks.

I was trying to help my friend audit his network through a penetration test.
I found the firewall impenetrable (at least by me, which does not really say
that much) (insert joke about newbies here).

The network has no remote access points (it does not have a VPN or any
Dial-Up Servers).  It has only a server, router, & firewall.

The firewall is doing both NAT and Stateful Packet Inspection (SPI from here
on in).  There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has cached
or is aware of the potential incoming connection).  If the connection comes
back in on a different port than the firewall expects (assumes) it will drop
the connection.

Is there any way to circumvent this firewall (or any firewalls that employ
NAT and SPI as their primary defense mechanisms?)  Is there any way to get
direct access to the server?  I have port scanned the router and found
listening ports and remote administration software but I am curious as to
how one could circumvent the firewall (if this is done through hijacking the
router I would be curious about that also).

I know very talented people in the industry read this list so any help would
be much appreciated.

Oh and please feel free to respond on list or off.

Thanks in advance

Leon
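As an added illustration, not part of either message in this thread, the following Python model captures the default policy Leon describes (anything going out may go out; inbound packets are accepted only when they match a flow the firewall has already seen; a reply arriving on a different port than expected is dropped) and adds an optional egress allow-list to show what Dave's remark about the firewall "not blocking any outbound traffic" means in practice. All addresses, ports and the `StatefulFirewall` class are constructed for the example, not taken from the thread or any product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    proto: str = "tcp"

class StatefulFirewall:
    """Toy model of the thread's default policy: anything going out may go out,
    nothing comes in unless it matches a flow the firewall has already seen."""

    def __init__(self, inside_prefix="10.0.0.", egress_allow=None):
        self.inside_prefix = inside_prefix
        # None reproduces "not blocking any outbound traffic"; a set of
        # destination ports restricts what internal hosts may connect to.
        self.egress_allow = egress_allow
        self.state = set()   # tracked flows: (src, sport, dst, dport, proto)

    def filter(self, pkt):
        """Return 'allow' or 'drop' and update the connection table."""
        if pkt.src.startswith(self.inside_prefix):         # outbound packet
            if self.egress_allow is not None and pkt.dport not in self.egress_allow:
                return "drop"                              # egress rule hit
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Inbound: accepted only as the exact reverse of a tracked flow, so a
        # reply arriving on a different port than expected is dropped.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if reverse in self.state else "drop"

if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not from the thread.
    inside, web, other = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    default = StatefulFirewall()
    print([default.filter(p) for p in (
        Packet(inside, 40000, web, 80),       # outbound request: allow
        Packet(web, 80, inside, 40000),       # matching reply: allow
        Packet(web, 8080, inside, 40000),     # reply on the wrong port: drop
        Packet(other, 1234, inside, 25),      # unsolicited inbound: drop
    )])
    strict = StatefulFirewall(egress_allow={25, 80, 443})
    print([strict.filter(p) for p in (
        Packet(inside, 40001, other, 6667),   # outbound to unlisted port: drop
        Packet(other, 6667, inside, 40001),   # no state was created: drop
    )])
```

With no egress list the model allows any internal host to open a flow to any outside port, which is exactly the condition Dave's reply relies on; the second firewall shows that an egress allow-list stops both the outbound connection and the state entry that would have let the reply back in.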

