Penetration Testing mailing list archives

Re: Win2K & XP IPSEC Filtering bypass


From: "Adam Tuliper" <amt () gecko-software com>
Date: Thu, 20 May 2004 15:45:08 -0400

This trick is pretty old and can be disabled. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;811832


On Wed, 19 May 2004 22:48:26 +0100 "JJ Gray" <jj () irmplc com> wrote:
Hi folks,
    As a result of a recent engagement looking at Windows host hardening, I came across this little trick and thought it might be useful at some point. The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).

First off, Microsoft themselves state that IPSEC filters are not designed as a full featured host based firewall [1] and it is already known that certain types of traffic are exempt from IPSEC filters [2] and they can be summarised as:

* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos

In a Microsoft support note [2] there is the line:
"The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit."

The test host here has a "block all" rule created using:

ipsecpol.exe -x -w REG -p "The Black Knight" -r "NoneShallPass" -n BLOCK -f 0=*::*

Normal Nmap scan:

# nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
The SYN Stealth Scan took 7 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
88/tcp closed kerberos-sec

Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds

Port 88 closed is the hint, Nmap again using this source port:

# nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
Adding open port 445/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1433/tcp
Adding open port 1027/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 0 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1433/tcp open  ms-sql-s

Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds

As can be seen, the IPSEC filters are bypassed. Although not designed as a host based firewall, IPSEC filters are being used as such, particularly to block popular attacked ports such as NETBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.

In Windows 2003 all of these default exemptions have been removed with the exception of IKE [1] and I believe that this may be incorporated into earlier Windows versions at some point.

Cheers,
            JJ


[1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207
[2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169


---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/
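The exemption quoted above from KB 253169 ("source or destination port = 88, permit") also gives a defender something concrete to look for: a KDC only answers client-initiated exchanges, so a fresh TCP SYN from source port 88 towards a service port such as 445 or 1433 is not Kerberos. The Python below is an added example, not part of this thread; the log line format, the sample lines and the KNOWN_KDCS address are constructed.

```python
# Added example (not from the original post): flag packets that a "block all"
# IPSEC policy still passes because of the Kerberos source-port exemption.
# Constructed log format: "<time> <proto> <src>:<sport> > <dst>:<dport> [tcpflags]".
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+))?$"
)
KERBEROS_PORT = 88
KNOWN_KDCS = {"172.25.0.1"}  # constructed: domain controllers allowed to answer from port 88

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["flags"] = pkt["flags"] or ""
    return pkt

def kerberos_exempt(pkt):
    """The exemption as quoted from KB 253169: TCP or UDP with source or destination port 88."""
    return pkt["proto"] in ("tcp", "udp") and KERBEROS_PORT in (pkt["sport"], pkt["dport"])

def abuses_exemption(pkt):
    """Exempt only via the source port and not plausibly a KDC reply: a KDC never
    opens a TCP connection (bare SYN) from port 88, and it is one of KNOWN_KDCS."""
    if not kerberos_exempt(pkt) or pkt["dport"] == KERBEROS_PORT:
        return False
    opens_tcp = pkt["proto"] == "tcp" and "S" in pkt["flags"] and "A" not in pkt["flags"]
    return opens_tcp or pkt["src"] not in KNOWN_KDCS

def find_abuse(lines):
    """Parse log lines and return the packets that ride the exemption."""
    return [p for p in map(parse_line, lines) if p and abuses_exemption(p)]

SAMPLE_LOG = """\
18:14:01 tcp 172.25.0.7:45120 > 172.25.0.14:445 S
18:14:01 tcp 172.25.0.1:88 > 172.25.0.14:49201 SA
18:14:02 tcp 172.25.0.7:88 > 172.25.0.14:445 S
18:14:02 tcp 172.25.0.7:88 > 172.25.0.14:1433 S
18:14:03 udp 172.25.0.14:49300 > 172.25.0.1:88
18:14:03 udp 172.25.0.9:88 > 172.25.0.14:137
""".splitlines()  # constructed sample, loosely modelled on the scan in the post

if __name__ == "__main__":
    for p in find_abuse(SAMPLE_LOG):
        print(f"{p['ts']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} rides the Kerberos exemption")
```

The first sample line is dropped by the "block all" rule anyway, and the second and fifth are the legitimate Kerberos shapes (a KDC reply and a client request to port 88), so only the three that use source port 88 to reach other services are reported.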
