[NSE] firewall-bypass.nse

[Hani Benhabiles <kroosec () gmail com>]

Hi list,

description = [[
Exploits a vulnerability in netfilter and other firewalls that use 
helpers to dynamically open ports for protocols such as ftp and sip.

The script works by spoofing a packet from the target server asking for 
opening a related connection to a target port which will be
fulfilled by the firewall through the adequate protocol helper port. The 
attacking machine should be on the same network segment as the
firewall for this to work. The script supports ftp helper on both IPv4 
and IPv6. Real path filter is used to prevent such attacks.

Based on work done by Eric Leblond.

For more information, see:
    * 
http://home.regit.org/2012/03/playing-with-network-layers-to-bypass-firewalls-filtering-policy/
]]

---
-- @args firewall-bypass.helper The helper to use. Defaults to 
<code>ftp</code>.
-- Supported helpers: ftp (Both IPv4 and IPv6).
--
-- @args firewall-bypass.helperport If not using the helper's default port.
--
-- @args firewall-bypass.targetport Port to test vulnerability on. 
Target port should be a
-- non-open port. If not given, the script will try to find a filtered 
or closed port from
-- the port scan results.
--
-- @usage
-- nmap --script firewall-bypass <target>
-- nmap --script firewall-bypass --script-args 
firewall-bypass.helper="ftp", firewall-bypass.targetport=22 <target>
--
-- @output
-- Host script results:
-- | firewall-bypass:
-- |_  Firewall vulnerable to bypass through ftp helper. (IPv4)

Again, I would like to thank Eric Leblond for his work and help on some 
issues I had.

Cheers,
Hani.

--
Hani Benhabiles

Twitter: https://twitter.com/#!/kroosec
Blog: http://kroosec.blogspot.com

Attachment: firewall-bypass.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/