Penetration Testing mailing list archives
RE: fwop: win32 tcp port proxy tool
From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Wed, 11 Jan 2006 01:38:28 -0500
Hello Amin.

I'm not a pen-tester but how does this utility differ from netcat? From the examples in the readme, they seem to do much of the same thing.

Thanks.

Scott Hazel

-----Original Message-----
From: Amin Tora [mailto:amintora () gmail com]
Sent: Tuesday, January 10, 2006 8:24 PM
To: pen-test () securityfocus com
Subject: fwop: win32 tcp port proxy tool

I wanted to share a utility I wrote a while back for win32 based platforms. I've used it off and on during pen testing, and wanted some feedback.

This version I'm making publicly available retains the payload in clear without encoding or encryption ... later releases may include encoding - i.e. 'protocol tunneling/cloaking' - as well as encryption {HTTPS, SSH, etc.}

It's available at: http://www.int0x21.com/projects.html

Below is the readme for the tool.

----------------------=[ 0x01 Introduction ]=-----------------------

fwop is a multi-threaded console application written in C for win-32 based platforms. It relies on Microsoft winsock DLL version 2 which comes with Windows operating systems. It allows the user to relay or 'proxy' any TCP based communications between processes on the local system or on remote systems.

----------------------=[ 0x02 Uses ]=-----------------------

---tcp port proxying---

fwop can be used to proxy TCP connections over different ports when there is a firewall or access list disallowing communications over default ports.

Let's say you would like to run Microsoft remote desktop through a firewall or router [fw] with access lists that block such traffic.

In a normal remote desktop connection, a client would allocate a random high tcp port (>1023) and use that port to connect to the server's tcp port 3389, like so:

[client](1234)---------->(3389)[server]

Now, let's say you have a router or firewall that blocks traffic destined to port tcp 3389 and does not allow you to make such a connection:

[client](1234)-------->x[FW].......(3389)[server]

But let's say that the firewall allows tcp port 80 (http) traffic outbound from the server side. If so, you can use fwop on both endpoints and relay the traffic over port tcp:80.

(rdpclient)--->[fwop]<----------[fwop]---->(rdpserver)

In this scenario, fwop on the client listens on two ports. fwop on the server makes a connection to the rdp server and initiates a connection over port 80 to fwop on the client. The rdp client software establishes a connection to fwop on the client. The connection is tunneled between the client and server.

This is how you'd use fwop to perform this:

a. on [client]{ip:10.1.1.5} run fwop to listen on two available ports like 4444 and 80 like so:

   fwop 4444 80

b. on [server]{ip:10.2.2.5} run fwop to connect to the local rdp server (tcp:3389) and connect to fwop running on the client over tcp:80 like so:

   fwop 127.0.0.1:3389 10.2.2.5:80

c. on [client] run the rdp client software and connect to localhost (127.0.0.1) on the tcp port that fwop is listening on {in our case tcp:4444}.

The following depicts this setup:

[client]                                          [server]
[rdpc]-->(4444)[fwop](80)<----[fw]----(highport)[fwop](highport)--->(3389)[rdps]

In this scenario, the firewall only allows tcp:80 outbound from the server side. By using fwop, we've bypassed the firewall and established a direct connection from outside the firewall to the server on port 3389 by tunneling the traffic via a connection initiated by the server. This of course requires some other control vector on the server side that you can manipulate.

---attack proxying---

Replace client above with metasploit attack tool [http://www.metasploit.com/]... you get the picture... And the remote system does not have to be the same host - it could be another host inside the network behind the firewall. ;)

---network ips testing---

You can also use fwop to test your ips configuration to see if it can detect anomalies in the communications. For example, normal telnet traffic should not have a large amount of data. Also, the IPS should detect that traffic on specific ports should match protocol specifications {i.e. HTTP, SSH, HTTPS/SSL/TLS, DNS, etc.}... re: anomaly detection...

----------------------=[ 0x03 Known Limitations ]=-----------------------

1. Host based IPS systems may block fwop as it relies on winsock DLL.

2. Traffic tunneled is left intact without any form of 'cloaking'. Therefore smarter firewalls and network based ips systems may detect, alert and/or prohibit the traffic.

----------------------=[ 0x04 Final Notes ]=-----------------------

1. If you use fwop in your applications please let me know.

2. Next release of fwop will have the ability to cloak traffic based on the well known ports and behave as a client/server conforming to protocol specifications to bypass network based IDS/IPS and firewalls with content aware intelligence.

--
Amin Tora
http://www.int0x21.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
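The readme's "network ips testing" section and known limitation 2 together describe the detection opportunity a cleartext relay leaves: on the readme's own diagram, the tcp:80 connection is opened from the server side and the first payload on it is the RDP client's X.224 Connection Request coming back from the responder, not an HTTP request from the initiator. The Python below is an added example, not code from fwop or from the original post, that runs such a port/protocol conformance check over a few constructed flow summaries. The Flow record layout, the sample flows, the port-to-protocol table and the 64 KiB telnet volume threshold are all assumptions made for this example; the TPKT/X.224 and TLS record header checks use the public wire formats.

```python
"""Protocol-conformance checks for TCP flows on well-known ports.

Added example (not part of fwop or the mailing-list post). A relay like the
one described sends unaltered RDP over tcp:80, so a flow on port 80 whose
first bytes are not an HTTP request line is flagged, as is a flow where the
responder speaks first. Record layout, sample flows and the telnet threshold
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# HTTP/1.x request line expected as the initiator's first bytes on tcp:80.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)


@dataclass
class Flow:
    """One TCP flow as a sensor might summarise it (constructed layout)."""
    initiator: str          # 'ip:port' of the side that sent the SYN
    responder: str          # 'ip:port' of the accepting side
    dport: int              # responder's port
    initiator_first: bytes  # first payload bytes sent by the initiator
    responder_first: bytes  # first payload bytes sent by the responder
    total_bytes: int        # payload volume, both directions


def is_http_request(data: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(data) is not None


def is_tls_client_hello(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 3,
    # 16-bit length, then handshake type 0x01 (ClientHello).
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def is_rdp_connection_request(data: bytes) -> bool:
    # TPKT header (version 3, reserved 0, 16-bit length) followed by an
    # X.224 Connection Request TPDU (length indicator, then code 0xE0).
    return len(data) >= 6 and data[0] == 0x03 and data[1] == 0x00 and data[5] == 0xE0


# Protocols where the initiator is expected to speak first, keyed by port.
EXPECTED = {
    80: ("http", is_http_request),
    443: ("tls", is_tls_client_hello),
    3389: ("rdp", is_rdp_connection_request),
}

# Interactive telnet carries little payload; the readme calls a large volume
# on telnet anomalous. The limit itself is a constructed value.
TELNET_VOLUME_LIMIT = 64 * 1024


def identify(data: bytes) -> str:
    """Best-effort label for a payload prefix, independent of the port seen."""
    for name, matcher in EXPECTED.values():
        if matcher(data):
            return name
    return "unknown"


def check_flow(flow: Flow) -> list:
    """Return finding strings for one flow; an empty list means it conforms."""
    findings = []
    expected = EXPECTED.get(flow.dport)
    if expected is not None:
        name, matcher = expected
        if not flow.initiator_first and flow.responder_first:
            # Reverse-relay signature: connection opened from the inside,
            # application payload comes back from the responder first.
            findings.append(
                f"{flow.dport}/tcp: responder spoke first with "
                f"{identify(flow.responder_first)}, expected {name} from initiator"
            )
        elif not matcher(flow.initiator_first):
            findings.append(
                f"{flow.dport}/tcp: initiator sent {identify(flow.initiator_first)}, "
                f"expected {name}"
            )
    if flow.dport == 23 and flow.total_bytes > TELNET_VOLUME_LIMIT:
        findings.append(
            f"23/tcp: {flow.total_bytes} bytes on telnet exceeds {TELNET_VOLUME_LIMIT}"
        )
    return findings


# X.224 Connection Request with an RDP negotiation request (constructed bytes).
RDP_X224_CR = (b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"
               b"\x01\x00\x08\x00\x03\x00\x00\x00")
# X.224 Connection Confirm (code 0xD0) as the RDP server's first reply.
RDP_X224_CC = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

# Constructed sample flows (documentation-range addresses). The second one
# mirrors the readme diagram: the server-side relay opens tcp:80 to the
# client-side relay and the RDP client's request arrives from the responder.
SAMPLE_FLOWS = [
    Flow("10.1.1.5:51000", "192.0.2.10:80", 80,
         b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n", 4200),
    Flow("10.2.2.5:49152", "10.1.1.5:80", 80, b"", RDP_X224_CR, 910_000),
    Flow("10.1.1.5:51001", "10.1.1.9:23", 23, b"\xff\xfd\x18", b"\xff\xfb\x01", 2 * 1024 * 1024),
    Flow("10.1.1.5:51002", "10.1.1.9:3389", 3389, RDP_X224_CR, RDP_X224_CC, 120_000),
]


def run(flows=SAMPLE_FLOWS) -> dict:
    """Map 'initiator->responder' to the findings for each flow."""
    return {f"{f.initiator}->{f.responder}": check_flow(f) for f in flows}


if __name__ == "__main__":
    for key, findings in run().items():
        print(key, "OK" if not findings else "; ".join(findings))
```

The check keys on who speaks first as much as on what they say: a relay that merely swaps ports leaves the direction of the first payload pointing back at the initiator, which is visible even before any signature on the bytes themselves. The cloaking the readme promises for a later release is precisely what would defeat the byte-level part of this check, which is why limitation 2 matters to a defender.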
Current thread:
- fwop: win32 tcp port proxy tool Amin Tora (Jan 10)
- <Possible follow-ups>
- RE: fwop: win32 tcp port proxy tool Hazel, Scott A. (Jan 10)
- Re: fwop: win32 tcp port proxy tool Amin Tora (Jan 11)