I’ve been experimenting with bypassing firewalls today, based on results from this Nessus plugin.

Essentially it's down to a firewall misconfigured to allow access based only on the source port. This way packets can be sent to any other destination port through the firewall, simply by sending them from the trusted source port.

I’ve managed to exploit it on Linux by setting up these weak iptables rules:

iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

I also managed to exploit it on Cisco IOS using these weak ACL rules:

permit udp any eq domain any range 1 65535
permit tcp any eq domain any range 1 65535

You then just use nmap with the source port flag set to 53 (udp/53 here), in this case connecting to the SNMP port udp/161, which is normally filtered on the firewall:

nmap -sU --reason -v -n -PN -p161 target.ip.address -g53
161/udp open  snmp    udp-response

The fix is to check the source port and limit the destination ports to the client's ephemeral range (1024 and above, as the rules below do; and vice versa for OUTPUT), and also limit the IPs that are allowed to connect. You could even disable DNS-over-TCP and still be able to make DNS lookups. Something like:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p udp -s dns.server.ip --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp -d dns.server.ip --dport 53 --sport 1024:65535 -j ACCEPT

You could go further and limit the network interface, check that the source/destination IP matches your local IP, enable connection tracking (the state machine) and only allow new connections outbound, etc. In IOS the fix would be something like:

permit udp dns.server.ip eq 53 local.ip gt 1023
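To make the difference between the weak and fixed rule sets concrete, here is an added example (mine, not from the original post or any tool it mentions). It parses the iptables and Cisco IOS rule syntax used above into one common form, flags ACCEPT/permit rules that trust a source port without pinning the peer address and destination port range, and replays a source-port-53 probe aimed at udp/161 and a genuine DNS reply against both rule sets. The addresses in the packets are constructed; `dns.server.ip` and `local.ip` are the post's own placeholders, and address matching is exact-string or `any` (no CIDR or wildcard-mask arithmetic), a deliberate simplification.

```python
"""Audit and replay source-port-based firewall rules (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
# Service names IOS accepts in place of port numbers (small subset).
PORT_NAMES = {"domain": 53, "snmp": 161, "ntp": 123}


@dataclass
class Rule:
    text: str
    proto: str                  # udp, tcp or all
    src: str                    # address string or 'any'
    sport: Optional[PortRange]  # None = source port not matched on
    dst: str
    dport: Optional[PortRange]
    stateful: bool              # iptables --state / --ctstate present
    accept: bool                # ACCEPT / permit


def _iptables_range(spec: str) -> PortRange:
    """'53' -> (53, 53); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_iptables(line: str) -> Rule:
    """Parse one 'iptables -A CHAIN ...' command line."""
    def opt(flag: str) -> Optional[str]:
        m = re.search(rf"(?:^|\s){flag}\s+(\S+)", line)
        return m.group(1) if m else None
    return Rule(text=line.strip(), proto=opt("-p") or "all", src=opt("-s") or "any",
                sport=_iptables_range(opt("--sport")) if opt("--sport") else None,
                dst=opt("-d") or "any",
                dport=_iptables_range(opt("--dport")) if opt("--dport") else None,
                stateful=bool(re.search(r"--(ct)?state\s", line)),
                accept=opt("-j") == "ACCEPT")


def _ios_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _ios_ports(tok: List[str], i: int):
    """Optional IOS port operator (eq/gt/lt/range) starting at tok[i]."""
    if i < len(tok):
        if tok[i] == "eq":
            p = _ios_port(tok[i + 1])
            return (p, p), i + 2
        if tok[i] == "gt":
            return (_ios_port(tok[i + 1]) + 1, 65535), i + 2
        if tok[i] == "lt":
            return (0, _ios_port(tok[i + 1]) - 1), i + 2
        if tok[i] == "range":
            return (_ios_port(tok[i + 1]), _ios_port(tok[i + 2])), i + 3
    return None, i


def _ios_addr(tok: List[str], i: int):
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 1   # bare address as the post writes it; wildcard masks not handled


def parse_ios(line: str) -> Rule:
    """Parse one 'permit|deny PROTO SRC [op] DST [op]' ACL entry."""
    tok = line.split()
    src, i = _ios_addr(tok, 2)
    sport, i = _ios_ports(tok, i)
    dst, i = _ios_addr(tok, i)
    dport, _ = _ios_ports(tok, i)
    return Rule(line.strip(), tok[1], src, sport, dst, dport,
                stateful=False, accept=tok[0] == "permit")


def audit(rule: Rule) -> List[str]:
    """Weaknesses that let a forged source port reach arbitrary services."""
    if not rule.accept or rule.sport is None:
        return []  # deny rules and rules not keyed on source port are out of scope
    issues = []
    if rule.src == "any":
        issues.append("source port trusted from any peer address")
    if rule.dport is None or rule.dport[0] < 1024:
        issues.append("destination range includes privileged service ports")
    return issues


def _in(r: Optional[PortRange], port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("all", pkt["proto"])
            and rule.src in ("any", pkt["src"]) and _in(rule.sport, pkt["sport"])
            and rule.dst in ("any", pkt["dst"]) and _in(rule.dport, pkt["dport"]))


def decide(rules: List[Rule], pkt: dict) -> str:
    """First-match evaluation with an implicit DROP policy (iptables -P INPUT DROP)."""
    for r in rules:
        if matches(r, pkt):
            return "ACCEPT" if r.accept else "DROP"
    return "DROP"


# Rule sets from the post; PROBE and DNS_REPLY are constructed packets.
WEAK = [parse_iptables("iptables -A INPUT -p udp --sport 53 -j ACCEPT"),
        parse_ios("permit udp any eq domain any range 1 65535")]
FIXED = [parse_iptables("iptables -A INPUT -p udp -s dns.server.ip --sport 53 --dport 1024:65535 -j ACCEPT"),
         parse_ios("permit udp dns.server.ip eq 53 local.ip gt 1023")]
PROBE = {"proto": "udp", "src": "203.0.113.9", "sport": 53, "dst": "local.ip", "dport": 161}
DNS_REPLY = {"proto": "udp", "src": "dns.server.ip", "sport": 53, "dst": "local.ip", "dport": 40123}

if __name__ == "__main__":
    for r in WEAK + FIXED:
        print(f"{r.text}: {audit(r) or 'ok'}")
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "probe ->", decide(rules, PROBE), "| dns reply ->", decide(rules, DNS_REPLY))
```

Running it shows both weak rules flagged on both counts and the probe accepted, while the fixed rules pass the audit, drop the probe, and still accept the reply from the configured DNS server. The audit deliberately leaves connection tracking out, since the post treats that as an optional further step; a real auditor would run this over `iptables-save` output and the device's `show access-lists`.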

In other news, my car has gone back to the dealership today to be repaired, I’ve currently got their C4 Grand Picasso, which is a manual and the 5-speed gearbox sounds like it needs another gear to go up to. Hopefully my car will be back by Wednesday.

My loft has been boarded out; it's surprising how many struts are up there keeping the roof up. A lot of the storage space is hard to get to, so I've put stuff I wouldn't need to get to very often there.

Gonna be Friday night drink and a movie tonight I think.