fwop: win32 tcp port proxy tool

From: Amin Tora (amintora@gmail.com)
Date: Tue Jan 10 2006 - 20:24:14 EST


I wanted to share a utility I wrote a while back for win32 based
platforms. I've used it off and on during pen testing. And wanted
some feedback.

This version I'm making publicly available retains the payload in the
clear, without encoding or encryption. Later releases may include
encoding (i.e. protocol tunneling/cloaking) as well as encryption
(HTTPS, SSH, etc.).

It's available at: http://www.int0x21.com/projects.html

Below is the readme for the tool.

----------------------=[ 0x01 Introduction ]=-----------------------

fwop is a multi-threaded console application written in C for Win32
platforms. It relies on the Microsoft Winsock 2 DLL that ships with
Windows. It allows the user to relay, or 'proxy', any TCP-based
communication between processes on the local system or on remote systems.

----------------------=[ 0x02 Uses ]=-----------------------

---tcp port proxying---

fwop can be used to proxy TCP connections over different ports when
a firewall or access list disallows communication over the default
ports. Let's say you would like to run Microsoft Remote Desktop
through a firewall or router [fw] whose access lists block such traffic.

In a normal remote desktop connection, a client allocates a random
high tcp port (>1023) and uses that port to connect to the server's tcp
port 3389, like so:

[client](1234)---------->(3389)[server]

Now, let's say you have a router or firewall that blocks traffic destined
to port tcp 3389 and does not allow you to make such a connection:

[client](1234)-------->x[FW].......(3389)[server]

But let's say that the firewall allows tcp port 80 (http) traffic outbound
from the server side. If so, you can run fwop on both endpoints and relay
the traffic over tcp:80.

  (rdpclient)--->[fwop]<----------[fwop]---->(rdpserver)

In this scenario, fwop on the client listens on two ports. fwop on the server
connects to the local rdp server and then initiates an outbound connection over
port 80 to fwop on the client. The rdp client software connects to the other
listening port on the client, and each fwop relays between its two connections,
so the rdp session is tunneled between client and server over the port 80
connection. This is how you'd use fwop to perform this:

 a. on [client]{ip:10.1.1.5}
    run fwop to listen on two available ports, e.g. 4444 and 80, like so:

        fwop 4444 80

 b. on [server]{ip:10.2.2.5}
    run fwop to connect to the local rdp server (tcp:3389) and to fwop
    running on the client (10.1.1.5) over tcp:80, like so:

        fwop 127.0.0.1:3389 10.1.1.5:80

 c. on [client]
    run the rdp client software and connect to localhost (127.0.0.1) on the tcp
    port that fwop is listening on {in our case tcp:4444}.

The following depicts this setup:

       [client] [server]
[rdpc]-->(4444)[fwop](80)<----[fw]----(highport)[fwop](highport)--->(3389)[rdps]

In this scenario, the firewall only allows tcp:80 outbound from the server side.
By using fwop, we've bypassed the firewall: the rdp client outside it reaches
the server's tcp:3389 through a tunnel carried on a connection that the server
itself initiated.

This of course requires some other control vector on the server side that you
can use to start fwop there.

---attack proxying---

Replace the client above with the metasploit attack tool
[http://www.metasploit.com/]... you get the picture...

And the target does not have to be the host running fwop - the first argument
of the server-side fwop can point at another host inside the network behind
the firewall. ;)

---network ips testing---

You can also use fwop to test your IPS configuration: does it detect anomalies
in the relayed communications? For example, normal telnet traffic should not
carry a large amount of data, and the IPS should notice that traffic on a
well-known port does not match the protocol expected there (HTTP, SSH,
HTTPS/SSL/TLS, DNS, etc.), i.e. anomaly detection.
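A minimal version of the port/protocol check the paragraph above asks an IPS to make, added here as an illustration; it is not from the readme and not any product's rule language. The flow records are constructed: flow 4 is what the uncloaked rdp-over-tcp:80 tunnel looks like on the wire (the first bytes an rdp client sends are a TPKT header, 0x03 0x00, not an HTTP method), flow 3 is a telnet-port flow moving far more data than an interactive session would. The method list, the 1 MB telnet threshold and the assumption that a telnet session opens with IAC (0xff) option negotiation are this example's own simplifications.

```python
# Constructed flow records: destination port, bytes sent by the client, and
# the first bytes the client sent. None of this is captured traffic.
FLOWS = [
    {"id": 1, "dport": 80, "bytes": 412, "head": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"},
    {"id": 2, "dport": 23, "bytes": 2_100, "head": b"\xff\xfd\x18\xff\xfb\x18"},  # small telnet session
    {"id": 3, "dport": 23, "bytes": 48_000_000, "head": b"\xff\xfd\x18\xff\xfb\x18"},  # telnet port, bulk data
    {"id": 4, "dport": 80, "bytes": 9_300_000, "head": b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"},  # TPKT/X.224 on 80
    {"id": 5, "dport": 22, "bytes": 5_000, "head": b"SSH-2.0-OpenSSH_6.7\r\n"},
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
TELNET_MAX_BYTES = 1_000_000  # assumption: an interactive session does not move this much


def matches_port_protocol(dport, head):
    """Does the first client data look like the protocol expected on this port?"""
    if dport == 80:
        return head.startswith(HTTP_METHODS)  # HTTP starts with a request line
    if dport == 22:
        return head.startswith(b"SSH-")  # SSH starts with its version banner
    if dport == 23:
        return head[:1] == b"\xff"  # assumption: telnet opens with IAC option negotiation
    return True  # no expectation recorded for other ports


def flag_flows(flows):
    """Return (flow id, reason) for every flow an anomaly-based IPS should alert on."""
    alerts = []
    for f in flows:
        if not matches_port_protocol(f["dport"], f["head"]):
            alerts.append((f["id"], "payload on port %d does not match expected protocol" % f["dport"]))
        if f["dport"] == 23 and f["bytes"] > TELNET_MAX_BYTES:
            alerts.append((f["id"], "bulk data on an interactive port"))
    return alerts


if __name__ == "__main__":
    for flow_id, reason in flag_flows(FLOWS):
        print("flow %d: %s" % (flow_id, reason))
```

Only flows 3 and 4 are flagged; the real http, ssh and short telnet flows pass. The same two checks, port-protocol match and volume per port, are what the readme's limitation 2 warns about: the tunnel moves rdp bytes unchanged, so anything that looks at the first bytes on tcp:80 sees that they are not HTTP.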

----------------------=[ 0x03 Known Limitations]=-----------------------

1. Host based IPS systems may block fwop as it relies on winsock DLL.

2. Traffic tunneled is left intact without any form of 'cloaking'. Therefore
   smarter firewalls and network-based IPS systems may detect, alert on and/or
   prohibit the traffic.

----------------------=[ 0x04 Final Notes ]=-----------------------

1. If you use fwop in your applications please let me know.

2. The next release of fwop will have the ability to cloak traffic based on the
well-known ports and behave as a client/server conforming to protocol
specifications, to bypass network-based IDS/IPS and firewalls with content-aware
intelligence.

--
Amin Tora
http://www.int0x21.com