Re: fwop: win32 tcp port proxy tool

From: Amin Tora (amintora@gmail.com)
Date: Wed Jan 11 2006 - 17:02:41 EST


Yes, it's very similar to netcat - but there's some differences -
[correct me if I'm wrong here]:

-netcat does not listen on two simultaneous ports at the same time
[without having to run two separate instances of netcat]
-netcat does not proxy inherently without outputting from two separate
netcat processes to a FIFO file...

On 1/11/06, Hazel, Scott A. <Scott.Hazel@unisys.com> wrote:
> Hello Amin.
>
> I'm not a pen-tester but how does this utility differ from netcat? From
> the examples in the readme, they seem to do much of the same thing.
> Thanks.
>
> Scott Hazel
>
>
> -----Original Message-----
> From: Amin Tora [mailto:amintora@gmail.com]
> Sent: Tuesday, January 10, 2006 8:24 PM
> To: pen-test@securityfocus.com
> Subject: fwop: win32 tcp port proxy tool
>
> I wanted to share a utility I wrote a while back for win32 based
> platforms. I've used it off and on during pen testing. And wanted some
> feedback.
>
> This version I'm making publicly available retains the payload in clear
> without encoding or encryption ... later releases may include encoding
> - i.e. protocol tunneling/'cloaking' - as well as encryption
> {HTTPS,SSH,etc.}
>
> It's available at: http://www.int0x21.com/projects.html
>
> Below is the readme for the tool.
>
> ----------------------=[ 0x01 Introduction ]=-----------------------
>
> fwop is a multi-threaded console application written in C for win-32
> based platforms. It relies on Microsoft winsock DLL version 2 which
> comes with Windows operating systems. It allows the user to relay or
> 'proxy' any TCP based communications between processes on the local
> system or on remote systems.
>
>
> ----------------------=[ 0x02 Uses ]=-----------------------
>
> ---tcp port proxying---
>
> fwop can be used to proxy TCP connections over different ports when
> there is a firewall or access list disallowing communications over
> default ports. Let's say you would like to run Microsoft remote desktop
> through a firewall or router [fw] with access lists that block such
> traffic.
>
> In a normal remote desktop connection, a client would allocate a random
> high tcp port (>1023) and use that port to connect to the server's tcp
> port 3389, like so:
>
> [client](1234)---------->(3389)[server]
>
> Now, let's say you have a router or firewall that blocks traffic
> destined to port tcp 3389 and does not allow you to make such a
> connection:
>
> [client](1234)-------->x[FW].......(3389)[server]
>
> But let's say that the firewall allows tcp port 80 (http) traffic
> outbound from the server side. If so, you can use fwop on both endpoints
> and relay the traffic over port tcp:80.
>
> (rdpclient)--->[fwop]<----------[fwop]---->(rdpserver)
>
> In this scenario, fwop on the client listens on two ports. fwop on the
> server makes a connection to the rdp server and initiates a connection
> over port 80 to fwop on the client. The rdp client software establishes
> a connection to fwop on the client. The connection is tunneled between
> the client and server.
> This is how you'd use fwop to perform this:
>
> a. on [client]{ip:10.1.1.5}
> run fwop to listen on two available ports like 4444 and 80 like so:
>
> fwop 4444 80
>
> b. on [server]{ip:10.2.2.5}
> run fwop to connect to the local rdp server (tcp:3389) and connect
> to fwop running on the client over tcp:80 like so:
>
> fwop 127.0.0.1:3389 10.2.2.5:80
>
> c. on [client]
> run the rdp client software and connect to localhost (127.0.0.1) on
> the tcp port that fwop is listening on {in our case tcp:4444}.
>
> The following depicts this setup:
>
> [client]                                       [server]
> [rdpc]-->(4444)[fwop](80)<----[fw]----(highport)[fwop](highport)--->(3389)[rdps]
>
>
> In this scenario, the firewall only allows tcp:80 outbound from the
> server side. By using fwop, we've bypassed the firewall and established
> a direct connection from outside the firewall to the server on port 3389
> by tunneling the traffic via a connection initiated by the server.
>
> This of course requires some other control vector on the server side
> that you can manipulate.
>
> ---attack proxying---
>
> Replace client above with metasploit attack tool
> [http://www.metasploit.com/]... you get the picture...
>
> And the remote system does not have to be the same host - it could be
> another host inside the network behind the firewall. ;)
>
> ---network ips testing---
>
> You can also use fwop to test your ips configuration to see if it can
> detect anomalies in the communications. For example, normal telnet
> traffic should not have a large amount of data. Also, the IPS should
> detect that traffic on specific ports should match protocol
> specifications (i.e. HTTP, SSH, HTTPS/SSL/TLS, DNS, etc.) ... re: anomaly
> detection...
>
>
> ----------------------=[ 0x03 Known Limitations]=-----------------------
>
> 1. Host based IPS systems may block fwop as it relies on winsock DLL.
>
> 2. Traffic tunneled is left intact without any form of 'cloaking'.
> Therefore smarter firewalls and network based ips systems may detect,
> alert and/or prohibit the traffic.
>
> ----------------------=[ 0x04 Final Notes ]=-----------------------
>
> 1. If you use fwop in your applications please let me know.
>
> 2. Next release of fwop will have ability to cloak traffic based on the
> well known ports and behave as a client/server conforming to protocol
> specifications to bypass network based IDS/IPS and firewalls with
> content aware intelligence.
>
>
> --
> Amin Tora
> http://www.int0x21.com
>

--
Amin Tora
http://www.int0x21.com
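The readme's "network ips testing" section says traffic on a well-known port should match that port's protocol specification. As an added illustration (not code from fwop or from the original post), here is a small Python check over constructed flow records that models the readme's RDP-over-port-80 relay: on port 80 the TCP initiator should speak first, and its first bytes should be an HTTP request line. The heuristics, the 10.x/203.0.113.x addresses and the sample RDP bytes are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed heuristics for this example, not any IPS product's signatures.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n")

def is_http(data: bytes) -> bool:
    # The first client bytes of a plain HTTP/1.x connection are a request line.
    return HTTP_REQUEST_LINE.match(data) is not None

def is_tls(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

# dport -> (protocol name, first-payload check); both protocols expect the TCP initiator to speak first.
EXPECTED = {80: ("HTTP", is_http), 443: ("TLS", is_tls)}

@dataclass
class Flow:
    src: str               # TCP initiator
    dst: str               # TCP responder
    dport: int
    initiator_first: bool  # did the initiator send the first payload bytes?
    first_payload: bytes   # first payload bytes on the connection, whichever side sent them

def check_flow(flow):
    # Returns an alert string when a flow on a well-known port does not behave like that protocol.
    rule = EXPECTED.get(flow.dport)
    if rule is None:
        return None  # no expectation recorded for this port
    name, check = rule
    who = f"{flow.src}->{flow.dst}:{flow.dport}"
    if not flow.initiator_first:
        return f"{who}: responder spoke first, but a {name} client sends first"
    if not check(flow.first_payload):
        return f"{who}: first payload does not look like {name}"
    return None

def scan(flows):
    return [alert for alert in map(check_flow, flows) if alert]

# Constructed sample flows. The second models the readme's setup: the inside host opened the
# port-80 connection outbound and the first bytes on it are a minimal RDP X.224 Connection
# Request (TPKT header 03 00) relayed from the RDP client on the other end.
RDP_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 80, True, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.2.2.5", "10.1.1.5", 80, False, RDP_CONNECTION_REQUEST),
    Flow("10.1.1.5", "203.0.113.10", 443, True, bytes.fromhex("160301002e0100")),
]
```

Running `scan(SAMPLE_FLOWS)` flags only the second flow; a real sensor would need the first payload bytes of each TCP session, which is exactly what the readme's uncloaked relay leaves visible.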


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:21 EDT