Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Another firewall bypassing nuisance
Posted by: periqueador
Date: July 08, 2008 12:02AM

Hey guys :) i'm kinda new to this forum and I'd like to see if someone can enlighten me on a little issue im having.

So, theres a webserver running on port 80, behind a firewall, this firewall does not let the webserver access the internet UNLESS I have initiated a connection.

(Request Diagram)
[Me:1234] {request}-> *internet* {request}-> [firewall] {request}-> webserver:80

(Response Diagram)

*[Firewall Rule]
*[Did opened from port 1234 a request on webserver:80previously?]

webserver:80 response-> [Firewall Rule] YES {FORWARD}-> *internet* ->response [Me:1234]
/////////////////////////////////////// NO -> [Drop packet]

Sorry for the lame diagram heh, so, the only visible port from the outside is port 80, is there any way to increase the connectivity to the target LAN?

I've seen a few examples like php-findsock-shell: http://pentestmonkey.net/tools/php-findsock-shell/ -- thought this app only works on php/linux AND the target server is running Windows/Coldfusion.

What is the best approach on this situation? I've seen also other methods like process doubling, discussed on: http://ha.ckers.org/blog/20080127/process-doubling/ thought I couldnt find any real life implementation.

Browsing through the forum I also found some discussions that mentioned setting up PPTP on the webserver, is this also possible on a Coldfusion server? And would this raise any flags?

Options: ReplyQuote
Re: Another firewall bypassing nuisance
Posted by: id
Date: July 08, 2008 02:04AM

I think you're confused about how TCP works with firewalls.

You send a SYN packet from source port 1234 to port 80
Firewall doesn't care what source port (probably), but rule says let a SYN packet pass in on port 80 to that server
Server responds with a SYN-ACK packet which is allowed through the firewall, but possibly for different reasons.
1. pass all/any rule outbound
2. pass only established packets (SYN-ACK) outbound
3. pass only packets outbound that match state based on the initial packet that came in.

So you can possibly get a shell to connect back out to you depending on the firewall's configuration.

The shell on pentestmonkey sits at port 80, so the firewall (assuming it isn't a WAF or working with an IPS/HIDS) won't do anything to block it.

If there is a IPS/HIDS/HIPS/whatfuckinever you can probably change the name of the shell and it won't catch it, yeah, they're usually that fucking lame.

Setting up PPTP also relies on the firewall being configured wrong, but hey, it probably is.

99% of the time no one is going to catch you doing shit, and if you're not dumb enough to attack from your own IP, who cares if they do? hit them from another source.


Options: ReplyQuote
Re: Another firewall bypassing nuisance
Posted by: MAdhaTTer-240
Date: July 09, 2008 10:48AM

So, as far as ways to get something more then html/asp from the webserver the only things I can think of are....

-- Attack the HTTP service, exploit it, and make the Web Server connect to you (what are the odds they have egress filtering on the firewall)
-- Attack the firewall it self, old and unpatched ios, no reverse path filtering, what ever
-- Lastely, well thats all that comes to mind.

Anyone else see something I missed?

Options: ReplyQuote
Re: Another firewall bypassing nuisance
Posted by: id
Date: July 09, 2008 02:14PM

Well if you're talking about general exploitation to get on a box then there are tons of "other things" you can do.

For the case with a correctly configured/non-exploitable firewall, with a staff immune to social engineering and no other services that can be exploited, then the pentestmonkey (or similar port 80 intercept shell) is probably your best bet!

yay for hypothetical situations.


Options: ReplyQuote
Re: Another firewall bypassing nuisance
Posted by: MAdhaTTer-240
Date: July 09, 2008 03:09PM

I was referring only to circumventing firewalls. Did I miss something other then exploiting poor firewall rules? What is the deal with the pentestmonkey shell thing?

I am guessing it is this http://pentestmonkey.net/tools/php-findsock-shell/
Thanks for the tip :)

Options: ReplyQuote

Sorry, only registered users may post in this forum.