Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
Firewall hole punching
Posted by: jungsonn
Date: December 19, 2006 12:55PM

http://www.heise-security.co.uk/articles/82481/0
(a trillian example)

Has anyone already tried something like this, but then at the TCP level?
If so, I'd like to hear about it.

Gonna be interesting if this can be done in a practical way.

Re: Firewall hole punching
Posted by: rsnake
Date: December 19, 2006 03:44PM

I've seen things like this before yah. The craziest version was actually TCP/IP over HTTP. Everything allows HTTP (and big files at that). As long as the two way connection is relatively quick there's no reason you can't tunnel TCP/IP over HTTP.

- RSnake
Gotta love it. http://ha.ckers.org

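RSnake's remark that TCP/IP can ride over HTTP because "everything allows HTTP" is easy to make concrete. The following is an added example written for this page, not code from the thread or from any tool it mentions: a minimal TCP-over-HTTP tunnel in which the only thing crossing the "firewall" is a sequence of ordinary HTTP requests to a relay. The relay, the target service (a constructed uppercase echo server) and the session ids are all assumptions of the example; the polling GET/POST scheme is one simple framing, not the only one.

```python
import http.client
import socket
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse


def start_target_server():
    """Constructed stand-in for the TCP service being reached through the
    tunnel: it uppercases whatever it receives. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data.upper())

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


SESSIONS = {}  # session id -> TCP socket the relay holds open to the target


class RelayHandler(BaseHTTPRequestHandler):
    """Relay on the far side of the firewall. Each TCP operation is carried
    as a plain HTTP request, which is all an HTTP-only egress policy sees."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        url = urlparse(self.path)
        q = parse_qs(url.query)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if url.path == "/open":  # relay connects to the target for us
            sock = socket.create_connection((q["host"][0], int(q["port"][0])))
            sock.settimeout(0.2)
            sid = uuid.uuid4().hex
            SESSIONS[sid] = sock
            self._reply(sid.encode())
        elif url.path == "/send":  # request body = bytes for the TCP stream
            SESSIONS[q["sid"][0]].sendall(body)
            self._reply(b"")
        else:
            self.send_error(404)

    def do_GET(self):  # response body = bytes read from the TCP stream
        url = urlparse(self.path)
        q = parse_qs(url.query)
        if url.path != "/recv":
            self.send_error(404)
            return
        try:
            data = SESSIONS[q["sid"][0]].recv(65536)
        except socket.timeout:
            data = b""  # nothing pending yet; the client polls again
        self._reply(data)

    def _reply(self, data):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_relay():
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), RelayHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


class HttpTunnelClient:
    """Inside the firewall: send/recv on a TCP stream using nothing but HTTP."""

    def __init__(self, relay_port, host, port):
        self.http = http.client.HTTPConnection("127.0.0.1", relay_port)
        self.http.request("POST", f"/open?host={host}&port={port}", body=b"")
        self.sid = self.http.getresponse().read().decode()

    def send(self, data):
        self.http.request("POST", f"/send?sid={self.sid}", body=data)
        self.http.getresponse().read()

    def recv(self):
        self.http.request("GET", f"/recv?sid={self.sid}")
        return self.http.getresponse().read()


def tunnel_roundtrip(payload):
    """Push payload through the relay to the target and collect the reply."""
    client = HttpTunnelClient(start_relay(), "127.0.0.1", start_target_server())
    client.send(payload)
    out = b""
    for _ in range(20):  # poll until the whole reply has come back
        out += client.recv()
        if len(out) >= len(payload):
            break
    return out


if __name__ == "__main__":
    print(tunnel_roundtrip(b"tcp over port 80"))
```

The round trip works with a stock stateful firewall that allows outbound HTTP only, because from the firewall's point of view there is one client making POST and GET requests to one web server. The price is latency (every read is a poll) and the relay holding TCP state; RSnake's caveat that the two-way connection needs to be "relatively quick" is exactly that polling cost.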
Re: Firewall hole punching
Posted by: jungsonn
Date: December 20, 2006 02:17AM

Exactly, it's interesting to see how Trillian sifts through the incoming ports and then punches a hole to the other client, despite the firewall.

Re: Firewall hole punching
Posted by: id
Date: December 20, 2006 04:06AM

Only a broken firewall implementation would allow this using TCP. ICMP on the other hand could get away with it (and has been used as a covert channel to bypass firewalls for years).

Also a properly configured firewall that wanted to stop this type of traffic using UDP could as well. Of course most firewalls aren't configured worth a shit, so yeah...

-id

Re: Firewall hole punching
Posted by: ntp
Date: December 23, 2006 07:55PM

Firewall hole punching works in a large variety of cases. It's almost like magic, but really it's just simple UDP crosstalk. Firewalls that do not maintain state also create serious holes such as TCP ACK server listeners. This is all just TCP/IP weirdness due to the adoption of a firewall and NAT in a world where they don't belong.

I do have open questions about firewall hole punching.

If either NAT box (the near end and the far end) does random changing of outgoing ports (à la OpenBSD's pf), how does this change the ability to do firewall hole punching?

Samy claims this is possible (even though his existing code doesn't support it). Yes, this is the same samy of myspace worm fame.
http://samy.pl/chownat/

He also claims that he can do full client/server (with no 3rd party) without the server knowing the client beforehand. Again, no code yet - but he claims this is possible. Anyone have any idea how? He must be using a 3rd party for this... right?

Finally, let's pretend the firewall blocks all outgoing UDP. A local DNS server pair provides DNS (through DNS forwarding), but each server has a secondary NIC to a separate firewall and does not have IP forwarding turned on. ICMP is also not allowed. Is TCP hole punching the only valid method for most firewalls (assume Check Point Firewall-1, OpenBSD pf, and/or Linux Netfilter)? Or is another IP protocol possible to get through the firewall (assuming regular default policies)? I dunno about IPv6 or any others, but this is interesting to me.

Re: Firewall hole punching
Posted by: rsnake
Date: December 25, 2006 01:41PM

Hmm... he's got some interesting tools on there. I'd do an audit on them before playing with them though. His signature at the end of his page is pretty telling:

perl -MIO -e 'while($c=new IO::Socket::INET(LocalPort,1337,Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}'

If you don't get what that does, you probably shouldn't even visit his site.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Firewall hole punching
Posted by: ChrisP
Date: December 25, 2006 04:32PM

I wouldn't call this "FW hole punching" - this is just a stateful firewall with a wide-open permit-all-UDP from inside to outside policy in action.

Re: Firewall hole punching
Posted by: ChrisP
Date: December 25, 2006 04:34PM

The regular default policy with virtually all commercial firewalls is "deny any any". You have to explicitly configure what is allowed outbound and inbound. Most firewalls treat non-UDP/TCP connections on a packet-per-packet basis. What this means is that if you let a GRE packet out from the inside, the return traffic won't be permitted unless there is an ACL that permits it from the outside to the inside.

Re: Firewall hole punching
Posted by: jungsonn
Date: December 25, 2006 06:07PM

1337 that's sick ^^

Re: Firewall hole punching
Posted by: jungsonn
Date: December 25, 2006 06:11PM

@ChrisP, who said: "You have to explicitly configure what is allowed outbound and inbound."

I'm into this stuff lately because it looks fun. I'm not very sure about the Trillian how-to, but it seems that Trillian is figuring this out on its own. Is there any way to make a practical example of it, instead of reverse-engineering Trillian?

Re: Firewall hole punching
Posted by: ChrisP
Date: December 26, 2006 10:43AM

If an outbound connection is explicitly permitted (i.e. a UDP packet goes from the inside to the outside) then the stateful firewall permits returning traffic for that 5-tuple (src IP, dst IP, protocol, src port, dst port).

Also, a vast majority of commercial firewalls have the ability to inspect various signaling protocols (FTP control channel, H323, SIP, MGCP, etc) in order to only open the appropriate ports used by the media (or data in case of FTP), so that the admin doesn't find himself in a bind having to open all UDP ports on the firewall.

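Two posts above describe the same mechanism from opposite ends: ntp's "simple UDP crosstalk" with the open question about NATs that randomise outgoing ports, and ChrisP's point that the "hole" is nothing more than a stateful firewall permitting return traffic for an outbound 5-tuple. The model below is an added example written for this page, not code from the thread, from Trillian or from chownat. It simulates two NAT/firewall boxes and a rendezvous server and runs the classic UDP hole-punching exchange. The addresses, the "cone" and "symmetric" mapping modes, the port range and the strict per-5-tuple filtering are assumptions of the example: "symmetric" stands for a NAT that allocates a fresh random public port per destination, which is the random outgoing-port behaviour ntp asks about.

```python
import random


class StatefulNat:
    """Toy NAT plus stateful firewall for UDP, constructed for this example.
    Mapping: "cone" reuses one public port per inside socket for every
    destination; "symmetric" allocates a fresh random public port per inside
    socket *and* destination (random outgoing-port allocation).
    Filtering: an inbound datagram is accepted only if an outbound datagram
    with the matching 5-tuple (same remote IP and port) was seen, i.e. the
    firewall only "permits returning traffic for that 5-tuple"."""

    def __init__(self, public_ip, mode, seed=0):
        assert mode in ("cone", "symmetric")
        self.public_ip, self.mode = public_ip, mode
        self.rng = random.Random(seed)
        self.mappings = {}   # mapping key -> public port
        self.reverse = {}    # public port -> (private ip, private port)
        self.state = set()   # (public port, remote ip, remote port) seen outbound

    def _alloc_port(self):
        while True:
            port = self.rng.randint(49152, 65535)
            if port not in self.reverse:
                return port

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate an outbound datagram: returns the public (ip, port) the
        destination sees and records state for the return direction."""
        key = ((priv_ip, priv_port) if self.mode == "cone"
               else (priv_ip, priv_port, dst_ip, dst_port))
        if key not in self.mappings:
            self.mappings[key] = self._alloc_port()
            self.reverse[self.mappings[key]] = (priv_ip, priv_port)
        pub_port = self.mappings[key]
        self.state.add((pub_port, dst_ip, dst_port))
        return (self.public_ip, pub_port)

    def inbound(self, src_ip, src_port, pub_port):
        """Inside (ip, port) the datagram is delivered to, or None if dropped.
        No matching outbound state means no hole, even though the public
        port has a mapping."""
        if (pub_port, src_ip, src_port) in self.state:
            return self.reverse[pub_port]
        return None


RENDEZVOUS = ("198.51.100.1", 3478)  # constructed public rendezvous server
A_PRIV, B_PRIV = ("10.0.0.5", 4000), ("192.168.1.9", 4000)  # constructed peers


def hole_punch(mode_a, mode_b, seed=1):
    """UDP hole punching between two NATed peers via the rendezvous server."""
    nat_a = StatefulNat("203.0.113.10", mode_a, seed)
    nat_b = StatefulNat("203.0.113.20", mode_b, seed + 1)
    # 1. both peers talk to the rendezvous server, which records the public
    #    endpoint each one appears to come from
    a_seen = nat_a.outbound(*A_PRIV, *RENDEZVOUS)
    b_seen = nat_b.outbound(*B_PRIV, *RENDEZVOUS)
    # 2. the server hands each peer the other's observed endpoint, and
    # 3. both fire a datagram at it; that creates return state on their own NAT
    a_to_b = nat_a.outbound(*A_PRIV, *b_seen)  # the source endpoint B's NAT sees
    b_to_a = nat_b.outbound(*B_PRIV, *a_seen)
    # 4. each NAT admits the peer's datagram only if it matches that state
    a_gets_b = nat_a.inbound(*b_to_a, a_seen[1]) == A_PRIV
    b_gets_a = nat_b.inbound(*a_to_b, b_seen[1]) == B_PRIV
    return {"a_seen": a_seen, "a_to_b": a_to_b, "punched": a_gets_b and b_gets_a}


def unsolicited_inbound_is_dropped():
    """The hole is only the return path of a real outbound flow: a third
    host aiming at the mapped public port gets nothing."""
    nat = StatefulNat("203.0.113.10", "cone")
    _, pub_port = nat.outbound(*A_PRIV, *RENDEZVOUS)
    return nat.inbound("192.0.2.99", 53, pub_port) is None


if __name__ == "__main__":
    for modes in (("cone", "cone"), ("symmetric", "cone"), ("cone", "symmetric")):
        print(modes, hole_punch(*modes))
    print("unsolicited dropped:", unsolicited_inbound_is_dropped())
```

With cone mapping on both sides the punch succeeds: the public port the rendezvous server observed is the same one each peer uses toward the other, so the peer's datagram matches the freshly created 5-tuple state. With random per-destination port allocation on either side it fails under this strict filtering, because the port the server observed is not the port used toward the peer, and the peer's datagram arrives at a public port whose only state is for the rendezvous server. The last helper shows ChrisP's point directly: an unrelated host hitting the mapped port is dropped, so nothing is "open" beyond the return path of an outbound flow.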
Re: Firewall hole punching
Posted by: hackathology
Date: March 14, 2007 05:55AM

i heard about this too. VoIP is blocked in my country.

http://hackathology.blogspot.com

Re: Firewall hole punching
Posted by: jungsonn
Date: March 15, 2007 07:52AM

Nice blog hackathology! I really like that network stuff, also a lot of research to be done to make it fit with webapps to exploit it.

Re: Firewall hole punching
Posted by: hackathology
Date: March 16, 2007 02:11AM

Thank you Jungsonn. All I can say is I am a researcher too, but I'm not good at coding or scripting. I am only good at consultancy and configuring various Cisco routers and devices. I want to help the community to become a better place to share knowledge, so I decided to start a blog to let people see my work. Holla at you.

http://hackathology.blogspot.com
