Re: Cracking a server without services

From: Warwick Poole (warwick-lists@globalvision.com)
Date: 07/12/02


From: Warwick Poole <warwick-lists@globalvision.com>
To: Jeff Aufderheide <j.aufderheide@attbi.com>, security-basics@securityfocus.com
Date: 12 Jul 2002 15:52:38 +0100

On the point of Fragrouter being able to use fragments to bypass
packet-filtering firewalls, could you not use a rule like

iptables -A INPUT -i eth0 -f -j DROP

to drop fragments on the perimeter router, thus preventing fragrouter
from being able to do this?

As far as I know, the only reason for fragments would be for NFS
services, which I would never want to cross my perimeter router anyway.

Warwick

On Thu, 2002-07-11 at 23:06, Jeff Aufderheide wrote:
> In-Reply-To: <3D2D39C2.11150.19DF84@localhost>
>
> Hi Mr. Bremer,
> I just thought I would give some info about getting past a packet
> filtering firewall. It is not as difficult as one would think. All you
> would need is the right tool. And... that tool is called Frag Router.
> It is in my estimation that this program can get past 2/3 IDS and Packet
> filtering Devices. Although there are plans in the works to correct this
> issue by implementing an IDS system on both host and destination boxes
> (very expensive indeed).
>
> Now to answer the other gentleman's question. And, someone correct me if
> I'm wrong, but the only conceivable way to gain access to a computer
> without any services running would be gaining local access to the box
> itself and logging in as admin or a user account. From there, depending
> on which OS you want to take advantage of (for example MS2k) you could
> boot into DOS or a version of Linux and download the SAM file to a floppy
> disk. If all of your ports are closed you will not communicate to anyone
> in the world, Nothing in - Nothing out.
>
> I hope this answers your questions.
>
> V/R
>
> Jeff Aufderheide
>
> Unfortunately I can't point you to any information regarding this, but I
> can offer a little input. Cracking a machine with no services running
> would be VERY difficult indeed (I wouldn't say "impossible" though).
> Machines that are used as a packet filtering firewall fall into this
> category.
>
> What is more likely to happen than cracking the machine itself is
> finding a problem in the packet filtering rules that would allow a
> cracker unauthorized access to a host that is being protected by the
> firewall. On rare occasions, there may even be a bug in the packet
> filtering code itself that could create the same problem.
>
> Steve Bremer
>
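
Added example, not part of the original posts: the iptables `-f` match refers only to second and further fragments of a datagram, so this Python sketch decodes the IPv4 fragmentation fields and shows which packets the rule quoted above would match. The sample headers, addresses and function names are constructed for illustration.

```python
import struct

def frag_fields(ip_header: bytes):
    """Return (DF, MF, offset_in_bytes) decoded from a raw IPv4 header."""
    if len(ip_header) < 20 or ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack("!H", ip_header[6:8])   # flags + fragment offset
    df = bool(word & 0x4000)                        # Don't Fragment
    mf = bool(word & 0x2000)                        # More Fragments
    offset = (word & 0x1FFF) * 8                    # offset is in 8-byte units
    return df, mf, offset

def classify(ip_header: bytes) -> str:
    """Label a packet by its role in a (possibly) fragmented datagram."""
    _, mf, offset = frag_fields(ip_header)
    if offset:
        return "later-fragment"    # non-zero offset: second or further fragment
    if mf:
        return "first-fragment"    # offset 0 with MF set: carries the L4 header
    return "unfragmented"

def matched_by_dash_f(ip_header: bytes) -> bool:
    """True for the packets an iptables '-f' rule refers to."""
    return classify(ip_header) == "later-fragment"

def make_header(flags_off: int) -> bytes:
    """Constructed 20-byte IPv4/TCP header (checksum left at 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_off,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

# Constructed samples: one whole packet and a datagram split in three.
SAMPLES = {
    "whole (DF set)":   make_header(0x4000),
    "fragment 1 of 3":  make_header(0x2000),
    "fragment 2 of 3":  make_header(0x2000 | 1),    # offset 8 bytes
    "fragment 3 of 3":  make_header(0x0002),        # offset 16 bytes, MF clear
}

def report():
    """Map each sample name to (classification, matched by -f?)."""
    return {name: (classify(h), matched_by_dash_f(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kind, hit) in report().items():
        print(f"{name:16} {kind:15} -f match: {hit}")
```

The first fragment, which carries the transport header, is not matched by `-f` and is judged by the ordinary rules. On hosts where connection tracking is loaded, netfilter reassembles fragments before the filter table sees them, so a `-f` rule may never match there.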
