what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

firewall.steno.txt

firewall.steno.txt
Posted Sep 24, 2002
Authored by Lee Bowyer | Site networkpenetration.com

Bypassing firewalls through protocol stenography - You can often bypass firewalls by using trojans that send commands over port 80.

tags | paper, trojan, protocol
SHA-256 | f685fd1b46ed2b24b119f2bd1cb2183c29efd76645c61dc4ade029b9bf0c8d4d

firewall.steno.txt

Change Mirror Download
Lee Bowyer
Lee@networkpenetration.com

Firewall bypass via protocol stenography
::::::::::::::::::::::::::::::::::::::::
This paper demonstrates flaws in current firewall architecture through the use of protocol stenography.

Overview of Firewall Design
::::::::::::::::::::::::::-
Firewall design is basically split into three main areas:

Port blocking -
A port blocking firewall, does exactly what is says on the tin, it just blocks ports.
e.g. you want to allow traffic to travel from your network to only webservers, you would block all ports outgoing except port 80.

It is a very fast, cheap and very lightwieght on hardware. Unfortunatly it is very easy to bypass.

This type a firewall _should_ not be in use today as it is a trivial case to bind your RAT (Remote Access Trojan) to use port 80 on the way out.

Proxy -
A proxy firewall takes requests from an internal client for the relevant protocol and then passes it out as a request from itself to the internet. Then the reply is passed back to
the originating client. This is inherently secure because the client themselves have no _real_ connection to the outside world.
e.g. you only need a http proxy to only allow web access.

As there is no real connection a trojan has no route back to the attacker.

This is a very clunky solution, there is a need for a seperate proxy for every protocol the firewall needs to allow through, and the lack of transparency to the end user (every
client app need to be configured to use the proxy) bought up the third design.

Stateful Inspection -
Stateful inspection is similar to a port blocking firewall, except that when traffic travels out through port 80, to a web server, it is checked to make sure it is really http stuff. This
is a very effective method for firewalling as it makes the rebinding of a trojan a pointless task as the firewall will drop non (in this example) http traffic.

Bypass
::::::
In order to communicate with a RAT we need to be able to send AND recieve data to AND from the trojan and its control. We need an upstream and a downstream.

To communicate with a RAT through a firewall we need to identify an upstream and a downstream we can hijack to put our data in. I choose http. (It is usally allowed..)

Using http it is possible to bypass both http proxy firewalls and stateful inspection firewalls.

Upstream
::::::::
As a upstream, from the RAT to it's control, I choose http GET request. A typical http get looks like this :

GET /somedir/somefile.html HTTP/1.0

Now to use this a covert data path is fairly easy, the RAT already inside the network, (sent as email, browser bug etc.) only has to append its data to the end of the GET
request and send it to the control (fake) webserver. e.g.

GET /somedir/somefile.html?covertdataleakingaway HTTP/1.0

The fake webserver at the control end will the pickup the sent URL drop everything before the question mark, leaving just our data, successfully sent out and through the
firewall, because it looked like a valid http GET request.

Downstream
::::::::::
For the downstream from the control to the RAT, a fake webserver is required, when sent a GET, after the control decodes the upstream, a webpage complete with images,
is served to our RAT via a standard http 200 OK reply. The data to be sent in the downstream can be anywhere in that 200 OK reply. I use stenography on the images, but
you could place it in the html if you wanted to.

Diagram
::::::-

RAT<::::stenographied images<::::control
RAT::::>http GET request::::::::>webserver

Conclusion
::::::::::
Using protocol stenography it is possible to bypass probably all firewalls. You would need to find out which protocols the firewall allowed and then locate redundant
information in that particular protocol. I use http as an example as it is the most usally allowed on a firewall.

This is a very hard hole to plug as a firewall needs to let through some valid traffic, and by hiding as that valid traffic we circumvent it's security.

Demo client/server coming soon..


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close