
[REVS] Placing Backdoors Through Firewalls

Subject: [REVS] Placing Backdoors Through Firewalls
Date: 17 Apr 2005 17:13:31 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Placing Backdoors Through Firewalls
------------------------------------------------------------------------


SUMMARY

This article describes possible back-doors through different firewall 
architectures. However, the material can also be applied to other 
environments to describe how hackers cover their access to a system.

DETAILS

Hackers often want to retain access to systems they have penetrated even 
in the face of obstacles such as new firewalls and patched 
vulnerabilities. To accomplish this the attackers must install a back-door 
which a) does its job and b) is not easily detectable. The kind of 
back-door needed depends on the firewall architecture used.

Firewall Architectures:
There are two basic firewall architectures and each has an enhanced 
version:

Packet Filters:
This is a host or router which checks each packet against an allow/deny 
rule table before routing it through the correct interface. There are very 
simple ones which can only filter on the origin host, destination host 
and destination port, as well as good ones which can also decide based on 
incoming interface, source port, day/time and some TCP or IP flags. This 
could be a simple router, e.g. any Cisco, or a Linux machine with 
firewalling activated (ipfwadm).

Stateful Filters:
This is the enhanced version of a packet filter. It still does the same 
checking against a rule table and only routes if permitted, but it also 
keeps track of state information such as TCP sequence numbers. Some 
pay attention to application protocols, which allows tricks such as only 
opening ports to the interior network for ftp-data channels which were 
specified in a permitted ftp session. These filters can (more or less) get 
UDP packets (e.g. for DNS and RPC) securely through the firewall. (The 
"more or less" is because UDP is a stateless protocol, and it is more 
difficult still for RPC services.)
This could be a great OpenBSD machine with the ip-filter software, a Cisco 
PIX, WatchGuard, or the (in)famous Check Point FW-1.
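
The difference between the two filter types described above, as an added 
example that is not part of the original advisory. The rule tables, 
addresses and class names are constructed for illustration, and the 
stateful model tracks only the address/port 4-tuple, not TCP sequence 
numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives on the external interface

# Constructed rule tables: (inbound, dport_low, dport_high, action), first match wins.
STATELESS_RULES = [
    (False, 80, 80, "allow"),       # inside -> outside web requests
    (True, 1024, 65535, "allow"),   # static rule so that replies can come back
]
STATEFUL_RULES = [
    (False, 80, 80, "allow"),       # replies are admitted from tracked state instead
]

def match_rules(rules, pkt):
    """Plain packet filter: check the packet against the table, default deny."""
    for inbound, lo, hi, action in rules:
        if pkt.inbound == inbound and lo <= pkt.dport <= hi:
            return action
    return "deny"

class StatefulFilter:
    def __init__(self):
        self.flows = set()  # permitted outbound flows seen so far

    def check(self, pkt):
        # An inbound packet passes only if it mirrors a tracked outbound flow.
        if pkt.inbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        action = match_rules(STATEFUL_RULES, pkt)
        if action == "allow" and not pkt.inbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def evaluate():
    """Run three constructed packets through both filters."""
    request = Packet("10.0.0.5", 40000, "198.51.100.7", 80, inbound=False)
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 40000, inbound=True)
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 40001, inbound=True)
    stateful = StatefulFilter()
    packets = [request, reply, unsolicited]
    return {
        "stateless": [match_rules(STATELESS_RULES, p) for p in packets],
        "stateful": [stateful.check(p) for p in packets],
    }
```

The stateless table has to carry a broad inbound rule for return traffic, 
so it passes the third packet; the stateful filter drops it because no 
outbound flow matches.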

Proxies / Circuit Level Gateways:
A proxy as a firewall host is simply any server which has no routing 
activated and instead has proxy software installed. Examples of proxy 
servers which may be used are squid for WWW, a Sendmail relay 
configuration and/or just a sockd.

Application Gateways:
This is the enhanced version of a proxy. Like a proxy, for every 
application which should get through the firewall, software must be 
installed and running to proxy it. However, the application gateway is 
smart and checks every request and answer, e.g. that an outgoing FTP 
may only download data but not upload any, that the data contains no virus, 
that no buffer overflows are generated in answers, etc. One can argue that 
squid is an application gateway, because it does many sanity checks and lets 
you filter stuff, but it was not programmed for installation in a secure 
environment and still has/had security bugs.

A good example of a freeware kit of this kind is the TIS firewall 
toolkit (fwtk).

Most firewalls that vendors sell on the market are hybrid firewalls, which 
means they've got more than just one type implemented; for example, the IBM 
Firewall is a simple packet filter with socks and a few proxies. I won't 
discuss which firewall product is the best, because this is not a 
how-to-buy-a-firewall paper, but I will say this: application gateways are 
by far the most secure firewalls, although money, speed, special 
protocols, open network policies, stupidity, marketing hype and bad 
management might rule them out.


ADDITIONAL INFORMATION

The information has been provided by Sumy <mailto:sanandres@gmail.com>.
The original article can be found at: 
http://www.exploitx.com/forum/azbb.php?1113350365


