
| Subject: | RE: fwop: win32 tcp port proxy tool |
|---|---|
| Date: | Wed, 11 Jan 2006 01:38:28 -0500 |
Hello Amin. I'm not a pen-tester but how does this utility differ from netcat? From the examples in the readme, they seem to do much of the same thing. Thanks.

Scott Hazel

-----Original Message-----
From: Amin Tora [mailto:amintora@gmail.com]
Sent: Tuesday, January 10, 2006 8:24 PM
To: pen-test@securityfocus.com
Subject: fwop: win32 tcp port proxy tool

I wanted to share a utility I wrote a while back for win32 based platforms. I've used it off and on during pen testing, and wanted some feedback. This version I'm making publicly available retains the payload in clear without encoding or encryption ... later releases may include encoding - i.e. protocol tunneling/'cloaking' as well as encryption {HTTPS,SSH,etc.}

It's available at: http://www.int0x21.com/projects.html

Below is the readme for the tool.

----------------------=[ 0x01 Introduction ]=-----------------------

fwop is a multi-threaded console application written in C for win-32 based platforms. It relies on Microsoft winsock DLL version 2 which comes with Windows operating systems. It allows the user to relay or 'proxy' any TCP based communications between processes on the local system or on remote systems.

----------------------=[ 0x02 Uses ]=-----------------------

---tcp port proxying---

fwop can be used to proxy TCP connections over different ports when there is a firewall or access list disallowing communications over default ports. Let's say you would like to run Microsoft remote desktop through a firewall or router [fw] with access lists that block such traffic.

In a normal remote desktop connection, a client would allocate a random high tcp port (>1023) and use that port to connect to the server's tcp port 3389, like so:

```
[client](1234)---------->(3389)[server]
```

Now, let's say you have a router or firewall that blocks traffic destined to port tcp 3389 and does not allow you to make such a connection:

```
[client](1234)-------->x[FW].......(3389)[server]
```

But let's say that the firewall allows tcp port 80 (http) traffic outbound from the server side. If so, you can use fwop on both endpoints and relay the traffic over port tcp:80.

```
(rdpclient)--->[fwop]<----------[fwop]---->(rdpserver)
```

In this scenario, fwop on the client listens on two ports. fwop on the server makes a connection to the rdp server and initiates a connection over port 80 to fwop on the client. The rdp client software establishes a connection to fwop on the client. The connection is tunneled between the client and server.

This is how you'd use fwop to perform this:

a. on [client]{ip:10.1.1.5} run fwop to listen on two available ports like 4444 and 80 like so:

```
fwop 4444 80
```

b. on [server]{ip:10.2.2.5} run fwop to connect to the local rdp server (tcp:3389) and connect to fwop running on the client over tcp:80 like so:

```
fwop 127.0.0.1:3389 10.2.2.5:80
```

c. on [client] run the rdp client software and connect to localhost (127.0.0.1) on the tcp port that fwop is listening on {in our case tcp:4444}.

The following depicts this setup:

```
[client]                                                  [server]
[rdpc]-->(4444)[fwop](80)<----[fw]----(highport)[fwop](highport)--->(3389)[rdps]
```

In this scenario, the firewall only allows tcp:80 outbound from the server side. By using fwop, we've bypassed the firewall and established a direct connection from outside the firewall to the server on port 3389 by tunneling the traffic via a connection initiated by the server. This of course requires some other control vector on the server side that you can manipulate.

---attack proxying---

Replace client above with metasploit attack tool [http://www.metasploit.com/]... you get the picture... And the remote system does not have to be the same host - it could be another host inside the network behind the firewall. ;)

---network ips testing---

You can also use fwop to test your ips configuration to see if it can detect anomalies in the communications. For example, normal telnet traffic should not have a large amount of data. Also, the IPS should detect that traffic on specific ports should match protocol specifications {i.e. HTTP, SSH, HTTPS/SSL/TLS, DNS, etc.} ... re: anomaly detection...

----------------------=[ 0x03 Known Limitations ]=-----------------------

1. Host based IPS systems may block fwop as it relies on winsock DLL.
2. Traffic tunneled is left intact without any form of 'cloaking'. Therefore smarter firewalls and network based ips systems may detect, alert and/or prohibit the traffic.

----------------------=[ 0x04 Final Notes ]=-----------------------

1. If you use fwop in your applications please let me know.
2. Next release of fwop will have the ability to cloak traffic based on the well known ports and behave as a client/server conforming to protocol specifications to bypass network based IDS/IPS and firewalls with content aware intelligence.

--
Amin Tora
http://www.int0x21.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
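The readme's "network ips testing" section and its Known Limitation 2 rest on the same observation: because fwop relays the payload unmodified, an RDP session carried over tcp/80 contains no HTTP, and an IPS that checks protocol conformance per port can flag it. The following is an added example, not part of this thread or of the fwop tool, of that kind of check run over a few constructed flow records. It classifies a connection from the first bytes the client sent (HTTP request line, TLS ClientHello, or the TPKT/X.224 Connection Request that opens every RDP session), compares the result with the protocol expected on the destination port, and separately applies the readme's telnet-volume heuristic. The `Flow` record, the port-to-protocol table and the 64 KiB telnet threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed TCP connection. Constructed record for this example;
    a real sensor would fill it from captured packets."""
    src: str
    dst_port: int
    first_bytes: bytes   # first bytes the client sent after the handshake
    client_bytes: int    # total bytes the client sent over the connection


# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

# Application protocol a defender expects on each well-known port
# (assumption for this example; tune to the environment).
EXPECTED_PROTOCOL = {80: "http", 443: "tls", 3389: "tpkt-x224"}

# Interactive telnet carries keystrokes; a client pushing more than this
# is likely bulk data wrapped in a telnet session (constructed threshold).
TELNET_CLIENT_BYTES_LIMIT = 64 * 1024


def identify_protocol(first_bytes: bytes) -> str:
    """Classify a connection from its first client-to-server bytes."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    # TLS record layer: type 0x16 (handshake), version 0x03 0x0X, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    # TPKT (RFC 1006) header 0x03 0x00 + 2-byte length, then an X.224 TPDU
    # whose length byte is followed by code 0xE0 (Connection Request).
    # RDP opens every session this way, whatever port it rides on.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x03
            and first_bytes[1] == 0x00 and first_bytes[5] == 0xE0):
        return "tpkt-x224"
    return "unknown"


def check_flow(flow: Flow) -> list:
    """Return human-readable findings for one flow (empty list = nothing odd)."""
    findings = []
    observed = identify_protocol(flow.first_bytes)
    expected = EXPECTED_PROTOCOL.get(flow.dst_port)
    if expected is not None and observed != expected:
        findings.append(
            f"{flow.src} -> tcp/{flow.dst_port}: expected {expected}, "
            f"payload looks like {observed}")
    if flow.dst_port == 23 and flow.client_bytes > TELNET_CLIENT_BYTES_LIMIT:
        findings.append(
            f"{flow.src} -> tcp/23: client sent {flow.client_bytes} bytes, "
            f"more than an interactive telnet session should")
    return findings


def find_anomalies(flows) -> list:
    """Run check_flow over every flow and collect all findings."""
    return [finding for flow in flows for finding in check_flow(flow)]


# Constructed sample flows. The third is what the readme's RDP-over-tcp/80
# relay puts on the wire, since fwop carries the payload unmodified.
SAMPLE_FLOWS = [
    Flow("10.2.2.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", 412),
    Flow("10.2.2.7", 443, bytes.fromhex("160301005a0100005603035c") + b"\x00" * 20, 5120),
    Flow("10.2.2.5", 80, bytes.fromhex("030000130ee000000000000100080003000000"), 9_800_000),
    Flow("10.2.2.9", 23, b"\xff\xfd\x18\xff\xfd\x20", 96),
    Flow("10.2.2.9", 23, b"\xff\xfd\x18\xff\xfd\x20", 3_000_000),
    Flow("10.2.2.11", 80, b"\x00\x00\x00\x2f\xff\x53\x4d\x42", 200_000),
]

if __name__ == "__main__":
    for line in find_anomalies(SAMPLE_FLOWS):
        print("ALERT:", line)
```

Run as-is it prints three alerts: the X.224 request on tcp/80, the 3 MB telnet client, and the unrecognised payload on tcp/80; the plain HTTP, TLS and short telnet flows pass. The check only looks at the first six bytes, which is what makes it cheap enough for inline use, and it is exactly the kind of content-aware inspection the readme's Final Note 2 says a later "cloaking" release would be aimed at, so a sensor relying on it should pair it with the volume and direction heuristics rather than the byte match alone.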