Re: Win2K & XP IPSEC Filtering bypass

From: Adam Tuliper (amt@gecko-software.com)
Date: Thu May 20 2004 - 15:45:08 EDT


This trick is pretty old and can be disabled. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;811832

On Wed, 19 May 2004 22:48:26 +0100 "JJ Gray" <jj@irmplc.com> wrote:
> Hi folks,
> As a result of a recent engagement looking at Windows host hardening, I came across this little trick and thought it might be useful at some point.
> The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).
>
> First off, Microsoft themselves state that IPSEC filters are not designed as a full featured host based firewall [1] and it is already known that certain types of traffic are exempt from IPSEC filters [2] and they can be summarised as:
>
> * Broadcast
> * Multicast
> * RSVP
> * IKE
> * Kerberos
>
> In a Microsoft support note [2] there is the line:
> "The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit."
>
> The test host here has a "block all" rule created using:
>
> ipsecpol.exe -x -w REG -p "The Black Knight" -r "NoneShallPass" -n BLOCK -f 0=*::*
>
> Normal Nmap scan:
>
> # nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
> Host 172.25.0.14 appears to be up ... good.
> Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
> The SYN Stealth Scan took 7 seconds to scan 1659 ports.
> Interesting ports on 172.25.0.14:
> (The 1658 ports scanned but not shown below are in state: filtered)
> PORT    STATE  SERVICE
> 88/tcp  closed kerberos-sec
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds
>
> Port 88 closed is the hint, Nmap again using this source port:
>
> # nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
> Host 172.25.0.14 appears to be up ... good.
> Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
> Adding open port 445/tcp
> Adding open port 135/tcp
> Adding open port 139/tcp
> Adding open port 1433/tcp
> Adding open port 1027/tcp
> Adding open port 1025/tcp
> The SYN Stealth Scan took 0 seconds to scan 1659 ports.
> Interesting ports on 172.25.0.14:
> (The 1653 ports scanned but not shown below are in state: closed)
> PORT     STATE SERVICE
> 135/tcp  open  msrpc
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 1025/tcp open  NFS-or-IIS
> 1027/tcp open  IIS
> 1433/tcp open  ms-sql-s
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds
>
> As can be seen, the IPSEC filters are bypassed. Although not designed as a host based firewall, IPSEC filters are being used as such, particularly to block popular attacked ports such as NETBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.
>
> In Windows 2003 all of these default exemptions have been removed with the exception of IKE [1] and I believe that this may be incorporated into earlier Windows versions at some point.
>
> Cheers,
> JJ
>
> [1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207
> [2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
>

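Added example (not from either poster): a small detection script that mirrors the quoted KB 253169 exemption rule and then flags flows where a host that is not a known KDC reaches a non-Kerberos port purely because its source port is 88, which is exactly what the `-g 88` scan above looks like on the wire. The flow-record format, the sample traffic and the KDC address 172.25.0.1 are constructed for this example.

```python
import re
from collections import defaultdict

KERBEROS_PORT = 88
# Assumed flow-record format (constructed for this example, not a real log format):
#   "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)")

# Constructed sample traffic: a source-port-88 scan from 172.25.0.99 against the
# host in the post, plus legitimate Kerberos traffic to and from a KDC at 172.25.0.1.
SAMPLE_FLOWS = """\
tcp 172.25.0.99:88 -> 172.25.0.14:135
tcp 172.25.0.99:88 -> 172.25.0.14:139
tcp 172.25.0.99:88 -> 172.25.0.14:445
tcp 172.25.0.99:88 -> 172.25.0.14:1433
tcp 172.25.0.14:1044 -> 172.25.0.1:88
udp 172.25.0.1:88 -> 172.25.0.14:1045
tcp 172.25.0.50:34567 -> 172.25.0.14:445
"""

def parse_flow(line):
    """Return a dict for one flow record, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def kerberos_exempt(flow):
    """The KB 253169 rule as quoted: TCP or UDP with port 88 on either side is permitted."""
    return flow["proto"] in ("tcp", "udp") and KERBEROS_PORT in (flow["sport"], flow["dport"])

def abuses_exemption(flow, kdcs):
    """Exempt flow whose only Kerberos trait is a source port of 88 from a non-KDC host."""
    return (kerberos_exempt(flow)
            and flow["sport"] == KERBEROS_PORT
            and flow["dport"] != KERBEROS_PORT
            and flow["src"] not in kdcs)

def find_abuse(lines, kdcs=frozenset()):
    """Map each offending source IP to the sorted destination ports it reached."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow and abuses_exemption(flow, kdcs):
            hits[flow["src"]].add(flow["dport"])
    return {src: sorted(ports) for src, ports in hits.items()}
```

Run `find_abuse(SAMPLE_FLOWS.splitlines(), kdcs={"172.25.0.1"})` to get the scanner mapped to the ports it reached; real KDC replies also carry source port 88, so the `kdcs` allowlist is what keeps legitimate Kerberos traffic out of the result.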



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT