From: Hazel, Scott A. (Scott.Hazel@unisys.com)
Date: Wed Jan 11 2006 - 01:38:28 EST
Hello Amin.
I'm not a pen-tester but how does this utility differ from netcat? From
the examples in the readme, they seem to do much of the same thing.
Thanks.
Scott Hazel
-----Original Message-----
From: Amin Tora [mailto:amintora@gmail.com]
Sent: Tuesday, January 10, 2006 8:24 PM
To: pen-test@securityfocus.com
Subject: fwop: win32 tcp port proxy tool
I wanted to share a utility I wrote a while back for win32 based
platforms. I've used it off and on during pen testing. And wanted some
feedback.
This version I'm making publicly available retains the payload in clear
without encoding or encryption ... later releases may include encoding
- i.e. protocol tunneling/cloaking' as well as encryption
{HTTPS,SSH,etc.}
It's available at: http://www.int0x21.com/projects.html
Below is the readme for the tool.
----------------------=[ 0x01 Introduction ]=-----------------------
fwop is a multi-threaded console application written in C for win-32
based platforms. It relies on Microsoft winsock DLL version 2 which
comes with Windows operating systems. It allows the user to relay or
'proxy' any TCP based communications between processes on the local
system or on remote systems.
----------------------=[ 0x02 Uses ]=-----------------------
---tcp port proxying---
fwop can be used to proxy TCP connections over different ports when
there is a firewall or access list disallowing communications over
default ports. Let's say you would like to run Microsoft remote desktop
through a firewall or router [fw] with access lists that blocks such
traffic.
In a normal remote desktop connection, a client would allocate a random
high tcp port (>1023} and use that port to connect to the server's tcp
port 3389, like so:
[client](1234)---------->(3389)[server]
Now, let's say you have a router or firewall that blocks traffic
destined to port tcp 3389 and does not allow you to make such a
connection:
[client](1234)-------->x[FW].......(3389)[server]
But let's say that the firewall allows tcp port 80 (http) traffic
outbound from the server side. If so, you can use fwop on both endpoints
and relay the traffic over port tcp:80.
(rdpclient)--->[fwop]<----------[fwop]---->(rdpserver)
In this scenario, fwop on the client listens on two ports. fwop on the
server makes a connection to the rdp server and initiates a connection
over port 80 to fwop on the client. The rdp client software establishes
a connection to fwop on the client. The connection is tunneled between
the client and server.
This is how you'd use fwop to perform this:
a. on [client]{ip:10.1.1.5}
run fwop to listen on two available ports like 4444 and 80 like so:
fwop 4444 80
b. on [server]{ip:10.2.2.5}
run fwop to connect to the local rdp server (tcp:3389) and connect
to fwop
running on the client over tcp:80 like so:
fwop 127.0.0.1:3389 10.2.2.5:80
c. on [client]
run the rdp client software and connect to localhost (127.0.0.1) on
tcp port
that fwop is listening on {in our case tcp:4444}.
The following depicts this setup:
[client] [server]
[rdpc]-->(4444)[fwop](80)<----[fw]----(highport)[fwop](highport)--->(338
9)[rdps]
In this scenario, the firewall only allows tcp:80 outbound from the
server side.
By using fwop, we've bypassed the firewall and established a direct
connection from outside the firewall to the server on port 3389 by
tunneling the traffic via a connection initiated by the server.
This of course requires some other control vector on the server side
that you can manipulate.
---attack proxying---
Replace client above with metasploit attack tool
[http://www.metasploit.com/]... you get the picture...
And the remote system does not have to be the same host - it could be
another host inside the network behind the firewall. ;)
---network ips testing---
You can also use fwop to test your ips configuration to see if it can
detect anomalies in the communications. For example, normal telnet
traffic should not have a large amount of data. Also, the IPS should
detect that traffic on specific ports should match protocol
specifications {i.e. HTTP, SSH, HTTPS/SSL/TLS, DNS, etc.... re: anomaly
detection...
----------------------=[ 0x03 Known Limitations]=-----------------------
1. Host based IPS systems may block fwop as it relies on winsock DLL.
2. Traffic tunneled is left entact without any form of 'cloaking'.
Therefore
smarter firewalls and network based ips systems may detect, alert
and/or
prohibit the traffic.
----------------------=[ 0x04 Final Notes
]=-----------------------
1. If you use fwop in your applications please let me know.
2. Next release of fwop will have ability to cloack traffic based on the
well known ports and behave as a client/server conforming to protocol
specificatoins to bypass network based IDS/IPS and firewalls with
content aware intelligence.
-- Amin Tora http://www.int0x21.com ------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:21 EDT