IPSEC filters used by Windows 2000 & XP
Source: Internet  Published by: 台湾知乎  Editor: 程序博客网  Time: 2024/06/10 18:40
Hi folks,
As a result of a recent engagement looking at Windows host hardening, I came across this little trick and thought it might be useful at some point. The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).
First off, Microsoft themselves state that IPSEC filters are not designed as a full-featured host-based firewall [1], and it is already known that certain types of traffic are exempt from IPSEC filters [2]. They can be summarised as:
* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos
In a Microsoft support note [2] there is the line:
"The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit."
The test host here has a "block all" rule created using:
ipsecpol.exe -x -w REG -p "The Black Knight" -r "NoneShallPass" -n BLOCK -f 0=*::*
Normal Nmap scan:
# nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
The SYN Stealth Scan took 7 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
88/tcp closed kerberos-sec

Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds
Port 88 showing as closed is the hint. Nmap again, using this source port:
# nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
Adding open port 445/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1433/tcp
Adding open port 1027/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 0 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1433/tcp open  ms-sql-s

Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds
As can be seen, the IPSEC filters are bypassed. Although not designed as a host-based firewall, IPSEC filters are being used as such, particularly to block popularly attacked ports such as NETBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.
In Windows 2003 all of these default exemptions have been removed with the exception of IKE [1], and I believe that this may be incorporated into earlier Windows versions at some point.
Cheers,
JJ
[1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207
[2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
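As an added illustration (not code from JJ's post or from Microsoft), the following Python models the rule evaluation the post describes: the "block all" policy with the Windows 2000/XP default exemptions beside the Windows 2003 behaviour, plus a defender-side check over constructed packet records that picks out TCP SYNs riding the port-88 exemption. It assumes IKE is UDP/500 only and leaves broadcast, multicast and RSVP out of the model.

```python
from dataclasses import dataclass

KERBEROS_PORT = 88   # the exemption quoted from KB 253169
IKE_PORT = 500       # assumption: IKE modelled as UDP/500 only (no NAT-T)

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as tcpdump letters, e.g. "S", "SA"

def exempt_win2k_xp(p: Packet) -> bool:
    """Windows 2000/XP default exemptions from the post; broadcast, multicast
    and RSVP are not modelled, only the port-based rules."""
    if p.proto == "udp" and IKE_PORT in (p.sport, p.dport):
        return True
    # KB 253169: TCP or UDP with source OR destination port 88 is permitted.
    return p.proto in ("tcp", "udp") and KERBEROS_PORT in (p.sport, p.dport)

def exempt_win2003(p: Packet) -> bool:
    """Windows 2003: every default exemption removed except IKE."""
    return p.proto == "udp" and IKE_PORT in (p.sport, p.dport)

def block_all(p: Packet, exempt) -> str:
    """The NoneShallPass rule (-n BLOCK -f 0=*::*): block everything unless
    a default exemption applies first."""
    return "permit" if exempt(p) else "block"

def suspicious_src88_syns(packets):
    """Detection: inbound TCP SYN (no ACK) with *source* port 88. A KDC answers
    from port 88 but is not expected to open connections from it, so such a
    SYN points at traffic shaped to ride the exemption (e.g. nmap -g 88)."""
    return [p for p in packets
            if p.proto == "tcp" and p.sport == KERBEROS_PORT
            and "S" in p.flags and "A" not in p.flags]

# Constructed sample traffic, not a capture from the post's test host.
SAMPLE = [
    Packet("tcp", 40000, 445, "S"),   # plain nmap SYN probe to CIFS
    Packet("tcp", 88, 445, "S"),      # the same probe sent with -g 88
    Packet("tcp", 88, 1433, "S"),     # ... and to SQL Server
    Packet("udp", 88, 51000),         # KDC reply to our own Kerberos request
    Packet("tcp", 88, 51001, "SA"),   # SYN/ACK from a KDC we contacted on TCP/88
    Packet("udp", 500, 500),          # IKE negotiation
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, block_all(p, exempt_win2k_xp), block_all(p, exempt_win2003))
```

Note that with the 2003-style exemptions the constructed KDC reply is blocked too, which is why a block-all policy then needs an explicit permit rule for Kerberos.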