Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: David Pick <D.M.Pick () QMW AC UK>
Date: Wed, 27 Sep 2000 17:11:26 +0100
The network has no remote access points (it does not have a VPN or any
Dial-Up Servers). It has only a server, router, & firewall.

The firewall is doing both NAT and Stateful Packet Inspection (SPI from here
on in). There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has cached
or is aware of the potential incoming connection). If the connection comes
back in on a different port than the firewall expects (assumes) it will drop

Is there any way to circumvent this firewall (or any firewalls that employ
NAT and SPI as their primary defense mechanisms)? Is there any way to get
direct access to the server? I have port scanned the router and found
listening ports and remote administration software but I am curious as to
how one could circumvent the firewall (if this is done through hijacking the
router I would be curious about that also).
1) Set up an "attractive" Web site
2) Insert a java-based applet that contacts your Web server but shows
nothing in the browser window
3) Use "human engineering" to get your friend to look at the Web site
4) The java applet can establish connections *out* to the Web site and
pass any data in any direction it likes
5) In particular, bugs in the JVM may allow nefarious code to run

1) Send a VBS "virus"/worm that establishes an outward connection to
a server with more data/code/scripts to execute
2) Your friend opens the message and establishes the outward call...

1) Use "human engineering" to get your friend to load a "security
patch" onto his machine which establishes an outward call.
2) Your friend runs the "patch" and makes the outward call...
But it's still a lot stronger than most people and will keep most
"script kiddies" out.
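Added example, not part of the thread: a minimal model of the firewall policy the question describes (anything initiated from inside goes out, inbound passes only when it matches a tracked flow, a reply on an unexpected port is dropped). It shows why every scenario in the reply works by having an inside host make the outward call, and that an egress allow-list (an assumed mitigation, e.g. forcing outbound traffic through one proxy address) is what closes that path. Addresses are constructed.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed private range for the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

class StatefulNatFirewall:
    """Default-rules-only NAT+SPI box from the question, plus optional egress filtering."""

    def __init__(self, egress_allow=None):
        # egress_allow: optional set of (dst, dport) the inside may reach.
        # None reproduces the "no rules except the default" setup.
        self.table = set()
        self.egress_allow = egress_allow

    def filter(self, pkt):
        if pkt.src.startswith(INSIDE_NET):
            # Outbound: allowed by default; an egress allow-list narrows it.
            if self.egress_allow is not None and (pkt.dst, pkt.dport) not in self.egress_allow:
                return "DROP"
            # SPI caches the flow so the matching reply may come back in.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: must match a cached flow exactly (reversed 4-tuple).
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.table else "DROP"

def demo(egress_allow=None):
    fw = StatefulNatFirewall(egress_allow)
    r = {}
    # Unsolicited inbound connection to the internal server: dropped.
    r["unsolicited_in"] = fw.filter(Packet("203.0.113.9", 40000, "10.0.0.5", 22, syn=True))
    # Inside host opens a connection out (browser, or code the user was tricked into running).
    r["out"] = fw.filter(Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True))
    # Reply on the expected port passes; data can now flow in both directions.
    r["reply"] = fw.filter(Packet("203.0.113.9", 443, "10.0.0.5", 51000))
    # Reply on a different port than expected is dropped, as the question states.
    r["wrong_port"] = fw.filter(Packet("203.0.113.9", 444, "10.0.0.5", 51000))
    return r

if __name__ == "__main__":
    print("default policy :", demo())
    print("egress allow-list:", demo(egress_allow={("192.0.2.10", 3128)}))
```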