Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: David Pick <D.M.Pick () QMW AC UK>
Date: Wed, 27 Sep 2000 17:11:26 +0100


The network has no remote access points (it does not have a VPN or any
Dial-Up Servers).  It has only a sever, router, & firewall.

The firewall is doing both NAT and Stateful Packet Inspection (SPI from here
on in).  There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has cached
or is aware of the potential incoming connection).  If the connection comes
back in on a different port then the firewall expects (assumes) it will drop
the connection.

Is there anyway to circumvent this firewall (or any firewalls that employ
NAT and SPI as there primary defense mechanisms?)  Is there anyway to get
direct access to the server?  I have port scanned the router and found
listening ports and remote administration software but I am curious as to
how one could circumvent the firewall (if this is done through hijacking the
router I would be curious about that also).

Of course:
 1) Set up an "attractive" Web site
 2) Insert a java-based applet that contacts your Web server but shows
    nothing in the browser window
 3) Use "human engineering" to get your friend to look at the Web site
 4) The java applet can establish connections *out* to the Web site and
    pass any data in any direction it likes
 5) In particular, bugs in the JVM may allow nefarious code to run
 1) Send a VBS "virus"/worm that establishes an outward connection to
    a server with more data/code/scripts to execute
 2) Your friend opens the message and establishes the outward call...
 1) Use "human engineering" to get your friend to load a "security
    patch" onto his machine which establishes an outward call.
 2) Your friend runs the "patch" and makes the outward call...

But it's still a lot stronger than most people and will keep most
"script kiddies" out.

        David Pick

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]