Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 181 - For Wednesday December 23, 2009
- Upcoming webcasts - In January we will be doing two webcasts. Core Security will be sponsoring one, and Cenzic will be sponsoring the other. John Strand and I will be speaking about client side exploitation for the Core webcast, and tips to be a better web application penetration tester for the Cenzic one. Registration links coming soon!
- Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, starting March 28th. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
- QuahogCon Call for Papers - QuahogCon is a Southern New England conference for the hacker culture in all forms, and is looking for presentations!
- Shmoocon - This will be the next big conference that we will all be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come find us at the booth for all things PaulDotCom including free stickers, and PaulDotCom complete works DVDs!
Feats of Strength: Windows Firewall & Logging with John Strand
Windows firewall options… Does it suck as bad as you think?
I know that is a short answer but this Tech Segment is going to be a bit of a rant.
This is not about all of the wonderful third party products out there that suck-less™; it is about the built in options you have in Windows to handle packets. For this, I focused on two capabilities in Windows: the built-in firewall and IPSec. Often there are discussions of which one is better and how you should never, ever use one or the other. Rather than go down that path we will talk about both and why they both kind-of-suck™. Why am I doing this? We cover on a regular basis how, as penetration testers, we need to live off the land and sharpen our command-line Kung-fu. I think this is applicable for defending as well. If all I give you to defend a box is the box itself, you should be able to pull this off. This is all part of the Blue Team Playbook we started talking about a few weeks ago.
I got excited when I saw the new advfirewall options in netsh and I thought it would be like the standard firewall context but with less-suck™.
I was wrong. It appears that Windows is taking fairly basic commands with netsh firewall and making them more convoluted.
Please see below for a full range of options:
Rather than do a full comparison I wanted to focus this segment on logging.
Because logs are cool.
What I am really after is a way to log every dropped packet. That doesn't seem too hard. After all, it looks like it might do it!!
2009-12-21 10:57:02 DROP UDP 172.16.30.1 172.16.30.255 61452 137 78 - - - - - - - RECEIVE
2009-12-21 10:57:05 DROP UDP 172.16.30.1 172.16.30.255 64002 137 78 - - - - - - - RECEIVE
2009-12-21 10:57:05 DROP UDP 172.16.30.1 172.16.30.255 64002 137 78 - - - - - - - RECEIVE
2009-12-21 10:57:05 DROP UDP 172.16.30.1 172.16.30.255 64002 137 78 - - - - - - - RECEIVE
2009-12-21 10:58:18 DROP TCP 172.16.30.139 172.16.30.138 33640 49152 44 S 2141341115 0 4096 - - - RECEIVE
2009-12-21 10:58:18 DROP TCP 172.16.30.139 172.16.30.138 33641 49152 44 S 2141406650 0 1024 - - - RECEIVE
2009-12-21 10:58:23 DROP TCP 172.16.30.139 172.16.30.138 33640 49156 44 S 2141341115 0 4096 - - - RECEIVE
2009-12-21 10:58:23 DROP TCP 172.16.30.139 172.16.30.138 33640 49155 44 S 2141341115 0 4096 - - - RECEIVE
So I get excited. Turn on the firewall and have it drop all incoming connections then start a standard nmap portscan. I am excited… My nipples are hard, this could be a great day.
When I am done… I get this:
2009-12-19 13:34:48 DROP TCP 172.16.30.135 172.16.30.138 46126 49155 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:48 DROP TCP 172.16.30.135 172.16.30.138 46127 49155 44 S 1540289280 0 4096 - - - RECEIVE
2009-12-19 13:34:49 DROP TCP 172.16.30.135 172.16.30.138 46126 49153 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:49 DROP TCP 172.16.30.135 172.16.30.138 46127 49153 44 S 1540289280 0 1024 - - - RECEIVE
2009-12-19 13:34:52 DROP TCP 172.16.30.135 172.16.30.138 46126 139 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:52 DROP TCP 172.16.30.135 172.16.30.138 46127 139 44 S 1540289280 0 1024 - - - RECEIVE
2009-12-19 13:34:57 DROP TCP 172.16.30.135 172.16.30.138 46126 49156 44 S 1540354817 0 1024 - - - RECEIVE
2009-12-19 13:34:57 DROP TCP 172.16.30.135 172.16.30.138 46127 49156 44 S 1540289280 0 2048 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46126 445 44 S 1540354817 0 1024 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46127 445 44 S 1540289280 0 4096 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46126 49152 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46127 49152 44 S 1540289280 0 4096 - - - RECEIVE
2009-12-19 13:35:01 DROP TCP 172.16.30.135 172.16.30.138 46126 135 44 S 1540354817 0 2048 - - - RECEIVE
2009-12-19 13:35:01 DROP TCP 172.16.30.135 172.16.30.138 46127 135 44 S 1540289280 0 3072 - - - RECEIVE
2009-12-19 13:35:03 DROP TCP 172.16.30.135 172.16.30.138 46126 49154 44 S 1540354817 0 3072 - - - RECEIVE
2009-12-19 13:35:03 DROP TCP 172.16.30.135 172.16.30.138 46127 49154 44 S 1540289280 0 2048 - - - RECEIVE
What? Shouldn't there be more?
Nope… That is it.
I am sure you want to know if I enabled logging like so:
netsh firewall>set logging droppedpackets=ENABLE
Oh!!! There are other options you can play with too!!!
netsh firewall>set logging connections=ENABLE
Wait…?? There are four?
set logging [ [ filelocation = ] path [ maxfilesize = ] 1-32767 [ droppedpackets = ] ENABLE|DISABLE [ connections = ] ENABLE|DISABLE ]
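The records quoted above are easy to turn into something you can count, which is how you notice that a port scan of many ports left only sixteen DROP records behind. The script below is an added example for this segment, not code from the show, from John, or from Microsoft. It reads Windows Firewall log records in the field order the excerpts above use (the #Fields header in the sample mirrors the W3C-style header the log file writes and is included as an assumption), skips header and malformed lines, counts drops per source, and lists the distinct destination ports each source was seen probing. The sample input is constructed from the excerpts above plus one junk line to show the parser ignoring it; the default log path on Vista/7 is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.

```python
"""Parse Windows Firewall dropped-packet records (pfirewall.log format) and
summarise them per source.  Added example for this segment, not code from the
show or from Microsoft."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the '#' header lines mirror the W3C-style header the
# firewall log writes (assumed here); the records are copied from the
# excerpts in this segment, one per line, plus a junk line to be skipped.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-12-21 10:57:02 DROP UDP 172.16.30.1 172.16.30.255 61452 137 78 - - - - - - - RECEIVE
2009-12-21 10:57:05 DROP UDP 172.16.30.1 172.16.30.255 64002 137 78 - - - - - - - RECEIVE
2009-12-19 13:34:48 DROP TCP 172.16.30.135 172.16.30.138 46126 49155 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:48 DROP TCP 172.16.30.135 172.16.30.138 46127 49155 44 S 1540289280 0 4096 - - - RECEIVE
2009-12-19 13:34:49 DROP TCP 172.16.30.135 172.16.30.138 46126 49153 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:52 DROP TCP 172.16.30.135 172.16.30.138 46126 139 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:34:57 DROP TCP 172.16.30.135 172.16.30.138 46126 49156 44 S 1540354817 0 1024 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46126 445 44 S 1540354817 0 1024 - - - RECEIVE
2009-12-19 13:34:58 DROP TCP 172.16.30.135 172.16.30.138 46126 49152 44 S 1540354817 0 4096 - - - RECEIVE
2009-12-19 13:35:01 DROP TCP 172.16.30.135 172.16.30.138 46126 135 44 S 1540354817 0 2048 - - - RECEIVE
2009-12-19 13:35:03 DROP TCP 172.16.30.135 172.16.30.138 46126 49154 44 S 1540354817 0 3072 - - - RECEIVE
this line is garbage and must be skipped
"""

# date time action protocol src dst sport dport size tcpflags tcpsyn tcpack
# tcpwin icmptype icmpcode info path
FIELD_COUNT = 17


@dataclass(frozen=True)
class Record:
    date: str
    time: str
    action: str      # DROP or ALLOW
    protocol: str    # TCP, UDP, ICMP, ...
    src_ip: str
    dst_ip: str
    src_port: str    # '-' for protocols without ports
    dst_port: str
    size: int
    tcpflags: str
    path: str        # SEND or RECEIVE


def parse_log(text: str) -> list[Record]:
    """Return the well-formed records in `text`; header and malformed lines are skipped."""
    records: list[Record] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                       # W3C header / comment line
        parts = line.split()
        if len(parts) != FIELD_COUNT:
            continue                       # truncated or foreign line: ignore, never crash
        date, time, action, proto, src, dst, sport, dport, size, flags = parts[:10]
        if not size.isdigit():
            continue
        records.append(Record(date, time, action, proto, src, dst,
                              sport, dport, int(size), flags, parts[16]))
    return records


def drops_by_source(records: list[Record]) -> dict[str, int]:
    """Number of DROP records per source address."""
    counts: dict[str, int] = defaultdict(int)
    for r in records:
        if r.action == "DROP":
            counts[r.src_ip] += 1
    return dict(counts)


def distinct_dst_ports(records: list[Record], src_ip: str, protocol: str = "TCP") -> set[int]:
    """Destination ports one source was seen probing, from its dropped packets only."""
    return {int(r.dst_port) for r in records
            if r.action == "DROP" and r.src_ip == src_ip
            and r.protocol == protocol and r.dst_port.isdigit()}


def scan_candidates(records: list[Record], min_ports: int = 5) -> list[str]:
    """Sources whose dropped TCP packets touched at least `min_ports` distinct ports.
    If a scan you know ran shows up here with only a handful of ports, the log
    under-reported, which is exactly the behaviour this segment complains about."""
    sources = {r.src_ip for r in records if r.protocol == "TCP"}
    return sorted(s for s in sources if len(distinct_dst_ports(records, s)) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for src, n in sorted(drops_by_source(recs).items()):
        print(f"{src}: {n} drops, TCP ports {sorted(distinct_dst_ports(recs, src))}")
    print("scan-like sources:", scan_candidates(recs))
```

Point it at a real file with `parse_log(open(path).read())`; the per-source port count is the number to compare against what your scanner actually sent when you want to measure how much the log is missing.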
Check this out for a comparison:
I knew I was missing something -- simple? So I contacted the smartest Windows guy I know, Jason Fossen. He said, and I am paraphrasing here, "yep."
You see there is a possibility that there is some rate filtering happening somewhere either in the TCP/IP Stack or in the firewall itself where it will not catch and display the packets it is dropping and logging…
We can call it the vortex-of-suck™
For the next session I am going to discuss IPSec filters in the hope that it is better.
If I were you, I would not get my hopes up.
Stories For Discussion
- The drone stuff gets better - [Larry] So now, not only are other video feeds from other military devices allegedly viewable, the feeds that do exist contain alleged mission control metadata in the stream. Mmmm, metadata. Think that might be useful? It also looks like my assessment of the situation was right
- Zap your RFID tags - [Larry] - Please don't do it to mine. By pulsing some high powered EM, it can burn out RFID chips and some USB drives. This sounds like a project for a shop night…
- ActionScript FAIL - [Larry] - Wow, so some certain ActionScript can be poorly configured so that it will allow for XSS after a user clicks on the flash object. No one would EVER click on a flash object, would they? Certainly not on one of the possible 8 MILLION affected websites...
- "Cheat" Sheet Jackpot! - [PaulDotCom] - most people love cheat sheets. I do too, because I don't want to have to read useless crap when you can just tell me how to do something. Cheat sheets are great, they can be used to document some of those more obscure command options that you figured out once, but have since forgotten.
- Mitigation? - [PaulDotCom] - Adobe comes out and says that DEP will protect users from exploitation of a vulnerability (APSA09-07). However, Immunity has an exploit working on XP SP3 32-bit with DEP enabled. W00t! Go Immunity, that's just so awesome. Adobe, get your act together. Pen testers and security teams, have a penetration testing process that can uncover stuff like this.
- pfsense walk-through - [pauldotcom] - pfsense looks awesome, detects the NIC cards for you, web interface, FreeBSD based. For a firewall, this is what I am going with, especially now there is this nice tutorial.
- When Will People Learn - [PaulDotCom] - This story just kills me. I mean it's neat, hackers stealing cash from ATMs, arrests, Russia, all very Hollywood. However this part just makes me want to jump up and slap someone, "gained unauthorized access to 7-Eleven, Inc.'s servers through 7-Eleven's public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,". We preach about SQL injection, we show people how to find it. We also tell people not to be stupid and design their network like it's 1994. Wise up people, this isn't rocket science!
- The 5 Essential Patches of 2009! - [PaulDotCom] - So, if you read the title of that article and said, "Great, I only have to worry about 5 patches" you are probably already 0wned. This is just a ridiculous blog post, and the kind of thing we've been reading all week. I mean, sure, do a year end post, but make it worth something. There were TONS of patches in 2009, the importance depends on you and your organization.
Other Stories Of Interest
- Dell Mini 9 suffers meltdown, scorches owner's floor - [PaulDotCom] - Would have been much worse if it had been in your lap!
- Bluetooth handset hacks - [PaulDotCom] - Cool Bluetooth handset hacks.