Friday, March 31, 2017

BEFORE BREAKING THE FIREWALL DEFENSE

How to set iptables to drop packets that I'm not listening on?


I've got a Kali Linux box I use for pen testing.
I would like to configure my machine to DROP incoming packets, but only when I'm not listening on them.
e.g. if I run a netcat listener on port 80, I would like connections from the internet to be possible, but as soon as I stop netcat I would like the packets to be dropped rather than rejected.
I know this would be possible by the use of scripts, but is there any support for iptables to do this automatically?
I have had a suggestion to use the NFQUEUE target for all incoming packets, but then I'll have to modify the source of the listening application (if no user-space application is listening on the specified queue, the packets are dropped).
shareimprove this question

3 Answers

If never seen this done without a script, so here is a baseline script for you to accomplish this:
checkht="lsof -c httpd | awk '{print $1}' | uniq | grep h"

if [ -n "$checkht" ]; then

    echo "webserver is running let me shut down uptables rules blocking HTTP"
    iptables -vnL --line-numbers |awk '/tcp dpt:80/{print "iptables -D INPUT "$1}' | sh

else

   iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP

fi
Checks to see if http is running, if it is, it makes sure that IPTABLES has no rule blocking HTTP. If it's not running, it blocks the world from reaching that port. However, because you're not listening on the port, the rule to block makes little sense. There is nothing for anyone to attack since nothing is running.
shareimprove this answer
   
Thanks. It is possible to detect whether there is anything listening because of the RST reply - that's why it makes sense to drop it. – SilverlightFox May 19 '14 at 14:17
   
Understood, I usually have a drop all rule as my last rule, so no resets are sent. – munkeyoto May 19 '14 at 14:37
   
Do you have to remove that rule if you start services listening? – SilverlightFox May 19 '14 at 14:39
   
You can run it via cron to check like N amount of minutes, or... You can likely make your own apachectl like start file to run it in the background. Depends on your machine. You can run it from cron to check like every minute or so, or like I said, edit apachectl, so when you shut off HTTP, it does its checks and balances – munkeyoto May 19 '14 at 15:01
The short answer is: no by design, and here's an example of what would need to happen if it was possible:
  1. netcat opens socket on port X by calling the relative syscall (such as listen)
  2. kernel traps syscall, executes network code (in this case, opens port)
  3. kernel talks to the relative iptables module (assuming it's available and loaded) and opens a hole in the firewall to let traffic go to the newly opened port.
This would open up a potential security hole: how would the kernel know that the program is legitimate, i.e. is not a trojan that wants to open a remote shell? Here are a few answers:
  • Because the program is whitelisted somewhere; but this would shift the security into another set of issues:
    • how do you know that the program hasn't been compromised? You could use something like tripwire, but this opens up another security question: how can you guarantee that the master list is not compromised?
    • how do you deal with updates? E.g. version Z of ssh can punch holes through the firewall; your system self-updates, now the hash of ssh changed, and you are locked out.
  • Because the user launching it belongs to a privileged group: how do you deal with SUID binaries? Take a look at the ping program permissions for example.
Another can of worms^W^W^W set of potential issues would be the interface between iptables (at kernel level) and the syscalls; every minor change in iptables would require a potential rewrite of the code underlying the syscalls, introducing bugs, etc.
In a nutshell, you are describing the problem that application firewalls face (think about Windows or Mac firewalls). It's do-able, but it's not simple.
At a networking level you might want to take a look at UPnP whose function was to allow services to punch holes through a gateway's firewall. With the obvious security consequences.
Or you could use a script instead :)
shareimprove this answer
you could write a simple bash script that parses out netcat output and builds a new iptables ruleset accordingly every time its running.
You probably have to make sure that you allow connections first before you set the drop all rule else you would reset all running connections each time the script runs.
Then you could set a cronjob that will run your script every minute.
As lorenzog pointed out this might not be the most secure setup, on the other hand if you have no iptables running by default then this is probably better than nothing.
Also you could set a range of port as a whitelist and ignore all other ports that netstat spits out...
As this is about your Kali box (VM?) it should only be running for specific tasks anyways. Kali is not meant to be used as a default client/server operating system for daily tasks. So I would let you get a away with this kind of dynamic firewall setup ;)
shareimprove this answer

https://security.stackexchange.com/questions/58268/how-to-set-iptables-to-drop-packets-that-im-not-listening-on

SOME VERY SPECIAL STUFF TO BREAK FIREWALL


Move an iptables firewall rule up the chain before a reject rule
Thursday - Feb 4th 2016 - by  - (0 comments)
Tried to add a CentOS 6.5 server from an old server environment to Icinga 2.
However the connecton to NRPE didn't work, although I added an iptables rule to allow tcp/5666 on the CentOS machine:
root@centos ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
On the Icinga server I tried a quick verification with telnet and it failed:
root@icinga:~# telnet centosip 5666
Trying centosip...
telnet: Unable to connect to remote host: No route to host
First I suspected routing or VPN issues (the mentioned old server environment was added into our enterprise LAN by using a VPN tunnel), but tcpdump on the centos machine showed me an incoming connection:
[root@centos ~]# tcpdump port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:49:01.018023 IP icingaip.58437 > centos.5666: Flags [S], seq 1750895406, win 29200, options [mss 1368,sackOK,TS val 1991589648 ecr 0,nop,wscale 7], length 0
A quick look at the iptables revealed something interesting:
[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination        
  21G 4775G ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
21667 1820K ACCEPT     icmp --  *      *       0.0.0.0/0    0.0.0.0/0     
1235K   74M ACCEPT     all  --  lo     *       0.0.0.0/0    0.0.0.0/0     
 3297  198K ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:22
 631M   38G ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9200
 265K   16M ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9300
   58  3480 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:80
  18M 1852M REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:5666

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination        
    0     0 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 2131 packets, 593K bytes)
 pkts bytes target     prot opt in     out     source          destination
The INPUT policy was set to ACCPT, however a "REJECT" rule was added. It the machine would have been set up by me, I'd rather use a policy REJECT and define accept rules... but that train has departed and the machine was set up this way years ago.
So the problem now is that the newly added rule for port tcp/5666 was added after the general reject line.
Unfortunately a rule cannot be just "moved up" in the list, but it can be recreated with a fixed position.
By using the --line-n parameter, the same rules can be looked at with the rule numbers:
[root@centos ~]# iptables -nvL --line-n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out  source      destination        
1      21G 4775G ACCEPT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      state RELATED,ESTABLISHED
2    21678 1821K ACCEPT     icmp --  *      *    0.0.0.0/0   0.0.0.0/0          
3    1235K   74M ACCEPT     all  --  lo     *    0.0.0.0/0   0.0.0.0/0          
4     3299  198K ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      state NEW tcp dpt:22
5     631M   38G ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:9200
6     265K   16M ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:9300
7       58  3480 ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      tcp dpt:80
8      18M 1852M REJECT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      reject-with icmp-host-prohibited
9        0     0 ACCEPT     tcp  --  *      *    0.0.0.0/0   0.0.0.0/0      state NEW tcp dpt:5666

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out  source      destination        
1        0     0 REJECT     all  --  *      *    0.0.0.0/0   0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 124K packets, 32M bytes)
num   pkts bytes target     prot opt in     out  source      destination     
 So if I delete the rule and insert it before the reject line, it should be fine.
[root@centos ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
[root@centos ~]# iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination         
  21G 4775G ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      state RELATED,ESTABLISHED
21693 1822K ACCEPT     icmp --  *      *       0.0.0.0/0    0.0.0.0/0           
1235K   74M ACCEPT     all  --  lo     *       0.0.0.0/0    0.0.0.0/0         
 3301  198K ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:22
 631M   38G ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9200
 265K   16M ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:9300
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      state NEW tcp dpt:5666
   58  3480 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:80
  18M 1852M REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source       destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0       reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3302 packets, 955K bytes)
 pkts bytes target     prot opt in     out     source       destination         
The rule for tcp 5666 was inserted (-I) at line 7, pushing down the previous line 7 (tcp/80) down. It is now definitely above the reject rule, so will it work?
root@icinga:~# telnet centosip 5666
Trying centosip...
Connected to centosip.
Escape character is '^]'.
^]quit

telnet> quit
Yes, it worked! 

hello! welcome back to war! Title: Downloads Resources over HTTP Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. Source: nodesecurity Severity: high

imageoptim is a Node.js wrapper for some images compression algorithms.
imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.


This plugin gzips your static resources.

It then sets the Transfer-Encoding header on the resources when rendering them.

Builds on the "Resources" framework plugin 

Todos:

* Add "excludes" URIs via Config to prevent certain types and URIs being handled in this way - 
  e.g. by default should exclude all image and pre-zipped formats but also allow excluding whole URIs and types.
  Allow closure to determine it at runtime. e.g.:

  zipped.resources.excludes = [
     '*.gif',
     '*.jpg',
     '*.jpeg',
     '*.png',
   '*.pdf',
   '*.zip',
   '*.gz',
   '*.dmg',
   { uri ->
      return !uri.startsWith('user-content')
   }
  ]

* Add a "minimum size" threshold under which it will not bother gzipping.
  Default to sane value circa 300bytes. Files smaller than this come out
  bigger as zips.

Satellite hacking Intel 1 (BACK@WAR CyberArmy friends let´s start Satellite GPS navigation hack IT WILL HV A PRICE)

  https://stackoverflow.com/questions/63010812/how-to-access-http-port-5001-from-public-internet