
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to qrkx

Re: El Cheapo Router Challenge

The IP address is still 70.72.32.209

This router is the chattiest little bugger I think I've ever seen. The PnP traffic and such on the LAN borders on stupid.

But I think it's getting close to having some fun time, so stay tuned for hacking 101. Anyone who is still blasting away at the 604 and wants me to leave it up, let me know.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

OK, after three cheap home routers no one has been able to get a file onto or off of the victim PC. qrkx was able to sneak some packets by the NAT device, but with marginal consequences if any.

I'm going to build an XP SP2 (no patches beyond SP2) and we are going to see just how well XP's built-in firewall does, as it also takes a ton of flak. But before I do that I would like people to know just how vulnerable the victim PC is, so I'm going to stick it out on the internet and the challenge will be to own the system before one of the locally infected bot systems does (like most ISPs, Shaw has no shortage of infected and scanning systems). Now please do not blow the system up (as it's beside my desk), don't whack anyone else who is 'visiting' and don't put up anything other than text files claiming you were here (i.e. no exes etc. and no PORN). I will be nuking and repaving the whole system afterward as I prepare the XP SP2 system. I'll leave the system up for a while so people can visit it and do so in different ways.

Think of the system as a large wall which is available for your txt graffiti and treat it responsibly but also remember it is likely to be owned by some bot(s) etc as time goes.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

The IP Address is 70.72.32.238

The system will be logged so we can see who is first, BBR folk or a local worm. Currently the system is behind a Linksys WRT54GS but will be pushed onto the internet by being placed in the Linksys's DMZ, which will leave it completely out in the open. This should also serve as a warning about using port forwarding or DMZ, as the router can't protect you there.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 edit
reply to Link Logger

System was owned within 7 minutes by a local bot.

Edit -> I'll leave the system up for a while unless it goes into a major scanning and infection mode, and we will do the XP SP2 thing tomorrow morning if that is OK with everyone, as it is Friday night.

Blake



Michael
Premium
join:2001-05-06
Canada

1 edit

Just to clarify, Blake, the system that was owned so quickly is XP SP2 (no further updates) placed in the DMZ with the Windows Firewall disabled?

Edit: I just re-read a prior post of yours and see that for this test the Windows Firewall was disabled.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

First to leave a txt file in the shared directory would be ??

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Michael

This system is a totally unpatched XP system, no service packs, no patches, so the NAT device was the only thing protecting it from a quick death, which is what happened when I pushed it out into the so-called DMZ.

I'll put up the XP SP2 system tomorrow.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Michael
Premium
join:2001-05-06
Canada

Thanks for the clarification and for creating this very interesting challenge.
--
dltbw



Victim

@shawcable.net
reply to Link Logger

The winning bot:

the exploit

Nov 04, 2005 16:29:34.315 - (TCP) 70.72.206.128 : 2413 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:29:34.355 - (TCP) 70.72.206.128 : 2415 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:31:13.238 - (TCP) 70.72.206.128 : 1800 >>> 192.168.1.102 : 135 RPC Scan

the call back to get the rest of the worm

Nov 04, 2005 16:32:08.417 - (TCP) 192.168.1.102 : 1152 >>> 70.72.206.128 : 9317

I put the system into the DMZ at about 16:25:10

Blake
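The four log lines Blake posted above are the whole story of the compromise: three inbound probes of TCP/135 from one Shaw address, then an outbound connection from the victim back to that same address on a high port to fetch the rest of the worm. The script below is an added example written for this thread; it is not part of the thread, nor code from Link Logger or its vendor. It parses lines in the format shown, measures how long after DMZ exposure the first probe arrived, and flags a LAN host that connects back out to an address which probed it shortly before, which is the pattern a defender would alert on. The 192.168.1.0/24 LAN range, the 15-minute correlation window, and the exposure time of 16:25:10 quoted from the post are assumptions; the sample input is the posted excerpt, reused here as constructed test data.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the four Link Logger lines quoted in the thread above.
SAMPLE_LOG = """\
Nov 04, 2005 16:29:34.315 - (TCP) 70.72.206.128 : 2413 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:29:34.355 - (TCP) 70.72.206.128 : 2415 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:31:13.238 - (TCP) 70.72.206.128 : 1800 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:32:08.417 - (TCP) 192.168.1.102 : 1152 >>> 70.72.206.128 : 9317
"""

# Assumed layout of a Link Logger line, inferred only from the quoted excerpt:
# "<timestamp> - (<proto>) <src> : <sport> >>> <dst> : <dport> [<tag>]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"\((?P<proto>\w+)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)(?: (?P<tag>.*))?$"
)
TS_FORMAT = "%b %d, %Y %H:%M:%S.%f"


def parse_ts(text):
    """Parse a timestamp in the log's own format, e.g. 'Nov 04, 2005 16:25:10.000'."""
    return datetime.strptime(text, TS_FORMAT)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": parse_ts(m["ts"]),
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "tag": m["tag"] or "",
        })
    return events


def exposure_to_first_probe(events, exposed_at, victim):
    """Seconds from the moment the host was exposed to the first inbound hit on it."""
    exposed = parse_ts(exposed_at)
    hits = sorted(e["ts"] for e in events if e["dst"] == victim and e["ts"] >= exposed)
    return (hits[0] - exposed).total_seconds() if hits else None


def find_callbacks(events, lan="192.168.1.0/24", window_s=900):
    """Flag LAN hosts that connect out to an address which probed them within window_s.

    An inbound probe followed by an outbound connection to the prober is the
    shape of a successful exploit fetching its second stage, which is exactly
    what the posted excerpt shows.
    """
    lan_net = ip_network(lan)

    def inside(addr):
        return ip_address(addr) in lan_net

    first_inbound = {}  # (remote, victim) -> timestamp of first probe
    ports_hit = {}      # (remote, victim) -> set of probed destination ports
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if inside(e["dst"]) and not inside(e["src"]):
            key = (e["src"], e["dst"])
            first_inbound.setdefault(key, e["ts"])
            ports_hit.setdefault(key, set()).add(e["dport"])
        elif inside(e["src"]) and not inside(e["dst"]):
            key = (e["dst"], e["src"])
            if key in first_inbound:
                delay = (e["ts"] - first_inbound[key]).total_seconds()
                if delay <= window_s:
                    alerts.append({
                        "remote": e["dst"], "victim": e["src"],
                        "inbound_ports": set(ports_hit[key]),
                        "callback_port": e["dport"],
                        "callback_ts": e["ts"],
                        "delay_s": delay,
                    })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    exposed = "Nov 04, 2005 16:25:10.000"  # assumed from "about 16:25:10" in the post
    print("first probe after exposure: %.3f s"
          % exposure_to_first_probe(evs, exposed, "192.168.1.102"))
    for a in find_callbacks(evs):
        print("%s probed %s on %s, callback to port %d after %.3f s"
              % (a["remote"], a["victim"], sorted(a["inbound_ports"]),
                 a["callback_port"], a["delay_s"]))
```

Run against the posted lines it reports one callback: 70.72.206.128 probed 192.168.1.102 on port 135 and received a connection back on port 9317 about 154 seconds after its first probe, roughly seven minutes after the host went into the DMZ, which matches Blake's "owned within 7 minutes". The same inbound-then-outbound correlation is what an egress filter or IDS rule should key on, since the initial probe alone is indistinguishable from the background scanning Blake describes.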



Gabriel 22

join:2005-11-04
Canada
reply to Link Logger

Routers don't act like pc users.

Maybe getting the end user to download a file when they open a webpage is the only way to affect the PC behind the router.

I say this because this seems to be the goal in this challenge. Then the challenge is how to get the file onto the PC without being noticed.

Am I correct?
--
Happy Dell PC Owner.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ

1 recommendation

No... the goal is to get past the NAT router. It has nothing to do with requiring a user to take an action - we all know users are stupid. We think NAT routers are smarter.



BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000
reply to jvmorris

Re: NAT Challenge

said by jvmorris:

The 7004ABR is not just 'sold as' a firewall, it actually 'has' some rudimentary firewalling functionality above and beyond its basic NAT functionality.

Sure they are. Maybe the person or site who sold you yours didn't sell it to you for use as a firewall, but the SMC resellers I know sell them all the time as firewalls. Their glossy pubs highlight the feature in detail as a selling point as well.
--
Captain of the ATU Tux Racer Clan.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

I was 'extending' your statement, BT, not contradicting it. As originally phrased, it was subject to misconstrual as being nothing but a marketing ploy, hence my "not just 'sold' (emphasis added); my point was that there's actually a bit of substance in this case.
--
Regards, Joseph V. Morris



BeesTea
Internet Janitor
Premium,VIP
join:2003-03-08
00000

I see. Text will do that sometimes =(

I didn't follow your meaning.
--
Captain of the ATU Tux Racer Clan.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

Re: El Cheapo Router Challenge

Everyone who wanted to had a shot at the victim PC, as it's time to start the nuke and pave.

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

reply to Link Logger

Stop your scans/attacks/whatever, as I have disconnected the victim and will now start rebuilding it for our XP SP2 firewall test. Hopefully anyone who tried found it rather simple to get onto this system, and hence that the NAT device was able to defend this open system successfully, as no one got onto it before.

I'll get the XP SP2 system up for testing tomorrow around noon local time.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Victim

@shawcable.net

1 recommendation

reply to Link Logger

I shut down the victim system after noticing that it went into scan/attack mode and having a little bit of time tonight I thought I would just take a quick look and see what bots I could find that had installed themselves on the unprotected system in the short time that I left it up.

C:\WINDOWS\System32\dfrgfat32.exe
dfrgfat32.exe - infected by Backdoor.Win32.SdBot.afu

C:\WINDOWS\System32\msftp.exe
msftp.exe - infected by Backdoor.Win32.SdBot.afu

C:\WINDOWS\System32\i - Trojan-Downloader.BAT.Ftp.ab

C:\WINDOWS\System32\winPE.exe
winPE.exe - infected by Backdoor.Win32.Rbot.va

C:\WINDOWS\System32\USBhardware8.exe
USBhardware8.exe - infected by Backdoor.Win32.Rbot.gen

C:\WINDOWS\System32\service.exe
service.exe - infected by Backdoor.Win32.Rbot.ul

So you can see the system picked up at least 4 bots in about 2 hours. I didn't surf anywhere other than BBR once, which is safe, and don't have email, chat, P2P, whatever, so the only way these bots got onto the system was via network exploits, which the NAT devices were previously protecting the system from.

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

I should also comment that I did block outbound IRC traffic from the system when I pushed it onto the internet, otherwise it likely would have been much worse, as the botmasters would have installed even more malware than there was.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
kudos:1

But did you see any outbound IRC traffic attempts in the logs from the system during that time interval?
--
Regards, Joseph V. Morris


qrkx
Premium
join:2003-04-26
Montreal, QC
reply to Link Logger

Blake,

One of the tests that you should perform is how each of the boxes you have deals with fragmentation.

NAT does not perform reassembly of IP datagrams but the packet filtering on the box might do some. In both cases interesting opportunities arise.

I remember an old IPFilter problem where incorrect fragmentation parsing led to exposing filtered ports...

rgds.


B
Premium,MVM
join:2000-10-28


As you've implied a couple of times, local testing would certainly seem to be a faster way to determine some of these details. Blake's the one with all the spare boxes, and you're the one with expertise, so perhaps the box-specific "de-fragmentation" test and others are best handled after the public challenge phases are over?

Thanks again to both of you for a real learning experience.

-- B
--
In a realm outside causality and function



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

I used to love fragmented packets

OK, next victim is almost ready. This is a Windows XP Pro SP2 system, meaning there are no other updates etc. applied, just what was on the install CD. It is configured as per default settings, except I turned off automatic updates. It will be running Link Logger, as I will move it into the DMZ so it will be open for all manner of attacks, but I'll be able to log those attempts. Also I will be running a sniffer on the LAN to see if anyone gets it. So get ready to rumble, gang.

The idea here is to get past XP's native software firewall.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



victim

@shawcable.net
reply to Link Logger

The setup information for our new victim:

IP Address : 70.72.32.238
Default Gateway : 70.72.32.1
DNS 1 : 64.59.135.133
DNS 2 : 64.59.135.135

There is an admin user Bob with a password of Bob and an open file share on the system.

Blake


B
Premium,MVM
join:2000-10-28
reply to Link Logger

Would it be better to expose it directly to the broadband modem? I mean, are we completely sure that forwarding all ports via the pseudo-"DMZ" on the SOHO router is exactly equivalent to a raw connection, from a security perspective?

-- B
--
In a realm outside causality and function


Michel000

join:2005-08-17
Nederland

Did anyone test the routers with spoofed TCP packets? I mean Link Logger connected to a host and someone else sending spoofed TCP packets using the same ports and IPs? The router should check the sequence number, I guess, but you never know..



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

Sorry guys I had to pull the cable there for a minute as I thought I saw something interesting but there was so much traffic that I had to pause it somehow, but it was nothing and so game on.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



jig

join:2001-01-05
Hacienda Heights, CA
reply to B

said by B:

Would it be better to expose it directly to the broadband modem? I mean, are we completely sure that forwarding all ports via the pseudo-"DMZ" on the SOHO router is exactly equivalent to a raw connection, from a security perspective?

-- B

I would think this would be better also, but then sniffing is harder? Although his device is in the DMZ, the router still does an address translation, and there's always the chance for a bug or some other issue.


victim

@shawcable.net
reply to Link Logger

A request, if I may, for someone at Qwest who is scanning but includes x pings per port scan: can you skip the pings? Trust me, I'm here, but your pings are not being responded to (also, what scanning package are you using?).

I could turn a response for those on at the firewall, but I doubt XP firewall is going to respond to them either (anyone confirm this?).

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Link Logger

I do much prefer to be behind an active NAT device when I'm running a sniffer, as there are freaking tons of events in the sniffer so it's hard to even find anything, as I'm seeing every hit that is being stopped by XP's firewall. When Link Logger is logging at least 10,000 hits per hour you can guess what the sniffer is logging as it gets each packet (minus the syslog events from the router).

My one concern at the moment is if I pull the router out, that I might be a new IP address.

Also, does anyone think they have a winner yet (you can IM if you wish)?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by Link Logger:

My one concern at the moment is if I pull the router out, that I might be a new IP address.

On the lighter side of it, think about the bewilderment & puzzlement of the unfortunate soul who fell into your current IP.