
B
Premium,MVM
join:2000-10-28

reply to qrkx
Re: El Cheapo Router Challenge


As you've implied a couple of times, local testing would certainly seem to be a faster way to determine some of these details. Blake's the one with all the spare boxes, and you're the one with expertise, so perhaps the box-specific "de-fragmentation" test and others are best handled after the public challenge phases are over?

Thanks again to both of you for a real learning experience.

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
I used to love fragmented packets

OK, next victim is almost ready. This is a Windows XP Pro, SP2 system, meaning there are no other updates etc. applied, just what was on the install CD. It is configured as per default settings, except I turned off automatic updates. It will be running Link Logger as I will move it into the DMZ so it will be open for all manner of attacks, but I'll be able to log those attempts. Also I will be running a sniffer on the LAN to see if anyone gets it. So get ready to rumble, gang.

The idea here is to get past XP's native software firewall.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


victim

@shawcable.net

reply to Link Logger
The setup information for our new victim:

IP Address : 70.72.32.238
Default Gateway : 70.72.32.1
DNS 1 : 64.59.135.133
DNS 2 : 64.59.135.135

There is an admin user Bob with a password of Bob and an open file share on the system.

Blake

B
Premium,MVM
join:2000-10-28

reply to Link Logger
Would it be better to expose it directly to the broadband modem? I mean, are we completely sure that forwarding all ports via the pseudo-"DMZ" on the SOHO router is exactly equivalent to a raw connection, from a security perspective?

-- B
--
In a realm outside causality and function

Michel000

join:2005-08-17
Nederland
Did anyone test the routers with spoofed TCP packets? I mean Link Logger connected to a host and someone else sending spoofed TCP packets using the same ports and IPs? The router should check the sequence number, I guess, but you never know...


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
Sorry guys I had to pull the cable there for a minute as I thought I saw something interesting but there was so much traffic that I had to pause it somehow, but it was nothing and so game on.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


jig

join:2001-01-05
Hacienda Heights, CA

reply to B
said by B:

Would it be better to expose it directly to the broadband modem? I mean, are we completely sure that forwarding all ports via the pseudo-"DMZ" on the SOHO router is exactly equivalent to a raw connection, from a security perspective?

-- B

I would think this would be better also, but then sniffing is harder? Although his device is in the DMZ, the router still does an address translation, and there's always the chance for a bug or some other issue.


victim

@shawcable.net

reply to Link Logger
A request, if I may, for someone at QWest who is scanning but includes x pings per port scan: can you skip the pings? Trust me I'm here, but your pings are not being responded to (also what scanning package are you using?).

I could turn a response for those on at the firewall, but I doubt XP firewall is going to respond to them either (anyone confirm this?).

Blake


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
I do much prefer being behind an active NAT device when I'm running a sniffer, as there are freaking tons of events in the sniffer so it's hard to even find anything, as I'm seeing every hit that is being stopped by XP's firewall, and when Link Logger is logging at least 10,000 hits per hour you can guess what the sniffer is logging as it gets each packet (minus the syslog events from the router).

My one concern at the moment is if I pull the router out, that I might be a new IP address.

Also, does anyone think they have a winner yet? (You can IM if you wish.)

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

said by Link Logger:

My one concern at the moment is if I pull the router out, that I might be a new IP address.

On the lighter side of it think about the bewilderment & puzzlement of the unfortunate soul who fell into your current IP.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
So far it appears that XP's built in firewall is invincible (that is tough talk gang, smack it down if you can). Where are all the nay-sayers about XP's firewall?

Should I switch to a dialup connection?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

B
Premium,MVM
join:2000-10-28


Um, where were the claims about XP firewall being poor?

If anything, the claims I remember were that it was BETTER than other software firewalls because it loaded earlier or at a lower level?

You're not going to extend this to other software firewalls, are ya?

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
I might be able to find some time to load up the latest version of ZoneAlarm, or what would be of the most interest to everyone?

Blake

Tuulilapsi
Kenosis

join:2002-07-29
Finland


reply to B
Those claims were all over this forum back when people first started discussing the XP firewall as a serious alternative to the likes of the usual ZA, Sygate, Outpost and even El Cheapo routers.

As for the XP firewall, you'd think Microsoft have stress-tested it for lesser millennia as part of their new interest in security.
--
Want security? Run as limited user.

Bane75

join:2002-09-20
Poway, CA

reply to qrkx
said by qrkx:

Blake,

One of the tests that you should perform is how each of the boxes you have deals with fragmentation.

NAT does not perform reassembly of IP datagrams but the packet filtering on the box might do some. In both cases interesting opportunities arise.

I remember an old IPFilter problem where incorrect fragmentation parsing led to exposing filtered ports...

rgds.

Fragmentation checking is one of the methods I wanted to try. I was planning on running Fragrouter against the devices. The techniques implemented in Fragrouter are able to bypass many IDS/IPS devices, so it would be interesting to see if it is able to bypass the SOHO routers. Another method I was planning on trying is Firewalking, to see if altering the TTL will allow packets to go through.

I have been working on testing a couple of IPS devices for work, so I haven't had time to try either method. Anyone tried either tool yet?
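
The fragmentation concern raised in the two posts above, seen from the filter's side (an added example, not code from any poster or product in this thread): a packet filter that does not reassemble can still apply the RFC 1858 checks to each IPv4 fragment, and this sketch goes one step further by also rejecting overlapping byte ranges. The function names, the `TMIN` value and the sample fragments are assumptions constructed for illustration.

```python
import struct

TCP, TMIN = 6, 16  # TMIN: assumed minimum TCP bytes in a first fragment (covers the flags)
FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_frag(ident, offset_units, more, payload):
    """Constructed sample fragment (documentation addresses, checksum left 0)."""
    flags_off = (0x2000 if more else 0) | offset_units
    return struct.pack(FMT, 0x45, 0, 20 + len(payload), ident, flags_off, 64, TCP, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def parse_frag(pkt):
    """Return (datagram key, byte offset, payload length, more-fragments flag)."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return ((src, dst, proto, ident), (flags_off & 0x1FFF) * 8,
            total - ihl, bool(flags_off & 0x2000))

def inspect(packets):
    """Return (ident, reason) for every fragment a filter should drop."""
    seen, verdicts = {}, []   # seen: datagram key -> accepted (start, end) byte ranges
    for pkt in packets:
        key, off, length, more = parse_frag(pkt)
        proto, ident = key[2], key[3]
        if off == 0 and not more:
            continue                                  # whole datagram, nothing to check
        if proto == TCP and off == 0 and length < TMIN:
            verdicts.append((ident, "tiny-first-fragment"))   # flags not in fragment 0
        elif proto == TCP and off == 8:
            verdicts.append((ident, "fragment-offset-1"))     # would land inside TCP header
        elif any(off < end and start < off + length for start, end in seen.get(key, [])):
            verdicts.append((ident, "overlap"))               # rewrites inspected bytes
        else:
            seen.setdefault(key, []).append((off, off + length))
    return verdicts

SAMPLE = [  # constructed traffic: datagram 1 is clean, 2-4 each trip one check
    build_frag(1, 0, True, b"A" * 24), build_frag(1, 3, False, b"B" * 16),
    build_frag(2, 0, True, b"A" * 8),
    build_frag(3, 0, True, b"A" * 24), build_frag(3, 1, False, b"B" * 16),
    build_frag(4, 0, True, b"A" * 24), build_frag(4, 2, False, b"B" * 16),
]

if __name__ == "__main__":
    for ident, reason in inspect(SAMPLE):
        print(f"drop datagram id={ident}: {reason}")
```

A filter that only looks at the first fragment's ports and flags relies on later fragments not changing those bytes, which is what the offset and overlap checks enforce.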

systems2000
What? You Say It's Fixed. Hah

join:2001-11-29
Cyberspace
reply to Link Logger
Since there is little discussion about LnS around these forums, I'd like to see how it holds up and what your opinion of its features is.

»www.looknstop.com/En/index2.htm


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
It appears that XP's built in firewall is pretty tight as it has yet to be penetrated, but I see that some people are still testing it so I'll leave it up for a little longer.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
reply to Link Logger
Shut down the scans and such as I'm going to take the system down. Any other requests before we wrap up this challenge for now?

Blake


TheGiant
Next Year Is Here.

join:2001-03-28
Augusta, GA

reply to Link Logger
How about Windows ISA Server default setup?


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
OK so that completes another edition of 'El Cheapo Router Challenge'. What I hope that everyone got from this is next time you hear someone say they can hack your cheap (but from a reputable vendor) router, your response ought to be 'prove it' or perhaps more simply 'bullshit'. If they are convinced that they can hack your router please by all means direct them here and I would be happy to put up a cheapo router for them to demonstrate on.

Even XP's built in firewall is tight (note no one picked up on my dialup connection as there is a bug there which you should be aware of and that Microsoft has patched, so all you folks who use XP's built in firewall for dialup connections, please check your patch level).

As I have always claimed these security devices will not solve world hunger or anything like that, but they will stop unsolicited inbound network attacks, which is one of the most common attack vectors if not the most common in terms of assaults per day on your system. They will not stop solicited attacks such as email viruses or browser drive-bys, but they are likely the easiest security devices you can install and require the least amount of upkeep (if any). To stop solicited attacks you need to have a current Anti-Virus and keep your system fully patched and of course practice safe hex on the internet.

The internet can be a safe place with at most only a small investment in time and money towards:

- firewall
- current Anti Virus
- staying current with patches

Things like Anti Spyware while optional are a good idea as well.

I'd like to thank everyone for participating and particularly qrkx who demonstrated some of the very real limits in protocol security.

Remember, the router challenge is always open; if you or someone else thinks they have an exploit, I'm always willing to help them demonstrate it.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel