Hijack well-known ports

Archived from groups: comp.security.firewalls

I have a LAN with a personal firewall installed on all workstations.
If the firewall rules for the workstation are:
1. Allow all outgoing traffic
2. Allow incoming traffic if the remote port is 445

Scenario:
An intruder hacked a workstation and hijacked port 445.

Question:
1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
well-known ports (<1024)?
2. Will the intruder be allowed to access all workstations?
3. How should I modify the rules to increase security?


Thanks
Chris
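Rule 2 in the question, as written, keys on the remote port, and the remote side chooses its own source port, so a rule of that shape admits whatever the remote host wants it to. The toy first-match filter below is an added example, not code from any of the posts; it compares rule 2 as posted with a rule keyed on the workstation's local port 445 and restricted to LAN sources, and with the known-MAC allowlist that one of the replies proposes. The LAN range, the MAC address, the packet layout and the sample traffic are assumptions made for the illustration.

```python
"""Added example for this thread (not code from any of the posts).

A toy first-match packet filter used to compare three ways of writing
the "allow inbound 445" rule from the question. Addresses, MACs and the
packet layout are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    inbound: bool      # True if the packet arrives at the workstation
    src_ip: str        # remote address
    src_port: int      # remote port, chosen by the remote side
    dst_port: int      # local port on the workstation
    src_mac: str = ""  # Ethernet source as seen on the LAN segment


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str        # "allow" or "deny"


def evaluate(pkt: Packet, rules: List[Rule], default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action
    return default


LAN = ip_network("192.168.1.0/24")       # assumed LAN range
KNOWN_MACS = {"00:11:22:33:44:55"}       # assumed "known good" MAC list

ALLOW_OUTBOUND = Rule("allow-all-outbound", lambda p: not p.inbound, "allow")

# (A) Rule 2 as posted: inbound allowed when the *remote* port is 445.
RULES_AS_POSTED = [
    ALLOW_OUTBOUND,
    Rule("allow-inbound-remote-445",
         lambda p: p.inbound and p.src_port == 445, "allow"),
]

# (B) Key on the *local* port instead, and accept LAN sources only.
RULES_LOCAL_445_FROM_LAN = [
    ALLOW_OUTBOUND,
    Rule("allow-smb-from-lan",
         lambda p: p.inbound and p.dst_port == 445
         and ip_address(p.src_ip) in LAN, "allow"),
]

# (C) The MAC allowlist suggested in the thread.
RULES_LOCAL_445_FROM_KNOWN_MAC = [
    ALLOW_OUTBOUND,
    Rule("allow-smb-from-known-mac",
         lambda p: p.inbound and p.dst_port == 445
         and p.src_mac in KNOWN_MACS, "allow"),
]

# Constructed traffic. 203.0.113.0/24 is a documentation range (RFC 5737).
LAN_PEER_SMB = Packet(True, "192.168.1.23", 1045, 445, "00:11:22:33:44:55")
INTERNET_SMB = Packet(True, "203.0.113.5", 1045, 445)
# An Internet host that sets its *source* port to 445 and aims at RPC (135).
INTERNET_SPORT_445_TO_RPC = Packet(True, "203.0.113.5", 445, 135)
# A LAN host that has copied the trusted MAC onto its own interface.
LAN_SPOOFED_MAC = Packet(True, "192.168.1.77", 1045, 445, "00:11:22:33:44:55")


def compare() -> dict:
    """Verdict of each rule set for each constructed packet."""
    sets = {"as_posted": RULES_AS_POSTED,
            "local_445_lan": RULES_LOCAL_445_FROM_LAN,
            "local_445_mac": RULES_LOCAL_445_FROM_KNOWN_MAC}
    pkts = {"lan_peer": LAN_PEER_SMB, "internet": INTERNET_SMB,
            "sport445_to_rpc": INTERNET_SPORT_445_TO_RPC,
            "spoofed_mac": LAN_SPOOFED_MAC}
    return {s: {p: evaluate(pkt, rules) for p, pkt in pkts.items()}
            for s, rules in sets.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Two things fall out of the comparison: rule set A blocks ordinary SMB clients (their source port is ephemeral, not 445) while admitting an outsider who sets source port 445 and aims at any local port, and rule set C passes a LAN host that has copied the trusted MAC. Keying on the local port and the LAN range (B) is the minimum; a workstation that shares nothing should simply deny inbound 445.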
  1.

    Chris wrote:

    > I have a LAN with a personal firewall installed on all workstations.
    > If the firewall rules for the workstation are:
    > 1. Allow all outgoing traffic
    > 2. Allow incoming traffic if the remote port is 445
    >
    > Scenario:
    > An intruder hacked a workstation and hijacked port 445.
    >
    > Question:
    > 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
    > well-known ports (<1024)?
    > 2. Will the intruder be allowed to access all workstations?
    > 3. How should I modify the rules to increase security?
    >
    >
    > Thanks
    > Chris

    Try here, for a long, but not complete, list of all the
    Windows holes found behind port 445:
    http://isc.incidents.org/port_details.html?port=445

    Different exploits give different capabilities, but standard
    firewall practice places the Windows networking ports (135,
    137, 138, 139, & 445) in the 'NEVER expose these to the Internet'
    category.
  2.

    Chris wrote:

    > I have a LAN with a personal firewall installed on all workstations.
    > If the firewall rules for the workstation are:
    > 1. Allow all outgoing traffic
    > 2. Allow incoming traffic if the remote port is 445
    >
    > Scenario:
    > An intruder hacked a workstation and hijacked port 445.
    >
    > Question:
    > 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
    > well-known ports (<1024)?

    Any port is hackable, but you're not hacking the port. You're hacking the
    server / services behind those ports.

    > 2. Will the intruder be allowed to access all workstations?

    On a windows network? Yes, I think it would be safe to say that, once
    inside the LAN, with one compromised PC, it wouldn't be hard to compromise
    the rest.

    > 3. How should I modify the rules to increase security?

    Allow NetBIOS (137-139, 445) only to and from known good MAC addresses. MAC
    addresses are harder to spoof. Install a domain system with better
    security controls, and/or use IPsec. In theory you could also install
    custom tokens on all machines so that they know that they are a community,
    but that's more difficult. You need to read up at SANS.org.

    >
    >
    > Thanks
    > Chris

    --
    The price of seeking to force our beliefs on others is that someday
    they might force their beliefs on us.
    -- Mario Cuomo
  3.

    NeoSadist wrote:


    > Allow NetBIOS (137-139, 445) only to and from known good MAC addresses. MAC
    > addresses are harder to spoof. Install a domain system with better

    . . . about 3 lines of shell script in Linux: here's a link:
    http://linuxquestions.org/questions/history/140220

    And, there are better ways to do it than that. I haven't tested,
    but I'm pretty sure I can swap the MAC a card reports on the fly,
    if I choose to do so.

    NetBIOS, whether running on UDP or TCP, does NOT belong outside
    a closed and protected trusted network, unless you really want
    to be hacked. So, unless you plan to run a honeypot, keep NetBIOS
    in a closed network, or inside a fully encrypted tunnel.

    As a rule, neither local networking in Linux (NFS) nor in Windows
    (NetBIOS, SMB) is secure enough to put on the Internet, EVER!
  4.

    "Chris" <mclo@asia.com> wrote in message
    news:2d44b924.0404020013.7d0bd030@posting.google.com...
    > I have a LAN with a personal firewall installed on all workstations.
    > If the firewall rules for the workstation are:
    > 1. Allow all outgoing traffic
    > 2. Allow incoming traffic if the remote port is 445
    >
    > Scenario:
    > An intruder hacked a workstation and hijacked port 445.
    >
    > Question:
    > 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
    > well-known ports (<1024)?
    > 2. Will the intruder be allowed to access all workstations?
    > 3. How should I modify the rules to increase security?

    The Windows Networking ports are 137-138 TCP and 139/(445 NT only) UDP. You
    should set rules to allow inbound and outbound traffic for all LAN IP(s) on
    the ports. If this is a work place LAN and the machines are behind a FW
    appliance solution, then why are you even bothering with this?


    Secondly, if these are Win 2K or better machines that are not mobile
    machines such as laptops that can be taken home, then why bother with a
    personal FW solution period on the NT based O/S, since a average user of the
    workstation wouldn't know what to do if the personal FW started asking
    questions on application control due to some new program element being
    introduced to the machine?


    You can implement an IPsec solution on the LAN machines on the NT based O/S
    that will work just as well as a third party personal host based FW solution
    and one doesn't have to keep upgrading IPsec on the machine like is done
    with a personal host based FW solution with new releases.


    It's a simple task with the base template of AnalogX SecPol rules that can
    be implemented on the NT based O/S for the LAN machines.


    http://www.petri.co.il/block_ping_traffic_with_ipsec.htm

    http://www.analogx.com/contents/articles/ipsec.htm


    On the XP based machines, one can just implement ICF and possibly IPsec and
    forget about some complicated third party solution.


    Duane :)
  5.

    > Allow NetBIOS (137-139, 445) only to and from known good MAC addresses. MAC
    > addresses are harder to spoof. Install a domain system with better
    > security controls, and/or use IPsec. In theory you could also install
    > custom tokens on all machines so that they know that they are a community,
    > but that's more difficult. You need to read up at SANS.org.
    >

    If these machines are on a LAN behind a FW or router appliance, then what's
    the point of implementing any solution on the workstations? If the machines
    with a host based FW or IPSEC solution on them must have rules implemented
    to allow traffic on the Windows Networking Ports for the machine, then the
    machine can still be attacked by another machine on the LAN whether or not a
    solution has been implemented on the machine. Or am I missing something
    here?

    It would mean something if the machine had BlackIce or Sygate implemented
    with the IDS being able to detect a worm coming in the traffic and close the
    port, although neither one of the solutions are strictly to control
    malware.

    Other than that, I don't see the point of implementing a personal host based
    FW solution on machines on a closed LAN that must share resources, unless
    the machine is a laptop and can be used outside of the closed network.

    Duane :)
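The point of this reply is that once the host rules must admit 445 from LAN peers, address-based rules cannot tell a peer from a compromised peer; what the host, or an IDS in front of it, can still do is notice the behaviour, for instance one source opening SMB connections to many neighbours in a short window, which is the signature of a scanning worm seen from the victims' side. The script below is an added example, not code from the thread or from BlackIce or Sygate; it runs two checks over a few constructed firewall log lines in an assumed format: SMB connections from outside the LAN, and one source touching at least SCAN_THRESHOLD distinct hosts on 139/445 within SCAN_WINDOW. The LAN range, the log format, the thresholds and the log lines themselves are assumptions made for the illustration.

```python
"""Added example for this thread (not code from any of the posts).

Flags SMB scanning and out-of-LAN SMB traffic in a host firewall log.
The log format, LAN range, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")     # assumed LAN range
SMB_PORTS = {139, 445}
SCAN_WINDOW = timedelta(seconds=60)    # assumed detection window
SCAN_THRESHOLD = 5                     # distinct targets within the window

# Assumed log format (not a real product's): timestamp, verdict, protocol,
# src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def detect(lines):
    """Return a list of (kind, source, detail) findings."""
    findings = []
    hits = defaultdict(list)   # source -> [(timestamp, destination)]
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dport"] not in SMB_PORTS:
            continue
        if ip_address(ev["src"]) not in LAN:
            # SMB from outside the LAN should never happen; report it
            # whether the firewall allowed it or not.
            findings.append(("external-smb", ev["src"], ev["dst"]))
        # Denied attempts still count: a scanner's failures reveal it.
        hits[ev["src"]].append((ev["ts"], ev["dst"]))
    for src, events in hits.items():
        events.sort()
        # Sliding window over the time-ordered events of one source.
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings.append(("smb-scan", src, len(targets)))
                break
    return findings


# Constructed log: one normal client, one outsider, one LAN host sweeping
# its neighbours. 203.0.113.0/24 is a documentation range (RFC 5737).
SAMPLE_LOG = """\
2004-04-02 10:15:01 ALLOW TCP 192.168.1.23:1045 -> 192.168.1.10:445
2004-04-02 10:15:07 ALLOW TCP 192.168.1.23:1046 -> 192.168.1.10:445
2004-04-02 10:15:30 ALLOW TCP 192.168.1.23:1047 -> 192.168.1.10:80
# malformed line, ignored by parse()
2004-04-02 10:16:30 DENY TCP 203.0.113.5:445 -> 192.168.1.23:445
2004-04-02 10:20:00 ALLOW TCP 192.168.1.77:1100 -> 192.168.1.11:445
2004-04-02 10:20:00 ALLOW TCP 192.168.1.77:1101 -> 192.168.1.12:445
2004-04-02 10:20:01 ALLOW TCP 192.168.1.77:1102 -> 192.168.1.13:445
2004-04-02 10:20:01 DENY TCP 192.168.1.77:1103 -> 192.168.1.14:445
2004-04-02 10:20:02 DENY TCP 192.168.1.77:1104 -> 192.168.1.15:445
2004-04-02 10:20:02 ALLOW TCP 192.168.1.77:1105 -> 192.168.1.16:445
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The normal client talking repeatedly to one file server produces nothing; the outsider is reported regardless of verdict, and the sweeping LAN host is reported as a scan the moment its distinct-target count crosses the threshold. The thresholds are deliberately conservative; on a real LAN they would be tuned against the file servers and management hosts that legitimately touch many machines.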
  6.

    "Bluto" <arf-arf@doubleclick.net> wrote in message
    news:hqqdnbWRzdXK3_DdRVn-jw@comcast.com...
    > Chris wrote:
    >
    > > I have a LAN with a personal firewall installed on all workstations.
    > > If the firewall rules for the workstation are:
    > > 1. Allow all outgoing traffic
    > > 2. Allow incoming traffic if the remote port is 445
    > >
    > > Scenario:
    > > An intruder hacked a workstation and hijacked port 445.
    > >
    > > Question:
    > > 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
    > > well-known ports (<1024)?
    > > 2. Will the intruder be allowed to access all workstations?
    > > 3. How should I modify the rules to increase security?
    > >
    > >
    > > Thanks
    > > Chris
    >
    > Try here, for a long, but not complete, list of all the
    > Windows holes found behind port 445:
    > http://isc.incidents.org/port_details.html?port=445
    >
    > Different exploits give different capabilities, but standard
    > firewall practice places the Windows networking ports (135,
    > 137, 138, 139, & 445) in the 'NEVER expose these to the Internet'
    > category.

    Good advice Bluto, and excellent link. Thanks
  7.

    > All I can say is that I hope you aren't involved with network
    > security on behalf of any company I do business with! A "secure
    > company LAN" is only as secure as the weakest link, anywhere on
    > the network.
    >
    > All it would take, to totally compromise such a network, is ONE
    > road warrior with a laptop that's allowed back on the network,
    > without a total scan for viruses AND trojans AND unknown processes.
    >

    I am not going to get involved with this, that, and the other with you on
    this. It's not my job to provide security solutions for the company. That's
    someone else's responsibility to be held accountable for whatever issues the
    company may have concerning security of the company LAN.

    There have been no companies that I have worked for as an employee or
    consulted with that installed personal FW(s) on desktop machines in a secure
    LAN situation. And I have been in a number of large companies in the last
    few years.

    As I explained earlier, they do have host based FW(s) installed on
    telecommuter workstations and for those who are on the road with their laptops.
    The company also provides a router solution if requested, if it can be
    justified. All of the machines have an AV solution installed.

    Is anyone going to show up at someone's desk requesting that they do a scan
    of someone's machine before they connect to the LAN again with the 100(s) of
    employees that have this ability, forget about it.

    Most companies are not going to run around installing PFW solutions on
    desktop machines in a secure LAN situation. It may not be what is the
    prudent choice, but that is what is happening in most companies, like it or
    not.

    If you have a problem with that, then take it up with those who may be
    receptive to your view point.:)

    I am not one of them. :)

    Duane :)
  8.

    And we have old Taco Bell *Milk Toast Mikey* showing up on the scene like
    the little *hacker* bug that he is all about. I knew the little *clown*
    was lurking somewhere just waiting for the chance to spit his little $.02
    worth of garbage.


    The little boy *clown* doesn't know how to disappear. Of course as you can
    tell, we have been at it in the past; otherwise he would not have raised his
    ugly little head.


    And of course little MTM identifies with you, because he is still in grade
    school working at Taco Bell with his Lemonade and Web Interfacing Key Chain
    Stand in front of Radio Shack but he thinks he knows something. <g>


    I better leave it alone. I don't want that little nut to start going off. :)


    Oh, I forgot he does Wendy's on the weekend -- making some *real* money. :)


    Duane :)
  9.

    Wes Groleau wrote:

    > A VERY large multinational corporation that I worked for
    >
    > 1. Installed Norton Anti-Virus on all company-owned Windows
    > and Mac computers.
    > 2. Set it for a daily and "on-the-fly" scans and weekly updates.
    > 3. Disabled user ability to change settings.
    > 4. Would not allow any off-site connection to the network
    > unless:
    > - It was done through VPN with other internet
    > access disabled (via company-provided software)
    > - User signed statement that they had installed
    > the company-provided Norton Anti-Virus on the
    > machine.

    Of course, the problem recently has been that some of the
    major viruses of the last 6 months have become widespread
    BEFORE an AV signature that recognized them was available.

    The time lag has apparently often been only a matter of
    hours, but it was still enough to allow some major players
    to become infected, which meant, in turn, trojans INSIDE
    the 'protected' network. In some cases, firewalls prevented
    the outbound signals, but not in all cases.

    Needless to say, Fortune 500 companies whose networks were
    partially penetrated this way haven't reported it on the
    6 o'clock news.

    . . .

    It's amusing to note that, on another security related
    newsgroup I follow, there's been a discussion ongoing
    simultaneously with this one about how to hide all evidence
    of disallowed Internet access on a company laptop.