Chris
Dec 7, 2003
Archived from groups: comp.security.firewalls

I have a LAN with personal firewall installed on all workstations.
If the firewall rules for the workstation are:
1. Allow all outgoing traffic
2. Allow incoming traffic if the remote port is 445

Scenario:
An intruder hacked a workstation and hijacked port 445.

Question:
1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
well-known ports (<1024)?
2. Will the intruder be allowed to access all workstations?
3. How should I modify the rules to increase security?


Thanks
Chris
Guest

Chris wrote:

> I have a LAN with personal firewall installed on all workstations.
> If the firewall rules for the workstation are:
> 1. Allow all outgoing traffic
> 2. Allow incoming traffic if the remote port is 445
>
> Scenario:
> An intruder hacked a workstation and hijacked port 445.
>
> Question:
> 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
> well-known ports (<1024)?
> 2. Will the intruder be allowed to access all workstations?
> 3. How should I modify the rules to increase security?
>
>
> Thanks
> Chris

Try here, for a long, but not complete, list of all the
Windows holes found behind port 445:
http://isc.incidents.org/port_details.html?port=445

Different exploits give different capabilities, but standard
firewall practice places the Windows networking ports (135,
137, 138, 139, & 445) in the 'NEVER expose these to the Internet
category'.
Guest

Chris wrote:

> I have a LAN with personal firewall installed on all workstations.
> If the firewall rules for the workstation are:
> 1. Allow all outgoing traffic
> 2. Allow incoming traffic if the remote port is 445
>
> Scenario:
> An intruder hacked a workstation and hijacked port 445.
>
> Question:
> 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
> well-known ports (<1024)?

Any port is hackable, but you're not hacking the port. You're hacking the
server / services behind those ports.

> 2. Will the intruder be allowed to access all workstations?

On a Windows network? Yes, I think it would be safe to say that, once
inside the LAN, with one compromised PC, it wouldn't be hard to compromise
the rest.

> 3. How should I modify the rules to increase security?

Allow NetBIOS (137-139,445) only to and from known good MAC addresses. MAC
addresses are harder to spoof. Install a domain system with better
security controls, and/or use IPSEC. In theory you could also install
custom tokens on all machines so that they know that they are a community,
but that's more difficult. You need to read up at SANS.org.

>
>
> Thanks
> Chris

--
The price of seeking to force our beliefs on others is that someday
they might force their beliefs on us.
-- Mario Cuomo
Guest

NeoSadist wrote:


> Allow NetBIOS (137-139,445) only to and from known good MAC addresses. MAC
> addresses are harder to spoof. Install a domain system with better

... about 3 lines of shell script in Linux: here's a link:
http://linuxquestions.org/questions/history/140220

And, there are better ways to do it, than that. I haven't tested,
but I'm pretty sure I can swap the MAC a card reports on the fly,
if I choose to do so.

NetBIOS, whether running on UDP or TCP, does NOT belong outside
a closed and protected trusted network, unless you really want
to be hacked. So, unless you plan to run a honeypot, keep NetBIOS
in a closed network, or inside a fully encrypted tunnel.

As a rule, neither local networking in Linux (NFS) nor in Windows
(NetBIOS, SMB) are secure enough to put on the Internet, EVER!
Guest

"Chris" <mclo@asia.com> wrote in message
news:2d44b924.0404020013.7d0bd030@posting.google.com...
> I have a LAN with personal firewall installed on all workstations.
> If the firewall rules for the workstation are:
> 1. Allow all outgoing traffic
> 2. Allow incoming traffic if the remote port is 445
>
> Scenario:
> An intruder hacked a workstation and hijacked port 445.
>
> Question:
> 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
> well-known ports (<1024)?
> 2. Will the intruder be allowed to access all workstations?
> 3. How should I modify the rules to increase security?

The Windows Networking ports are 137-138 TCP and 139/(445 NT only) UDP. You
should set rules to allow inbound and outbound traffic for all LAN IP(s) on
the ports. If this is a work place LAN and the machines are behind a FW
appliance solution, then why are you even bothering with this?

Secondly, if these are Win 2K or better machines that are not mobile
machines such as laptops that can be taken home, then why bother with a
personal FW solution period on the NT based O/S, since an average user of the
workstation wouldn't know what to do if the personal FW started asking
questions on application control due to some new program element being
introduced to the machine?

You can implement an IPsec solution on the LAN machines on the NT based O/S
that will work just as well as a third party personal host based FW solution
and one doesn't have to keep upgrading IPsec on the machine like is done
with a personal host based FW solution with new releases.

It's a simple task with the base template of AnalogX SecPol rules that can
be implemented on the NT based O/S for the LAN machines.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm

http://www.analogx.com/contents/articles/ipsec.htm

On the XP based machines, one can just implement ICF and possibly IPsec and
forget about some complicated third party solution.

Duane :)
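The thread's advice so far amounts to three host-firewall policies for the Windows networking ports: Chris's posted rules, Duane's "allow them for all LAN IPs", and NeoSadist's "only known good peers". The following is an added illustration, not code from any poster, that models each as a function and evaluates sample inbound packets against all three side by side; the LAN range, the peer addresses and the packets are constructed values, and IP addresses stand in for the MAC allowlist NeoSadist describes.

```python
import ipaddress
from dataclasses import dataclass

# Windows networking ports that the thread says must never face the Internet.
WINDOWS_NETWORKING_PORTS = {135, 137, 138, 139, 445}

# Constructed example values: the workstation's LAN and a few "known good" peers.
LAN = ipaddress.ip_network("192.168.10.0/24")
KNOWN_GOOD_PEERS = {ipaddress.ip_address(a) for a in ("192.168.10.5", "192.168.10.6")}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the workstation
    src_ip: str      # remote address for inbound traffic; unused for outbound
    dst_port: int    # local port for inbound traffic


def original_policy(pkt: Packet) -> bool:
    """Chris's rule set as posted: allow all outbound, allow inbound to 445 from anywhere."""
    if pkt.direction == "out":
        return True
    return pkt.dst_port == 445


def lan_only_policy(pkt: Packet) -> bool:
    """Duane's variant: Windows networking ports open only to addresses inside the LAN."""
    if pkt.direction == "out":
        return True
    if pkt.dst_port in WINDOWS_NETWORKING_PORTS:
        return ipaddress.ip_address(pkt.src_ip) in LAN
    return False


def known_peers_policy(pkt: Packet) -> bool:
    """NeoSadist's variant: only explicitly listed peers (IP standing in for MAC here)."""
    if pkt.direction == "out":
        return True
    if pkt.dst_port in WINDOWS_NETWORKING_PORTS:
        return ipaddress.ip_address(pkt.src_ip) in KNOWN_GOOD_PEERS
    return False


def evaluate(pkt: Packet) -> dict:
    """Return each policy's verdict for one packet, for side-by-side comparison."""
    return {
        "original": original_policy(pkt),
        "lan_only": lan_only_policy(pkt),
        "known_peers": known_peers_policy(pkt),
    }
```

An Internet source hitting port 445 passes only the original policy, while a listed peer such as 192.168.10.5 passes all three; that second case is the residual risk the thread keeps returning to, since a compromised LAN peer is indistinguishable from a trusted one at this layer.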
Guest

> Allow NetBIOS (137-139,445) only to and from known good MAC addresses. MAC
> addresses are harder to spoof. Install a domain system with better
> security controls, and/or use IPSEC. In theory you could also install
> custom tokens on all machines so that they know that they are a community,
> but that's more difficult. You need to read up at SANS.org.
>

If these machines are on a LAN behind a FW or router appliance, then what's
the point of implementing any solution on the workstations? If the machines
with a host based FW or IPSEC solution on them must have rules implemented
to allow traffic on the Windows Networking Ports for the machine, then the
machine can still be attacked by another machine on the LAN whether or not a
solution has been implemented on the machine. Or am I missing something
here?

It would mean something if the machine had BlackIce or Sygate implemented
with the IDS being able to detect a worm coming in the traffic and close the
port, although neither one of the solutions is strictly to control
malware.

Other than that, I don't see the point of implementing a personal host based
FW solution on machines on a closed LAN that must share resources, unless
the machine is a laptop and can be used outside of the closed network.

Duane :)
Guest

"Bluto" <arf-arf@doubleclick.net> wrote in message
news:hqqdnbWRzdXK3_DdRVn-jw@comcast.com...
> Chris wrote:
>
> > I have a LAN with personal firewall installed on all workstations.
> > If the firewall rules for the workstation are:
> > 1. Allow all outgoing traffic
> > 2. Allow incoming traffic if the remote port is 445
> >
> > Scenario:
> > An intruder hacked a workstation and hijacked port 445.
> >
> > Question:
> > 1. Is the scenario possible? i.e. Is it possible to hijack port 445 or
> > well-known ports (<1024)?
> > 2. Will the intruder be allowed to access all workstations?
> > 3. How should I modify the rules to increase security?
> >
> >
> > Thanks
> > Chris
>
> Try here, for a long, but not complete, list of all the
> Windows holes found behind port 445:
> http://isc.incidents.org/port_details.html?port=445
>
> Different exploits give different capabilities, but standard
> firewall practice places the Windows networking ports (135,
> 137, 138, 139, & 445) in the 'NEVER expose these to the Internet
> category'.

Good advice Bluto, and excellent link. Thanks
Guest

> All I can say is that I hope you aren't involved with network
> security on behalf of any company I do business with! A "secure
> company LAN" is only as secure as the weakest link, anywhere on
> the network.
>
> All it would take, to totally compromise such a network, is ONE
> road warrior with a laptop that's allowed back on the network,
> without a total scan for viruses AND trojans AND unknown processes.
>

I am not going to get involved with this, that, and the other with you on
this. It's not my job to provide security solutions for the company. That's
someone else's responsibility to be held accountable for whatever issues the
company may have concerning security of the company LAN.

There have been no companies that I have worked for as an employee or
consulted with that installed personal FW(s) on desktop machines in a secure
LAN situation. And I have been in a number of large companies in the last
few years.

As I explained earlier, they do have host based FW(s) installed on
telecommuter workstations and for those who are on the road with their laptops.
The company also provides a router solution if requested, if it can be
justified. All of the machines have an AV solution installed.

Is anyone going to show up at someone's desk requesting that they do a scan
of someone's machine before they connect to the LAN again, with the 100(s) of
employees that have this ability? Forget about it.

Most companies are not going to run around installing PFW solutions on
desktop machines in a secure LAN situation. It may not be what is the
prudent choice, but that is what is happening in most companies, like it or
not.

If you have a problem with that, then take it up with those who may be
receptive to your viewpoint. :)

I am not one of them. :)

Duane :)
Guest

And we have old Taco Bell *Milk Toast Mikey* showing up on the scene like
the little *hacker* bug that he is all about. I knew the little *clown*
was lurking somewhere just waiting for the chance to spit his little $.02
worth of garbage.

The little boy *clown* doesn't know how to disappear. Of course as you can
tell, we have been at it in the past; otherwise he would not have raised his
ugly little head.

And of course little MTM identifies with you, because he is still in grade
school working at Taco Bell with his Lemonade and Web Interfacing Key Chain
Stand in front of Radio Shack but he thinks he knows something. <g>

I better leave it alone. I don't want that little nut to start going off. :)

Oh, I forgot he does Wendy's on the weekend -- making some *real* money. :)

Duane :)
Guest

Wes Groleau wrote:

> A VERY large multinational corporation that I worked for
>
> 1. Installed Norton Anti-Virus on all company-owned Windows
> and Mac computers.
> 2. Set it for daily and "on-the-fly" scans and weekly updates.
> 3. Disabled user ability to change settings.
> 4. Would not allow any off-site connection to the network
> unless:
> - It was done through VPN with other internet
> access disabled (via company-provided software)
> - User signed statement that they had installed
> the company-provided Norton Anti-Virus on the
> machine.

Of course, the problem recently has been that some of the
major viruses of the last 6 months have become widespread
BEFORE an AV signature that recognized them was available.

The time lag has apparently often been only a matter of
hours, but it was still enough to allow some major players
to become infected, which meant, in turn, trojans INSIDE
the 'protected' network. In some cases, firewalls prevented
the outbound signals, but not in all cases.

Needless to say, Fortune 500 companies whose networks were
partially penetrated this way haven't reported it on the
6 o'clock news.

...

It's amusing to note that, on another security related
newsgroup I follow, there's been a discussion ongoing
simultaneously with this one about how to hide all evidence
of disallowed Internet access on a company laptop.