[help]Attack vectors for Attacking a remotely closed port?
  • mandi
    Posts: 207
    I am a bit familiar with ports, port scanning and protocols. When I started to think deeply about ports, this one came to my mind:
    most guys think "hey, we got all our ports other than port 80 closed and we are secured", but I didn't feel that way, so I started to do some searching, and some sources said that there are some attack vectors available for opening or messing with a remotely closed port. I just wondered; I do want to know more about the working and some theoretical part of this kind of attack vector. If you guys know some method names, articles or links related to this, then feel free to post here....

    hope I will find some help...
  • x3n0n
    Posts: 110
    Isn't there a method called packet fragmentation?
    I have been looking for papers on this method for a long time, but no success.
    In this method you just connect to the open port (e.g. 80) and by messing with the data in the packets you send to port 80, you can get access to another port (that is closed/filtered) like port 23 or 21.
    If you want, I could dig up some more info about this ;) (but after the 19th, because I have midterms right now) :p
  • mandi
    Posts: 207

    x3n0n said:

        Isn't there a method called packet fragmentation?
        I have been looking for papers on this method for a long time, but no success.
        In this method you just connect to the open port (e.g. 80) and by messing with the data in the packets you send to port 80, you can get access to another port (that is closed/filtered) like port 23 or 21.
        If you want, I could dig up some more info about this ;) (but after the 19th, because I have midterms right now) :p

    As far as I know, the fragmentation method was a method used to bypass firewalls and IPS on the target network. And yes, my pleasure, it would be good if you dig and give me some information related to this topic. Hope you would help me :)
  • x3n0n
    Posts: 110
    Yeah, it's for bypassing firewall. Isn't that what you mean?
  • mandi
    Posts: 207

    x3n0n said:

        Yeah, it's for bypassing firewall. Isn't that what you mean?

    I am well aware that fragmentation can be used to bypass the restrictions on the IPS and firewalls, but I am not looking for that. I am much interested in achieving this:

    x3n0n said:

        In this method you just connect to the open port (e.g. 80) and by messing with the data in the packets you send to port 80, you can get access to another port (that is closed/filtered) like port 23 or 21.
        If you want, I could dig up some more info about this ;) (but after the 19th, because I have midterms right now) :p

    Hope you got my question, and as I said, I would be glad if I get some links related to this method...

    hope I will get some help from you :)
  • x3n0n
    Posts: 110

    mandi said:

        x3n0n said:

            Yeah, it's for bypassing firewall. Isn't that what you mean?

        I am well aware that fragmentation can be used to bypass the restrictions on the IPS and firewalls, but I am not looking for that. I am much interested in achieving this:

        x3n0n said:

            In this method you just connect to the open port (e.g. 80) and by messing with the data in the packets you send to port 80, you can get access to another port (that is closed/filtered) like port 23 or 21.
            If you want, I could dig up some more info about this ;) (but after the 19th, because I have midterms right now) :p

        Hope you got my question, and as I said, I would be glad if I get some links related to this method...

        hope I will get some help from you :)

    Same thing? But anyway, I don't have much time now, but here is something that can get you started:
    IDS and Firewall evasion
    I'll keep looking for some more info on this. (Btw, if anybody has good books/papers/tuts on how to manipulate (TCP/IP) packets with Perl, please let me know) ;)
  • Sh3llc0d3
    Posts: 1,910

    x3n0n said:

        (Btw, if anybody has good books/papers/tuts on how to manipulate (TCP/IP) packets with Perl, please let me know) ;)

    A fellow Perl coder? What kind of manipulation did you have in mind?

    NET::RawIP might be worth a look.
  • x3n0n
    Posts: 110

    Sh3llc0d3 said:

        A fellow Perl coder?

    Not yet, but when my exams are finished I want to start programming with Perl ;) So the basics won't take long to learn (because every programming language is alike), but I want to get more info on socket programming, and how to alter data in packets.

    But anyway, it's good to have someone I know who can help me with that once I get to that point :)
  • maybe i am not reading this right, but how does one "open" a closed port? to open a port would mean to initiate a running SERVICE. i don't believe one can just force a service to magically start running if it is not there to create the socket and port (unless there is a payload sent to create it--dll injection/etc). even with fragmentation, i don't believe this is even close to possible. i think that the fragmentation method would simply be used to bypass ACL policies on the firewall through source/destination misdirection with the packets being marshalled at the other end. i still don't see how this "opens" a port that doesn't exist
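The point made above, that a port is only "open" while a process holds a listening socket on it, can be checked directly on a Linux host. The following example is added here and is not code from any poster in this thread: it parses the kernel's /proc/net/tcp table format, keeps only sockets in LISTEN state, and reports whether each listener is bound to loopback (reachable only locally) or to another address (reachable from every network that routes to the host, so only a firewall stands in front of it). The table text embedded in the script is constructed for the example; on a real host read /proc/net/tcp instead.

```python
"""Inventory of listening TCP sockets on a Linux host.

A port is "open" only while some process holds a socket in LISTEN state on
it; with no listener the kernel answers a SYN with RST and the port reads as
"closed". Parsing /proc/net/tcp shows exactly which ports have a listener
and which address each one is bound to. The table text below is constructed
for this example; on a real host read /proc/net/tcp instead.
"""
import socket
import struct

# Constructed sample in /proc/net/tcp format: local/remote address as
# little-endian hex IPv4 plus hex port, then the hex socket state.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:0050 0201A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A   # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' (little-endian hex IPv4, hex port) into (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Return sorted (port, bind_ip) pairs for every socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines()[1:]:   # first line is the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue                            # established etc. are not "open ports"
        ip, port = decode_addr(fields[1])
        listeners.append((port, ip))
    return sorted(listeners)


def exposure_report(listeners):
    """Map each listening port to how far it is reachable: a loopback bind is
    local-only, any other bind is reachable from every network that routes to
    the host, so only a firewall (perimeter or host) stands in front of it."""
    return {
        port: "local-only" if ip.startswith("127.") else "network-reachable"
        for port, ip in listeners
    }


if __name__ == "__main__":
    # On a real host: table = open("/proc/net/tcp").read()
    listeners = listening_sockets(SAMPLE_PROC_NET_TCP)
    report = exposure_report(listeners)
    for port, ip in listeners:
        print(f"LISTEN {ip}:{port:<5} {report[port]}")
```

In the constructed sample the web server listens on 0.0.0.0:80 and sshd is bound to 127.0.0.1:22; the established connection on row 2 is not a listener and does not appear. Run against the real table, the "network-reachable" entries are the ports whose reachability depends entirely on firewall rules.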
  • Sh3llc0d3
    Posts: 1,910
    I haven't read the entire thread; however, I, as McKittrick said, don't see how a port can be opened without something starting/running/opening the port.

    If someone has NO other port apart from 80 open, then what do you do... try to exploit what's running on port 80. Website? Attack the site and upload a script or program that opens a socket to connect to. Easier said than done: you need to A) know web app security and how to script/program in a language well enough to make a socket to connect to. An example of such a program would be Exploiter that I made in Perl.

    Bypassing a firewall's rules on the ports available means you've bypassed the security, pretty useless if there's nothing to connect to or exploit. Unless I've missed something?
  • mandi
    Posts: 207

    McKittrick said:

        maybe i am not reading this right, but how does one "open" a closed port? to open a port would mean to initiate a running SERVICE. i don't believe one can just force a service to magically start running if it is not there to create the socket and port (unless there is a payload sent to create it--dll injection/etc). even with fragmentation, i don't believe this is even close to possible. i think that the fragmentation method would simply be used to bypass ACL policies on the firewall through source/destination misdirection with the packets being marshalled at the other end. i still don't see how this "opens" a port that doesn't exist

    Yes, I forgot to include this: most networks will have filtered their ports mostly on the firewall/router side, not on the server itself. So assume something like this: a web server is running in an organization with 2 services,
    SSH and HTTP. On the firewalls they are set to drop all the inbound connections from the INTERNET to port 22, aka SSH, so the port looks filtered/closed to the outside world, and still the service is available or visible to the INTRANET users or administrators of the organization. In that case, can't we do anything to capture access to SSH with the connection that we have to the web server via port 80?

    Does this make some sense now?

    Looking for some more feedback....
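The scenario just described (perimeter drops Internet traffic to 22, sshd still listens for every internal host including the Internet-facing web server) is exactly the case where a host-level check matters, because the perimeter rule never sees traffic that starts inside. The following detection is an added example, not code from anyone in this thread: it reads OpenSSH "Accepted"/"Failed" lines from auth.log and raises a finding for every login attempt whose source is outside a management network, rating an accepted login from the web/DMZ segment highest. The zone networks and the log lines are constructed for the example.

```python
"""Detect SSH logins that reach a perimeter-'filtered' service from inside.

Every successful or attempted sshd login whose source is not a management
network is a finding; a source in the Internet-facing web/DMZ segment is the
pivot path the perimeter firewall cannot see. Zones and log lines below are
constructed for this example.
"""
import ipaddress
import re

# Constructed zones: where administrators legitimately log in from, and where
# the Internet-facing web servers live.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.9.0/24")]
DMZ_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Matches the standard OpenSSH "Accepted"/"Failed" authentication lines.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample lines in syslog/auth.log format.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:12:01 app01 sshd[2231]: Accepted publickey for deploy from 10.0.9.12 port 51234 ssh2",
    "Mar  3 10:12:40 app01 sshd[2250]: Accepted password for root from 10.0.0.5 port 40022 ssh2",
    "Mar  3 10:13:02 app01 sshd[2260]: Failed password for invalid user admin from 10.0.0.5 port 40030 ssh2",
    "Mar  3 10:13:30 app01 sshd[2261]: Connection closed by 10.0.9.12 port 51234 [preauth]",
]


def classify_source(src):
    """Name the zone an address belongs to: management, dmz or other."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in MANAGEMENT_NETS):
        return "management"
    if any(ip in net for net in DMZ_NETS):
        return "dmz"
    return "other"


def find_pivot_logins(lines):
    """Return one finding per auth event whose source is outside management."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue                      # not an authentication result line
        zone = classify_source(m["src"])
        if zone == "management":
            continue                      # expected administrator traffic
        findings.append({
            "src": m["src"],
            "zone": zone,
            "user": m["user"],
            "result": m["result"],
            # an accepted login from the DMZ is the pivot the thread describes
            "severity": "high" if zone == "dmz" and m["result"] == "Accepted" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_pivot_logins(SAMPLE_AUTH_LOG):
        print(f"[{f['severity']}] {f['result']} {f['user']} from {f['src']} ({f['zone']})")
```

The same allowlist that drives the detection is the one to enforce in front of sshd itself (a host firewall or an `AllowUsers`/`Match Address` block in sshd_config limited to the management network), so that the service is not merely hidden from the Internet but unreachable from the web tier as well.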
  • no

    and what if the port in question only responds to a query from a same source/destination? (like in RIP/IPSEC)
  • x3n0n
    Posts: 110
    My bad, I meant that packet fragmentation is used to connect to filtered ports if there is an open port available ;)
    Just a quick question, what if all the ports are filtered?
    How can you bypass the firewall?
  • most, if not all firewalls in use today easily block packet fragging
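The reason current firewalls handle fragments well is that the port rule needs the TCP header, and in a fragmented datagram that header is present only in the first fragment (or, if that fragment is made very small, is split across two). RFC 1858 gives the two stateless checks a filter applies before any port rule, and anything else is held until the datagram is reassembled. The following example is added here and is not code from any poster in this thread: it builds a few constructed IPv4 packets with a minimal header builder (no checksums, since the decision does not need them) and shows the policy decision for each. Addresses come from the TEST-NET documentation ranges.

```python
"""Why a stateless port filter must handle IP fragments before port rules.

RFC 1858 rules: drop a first fragment too small to hold the full TCP header,
drop a fragment at offset 1 (it would overwrite the ports/flags seen in
fragment 0), and hold every other fragment for reassembly. Packets below are
constructed; checksums are left zero because the decision never reads them.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_MIN_HEADER = 20        # fixed part of a TCP header
IP_FLAG_MF = 0x2000        # "more fragments" bit in the flags/offset field
SRC = bytes([203, 0, 113, 9])      # constructed address (TEST-NET-3)
DST = bytes([192, 0, 2, 10])       # constructed address (TEST-NET-1)


def build_ipv4(proto, payload, frag_offset=0, more_fragments=False, ident=0x1234):
    """Build a minimal IPv4 datagram; frag_offset is in 8-byte units."""
    flags_frag = (IP_FLAG_MF if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, SRC, DST)
    return header + payload


def parse_ipv4(pkt):
    """Decode the header fields the policy needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,
        "proto": proto,
        "mf": bool(flags_frag & IP_FLAG_MF),
        "frag_offset": flags_frag & 0x1FFF,
        "payload": pkt[ihl:total_len],
    }


def fragment_policy(pkt):
    """Decision for one IPv4 packet before any port rule runs: 'pass' (the
    transport header is fully visible), 'drop: ...' (RFC 1858 tiny or
    overlapping fragment) or 'reassemble' (port rules apply afterwards)."""
    ip = parse_ipv4(pkt)
    fragmented = ip["mf"] or ip["frag_offset"] != 0
    if ip["proto"] != IPPROTO_TCP:
        return "reassemble" if fragmented else "pass"
    if ip["frag_offset"] == 0:
        # Tiny-fragment rule: the first piece must carry the whole TCP header,
        # otherwise the destination port and flags cannot be checked.
        if len(ip["payload"]) < TCP_MIN_HEADER:
            return "drop: first fragment does not contain the full TCP header"
        return "reassemble" if ip["mf"] else "pass"
    if ip["frag_offset"] == 1:
        # Overlapping-fragment rule: offset 1 covers bytes 8..15 of the TCP
        # header and could replace what fragment 0 showed the filter.
        return "drop: fragment offset 1 overlaps the TCP header"
    return "reassemble"


# Constructed packets: a 20-byte TCP header (SYN to port 22) and pieces of it.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
WHOLE_TCP = build_ipv4(IPPROTO_TCP, TCP_HDR)
TINY_FIRST = build_ipv4(IPPROTO_TCP, TCP_HDR[:8], more_fragments=True)
OFFSET_ONE = build_ipv4(IPPROTO_TCP, TCP_HDR[8:16], frag_offset=1, more_fragments=True)
LATER_FRAG = build_ipv4(IPPROTO_TCP, b"x" * 16, frag_offset=3)
WHOLE_UDP = build_ipv4(IPPROTO_UDP, b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("whole tcp", WHOLE_TCP), ("tiny first", TINY_FIRST),
                      ("offset 1", OFFSET_ONE), ("later frag", LATER_FRAG),
                      ("whole udp", WHOLE_UDP)]:
        print(f"{name:<11} -> {fragment_policy(pkt)}")
```

A stateful firewall goes one step further than these two rules and reassembles the whole datagram (on Linux, connection tracking does this before filter rules run), which is why the poster above is right that fragment tricks rarely get past a current firewall; the two drops remain useful on stateless ACLs such as router access lists.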