Penetration Testing mailing list archives

Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions


From: David Pick <D.M.Pick () QMW AC UK>
Date: Wed, 27 Sep 2000 17:11:26 +0100

<snip>

The network has no remote access points (it does not have a VPN or any
Dial-Up Servers).  It has only a server, router, & firewall.

The firewall is doing both NAT and Stateful Packet Inspection (SPI from here
on in).  There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has cached
or is aware of the potential incoming connection).  If the connection comes
back in on a different port than the firewall expects (assumes) it will drop
the connection.

Is there any way to circumvent this firewall (or any firewalls that employ
NAT and SPI as their primary defense mechanisms?)  Is there any way to get
direct access to the server?  I have port scanned the router and found
listening ports and remote administration software but I am curious as to
how one could circumvent the firewall (if this is done through hijacking the
router I would be curious about that also).

Of course:
 1) Set up an "attractive" Web site
 2) Insert a java-based applet that contacts your Web server but shows
    nothing in the browser window
 3) Use "human engineering" to get your friend to look at the Web site
 4) The java applet can establish connections *out* to the Web site and
    pass any data in any direction it likes
 5) In particular, bugs in the JVM may allow nefarious code to run
or:
 1) Send a VBS "virus"/worm that establishes an outward connection to
    a server with more data/code/scripts to execute
 2) Your friend opens the message and establishes the outward call...
or:
 1) Use "human engineering" to get your friend to load a "security
    patch" onto his machine which establishes an outward call.
 2) Your friend runs the "patch" and makes the outward call...

But it's still a lot stronger than most people and will keep most
"script kiddies" out.

--
        David Pick