Placing backdoors through firewalls of different configurations - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62200613301
Type myhack58
Reporter Anonymous
Modified 2006-12-16T00:00:00


This article describes how backdoors are placed through firewalls of different configurations. It should also show you how, in other environments, hackers hide their way into a system.

Hackers always want to keep the ability to get back into a system they have already compromised, even if the target host updates its firewall or fixes a known weakness. To do that, the attacker must install a backdoor, and it must keep working while not being easy to find. Which kind of backdoor you use depends on the type of firewall the target host has.

As an example and proof of concept, a good backdoor that is effective against any of these intrusion scenarios is presented.

Firewall configurations:

Two basic firewall configurations are covered here, each with an enhanced version.

Packet filtering:

This is a host or router that checks every packet against allow/deny rules before passing it through the correct interface. The very simple kind can only filter on source host, destination host and destination port; a better one can also decide based on interface, source port, time of day and simple TCP/IP flags. This can be a simple router, any CISCO type, or a LINUX host with the firewall feature turned on.

Stateful filters:

This is the enhanced version of the packet filter. It still checks packets against the same rules and only routes the packets that are allowed, but it also records information such as IP sequence numbers. Application protocols are tracked, so that, for example, the ftp-data port is opened only for a specific FTP session started from the internal network. These filters can more or less let UDP packets (DNS, RPC) through the firewall securely, which matters because UDP is not a connection-oriented protocol, and RPC services even less so. This can be an OpenBSD host with IP packet filtering, a CISCO PIX, a bastion host, or the well-known Checkpoint FW-1 firewall.

Proxies/circuit level gateways:

A proxy firewall is a host with no routing function at all that runs proxy servers instead. The proxy can serve WWW requests, relay mail, or simply be a SOCKD.

Application gateway:

This is the enhanced version of the proxy server. Like a proxy server, a proxy program is installed for each application, and every application passes through the firewall by way of its proxy. An application gateway, however, is far more useful: it checks every request and response, so that, for example, an FTP session may transfer data in one direction but not in both, downloaded data is checked for viruses, responses are checked for buffer overflows, and so on. Some would say SQUID is an application gateway, because it does many security checks and lets you filter everything, but it was not written as a device for a secure environment and has many bugs. A good freeware package for this is the TIS Firewall Toolkit.

Many of the firewalls that vendors sell are hybrids, meaning they combine the functions of more than one type; the IBM firewall, for example, is a simple packet filter with SOCKS and some proxy functionality. I don't want to say which firewall is the best, because this is not an article about how to buy a firewall, but I do have to say that so far application gateways are the most secure, even though price, speed, additional protocols, open network policies and other reasons, along with stupid dealers and clumsy management departments, may keep them from being considered.


Before we discuss the backdoors themselves, we will look at how to get through the firewall in the first place. Note that getting through a firewall is not an easy thing for “script-kiddies” (translator's note: a nickname real hackers use for the low-skilled youngsters who only imitate); it takes careful and thorough planning.

There are four possibilities:

Insiders: there is someone inside the company who works for you, a boy/girlfriend, a cohabitant, and they install the backdoor. This is the simplest method.


Vulnerable services:

Almost all networks offer various services, such as mail delivery, WWW and DNS. These services may be provided by the firewall host itself, by a host in the DMZ (the zone in front of the firewall, which is often not protected by it), or by internal hosts. If an attacker finds a vulnerability in one of these services, he is inside. You may laugh, but you will see many firewalls running a mail relay.

Vulnerable external hosts:

Hosts behind a firewall sometimes work with external hosts. If an attacker can hack such an external host, he can do serious damage to the system: for example, if the target host uses X relaying or sshd together with that external host, it opens the way to an X attack. The attacker can also send forged FTP responses that overflow a buffer in the FTP client program, or replace a GIF image on the WEB server to make netscape crash and execute a command (I've never checked whether this really works; netscape does crash, yeah, but I don't know whether it is an exploitable overflow).

There are many possibilities, but they require some information about the company. In any case, the company's WEB server is usually a good place to start. Some firewalls are set to allow TELNET connections from certain machines, so anyone who can sniff those machines can get in. For us this is a fact above all where universities and industry/military work together.

Intercepted connections:

Many companies think they are safe if they allow TELNET in on the basis of some secure authentication such as SecureID (?).

Anyone can hijack such a connection after the secure authentication has finished and get in. Another way to intercept a connection is to modify the protocol's response during setup so that it generates an overflow (X).

Backdoors (Trojan horses):

Many things can be used as a Trojan horse: a GZIP file that causes a buffer overflow (you need an old version of GZIP for that), a TAR file that tampers with ~/.logout to execute some command, or a modified executable or source code through which the attacker gets in some way. To get someone to run these you can use mail spoofing, or place the “originals” on an internal server that external staff access to update their software regularly; you can check the FTP xfer files and WWW logs to find out which files those are.

Placing the backdoor:

A smart attacker does not try to place the backdoor on a machine in the firewall segment, because those machines are typically monitored and checked regularly. The machines on the inside, in contrast, are usually not as well protected and receive far fewer administrative and security checks.

I will now describe some backdoor ideas that can be applied. Note that a backdoor for a stateful filter will of course also work against a standard packet filter and against a proxy host, and a backdoor for an application gateway will work against any firewall configuration. Some of them are “active” and some are “passive”. An active backdoor can be used by the attacker whenever he wants; a “passive” backdoor is triggered at a given time or by a given event, so the attacker has to wait for that time or event to occur.

Packet filtering:

It is hard to find a backdoor that gets through this one but does not also work against all the others.

I can think of only these:

A. ack-telnet. It works just like a standard telnet/telnetd, except that it does not use the standard TCP handshake and uses only TCP packets with the ACK flag set. Because those look like an already established, allowed connection, they get through easily. It can be written with spoofit.h from the Coder's Spoofit project, a header file for writing spoofing code.

B. Loki from Phrack magazine issues 49/51 (translator's note: P49-06 and P51-06; it can also be used to set up a channel inside ICMP echo/reply packets, but needs some code header files?) can be used for this.

C. “daemonshell-udp” is a backdoor shell that works over UDP (see thc-uht1.tgz).

D. Last but not least, most “firewall systems” that consist of only one shielding router/firewall let any incoming TCP connection from source port 20 to a higher port (>1023) through, so that non-passive FTP can work.

Here, “netcat -p 20 targetport-of-bindshell” is the fastest solution.
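Item D (and the bare-ACK idea in item A) comes down to a rule that an administrator can evaluate. The following is an added example, not code from the original article or from THC: a toy packet-filter evaluator that puts the stateless rule set of a single shield router, which admits any TCP packet from source port 20 to a port above 1023 and trusts the ACK flag as proof of an "established" connection, beside a stateful rule set that consults connection-tracking tables instead. The Packet fields, the ConnState tables, the addresses and the function names are all constructed for this example and follow no real firewall's syntax.

```python
"""Added example (not from the original article or THC): a toy packet-filter
evaluator contrasting a stateless shield-router policy with a stateful one.
Packet layout, the ConnState tables and all addresses are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # set on the first packet of a new TCP connection
    ack: bool = False


@dataclass
class ConnState:
    # (inside host, inside port, outside host, outside port) of connections
    # opened from the inside and still open
    established: set = field(default_factory=set)
    # (ftp server, inside client, client port) announced by an internal
    # client's PORT command: the only active-FTP data channels we expect
    expected_ftp_data: set = field(default_factory=set)


def stateless_filter(pkt: Packet) -> bool:
    """Inbound policy of a shield router with no connection tracking."""
    # the active-FTP hole: any TCP packet from port 20 to a high port passes
    if pkt.sport == 20 and pkt.dport > 1023:
        return True
    # "established" is approximated by the ACK flag, which anyone can set
    if pkt.ack and not pkt.syn:
        return True
    return False


def stateful_filter(pkt: Packet, state: ConnState) -> bool:
    """Inbound policy that consults the connection-tracking tables."""
    if pkt.sport == 20 and pkt.dport > 1023:
        # only a data channel that an internal client actually asked for
        return (pkt.src, pkt.dst, pkt.dport) in state.expected_ftp_data
    if pkt.ack and not pkt.syn:
        # only packets belonging to a connection the inside opened
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state.established
    return False


def compare(pkt: Packet, state: ConnState) -> tuple:
    """(stateless verdict, stateful verdict) for one inbound packet."""
    return stateless_filter(pkt), stateful_filter(pkt, state)


# constructed state: internal client 10.0.0.5 announced port 40001 to the FTP
# server 203.0.113.7 and has an open connection to an external web server
STATE = ConnState(
    established={("10.0.0.5", 51000, "198.51.100.20", 80)},
    expected_ftp_data={("203.0.113.7", "10.0.0.5", 40001)},
)

# constructed inbound packets
FTP_DATA = Packet("203.0.113.7", 20, "10.0.0.5", 40001, syn=True)    # legitimate
ROGUE_20 = Packet("198.51.100.9", 20, "10.0.0.5", 4444, syn=True)    # unsolicited
WEB_REPLY = Packet("198.51.100.20", 80, "10.0.0.5", 51000, ack=True)  # legitimate
BARE_ACK = Packet("198.51.100.9", 31337, "10.0.0.5", 31337, ack=True)  # no connection

if __name__ == "__main__":
    for name, pkt in [("ftp data", FTP_DATA), ("rogue src port 20", ROGUE_20),
                      ("web reply", WEB_REPLY), ("bare ACK", BARE_ACK)]:
        stateless, stateful = compare(pkt, STATE)
        print(f"{name:18s} stateless={stateless!s:5s} stateful={stateful}")
```

The two legitimate packets pass both policies; the unsolicited connection from source port 20 and the bare ACK pass only the stateless one, which is exactly the difference between the packet filter and the stateful filter described in the configuration section.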

Stateful filters:

An attacker must use a program that initiates the connection from the secure network to his own server. There are several ways to do this:


“tunnel” from Phrack issue 52.

ssh -R is better, because it is a “legitimate” program and encrypts the data stream.

Compile netcat with the time option, run it and let it connect to the attacker's machine (a).

reverse_shell from thc-uht1.tgz does the same thing.

Proxies/circuit level gateways:

If the firewall allows SOCKS, one can take any of the tools for stateful filters above and “socksify” them. For more advanced tools, look at the application gateway section.

Application gateway:

Now for the interesting part.


Place a CGI script on the company's WEB server that allows remote access. This is not always possible, because a WEB server that is not monitored/checked/logged and still allows external access is rare. I don't think anyone needs an example from me. Placing a service/binary on the firewall itself is very dangerous, because the firewall is logged regularly and sometimes sniffed. Loading a loadable module into the firewall kernel that hides itself and grants access is the best active backdoor solution, but still very dangerous.


E-mail: configure the email account/mailer/headers in some way so that commands hidden in the mail (in the X-Headers or somewhere strange) are extracted and executed, and the results are sent back if required.

WWW: harder to do. An internal machine runs a daemon that sends HTTP requests to the internet, but those requests actually carry the answers to commands that a rogue WWW server issued in its HTTP replies.

Good stuff; see below (-> Backdoor Example: The Reverse WWW Shell).

DNS: the same idea as above, but with DNS queries and responses. The drawback is that it cannot carry much data.
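Both covert channels, commands inside ICMP echo/reply packets (the Loki idea in the packet-filtering list) and inside DNS queries and responses, leave traces a defender can look for. The following is an added example, not code from the original article or from THC: heuristics run over packet summaries that pair echo requests with their replies (a genuine reply copies the request payload byte for byte), flag oversized echo payloads, and flag DNS names with a long high-entropy label. The record layout, the sample traffic, the thresholds and the function names are constructed for this example.

```python
"""Added example (not from the original article or THC): defender-side
heuristics over packet summaries for the two covert channels described above,
command traffic inside ICMP echo/reply packets and inside DNS names.  The
record layout, the sample traffic, the thresholds and the function names are
all constructed for this example; a real deployment would feed the records
from a sniffer or flow export and tune the limits to its own baseline."""
import math
from collections import Counter

# constructed thresholds, not a standard
ICMP_MAX_LEN = 64       # ping normally sends 56 data bytes on Linux, 32 on Windows
DNS_LABEL_LIMIT = 30    # longer single labels are rare in human-chosen names
ENTROPY_LIMIT = 4.0     # bits/char; encoded blobs sit well above ordinary words


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the input (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_icmp(records: list) -> list:
    """Flag echo packets with oversized payloads and echo replies whose
    payload differs from the request they answer.  A genuine reply copies
    the request payload byte for byte; a tunnel uses the reply to carry
    command output instead."""
    alerts = []
    requests = {}                      # (id, seq) -> request record
    for r in records:
        if r["proto"] != "icmp":
            continue
        if len(r["payload"]) > ICMP_MAX_LEN:
            alerts.append((r["src"], f"icmp {r['type']} payload "
                                     f"{len(r['payload'])} bytes > {ICMP_MAX_LEN}"))
        if r["type"] == "echo-request":
            requests[(r["id"], r["seq"])] = r
        elif r["type"] == "echo-reply":
            req = requests.get((r["id"], r["seq"]))
            if req is not None and req["payload"] != r["payload"]:
                alerts.append((r["src"], "icmp echo-reply payload differs from its request"))
    return alerts


def check_dns(records: list) -> list:
    """Flag query names containing a long, high-entropy label, the shape
    data takes when it is stuffed into a DNS name."""
    alerts = []
    for r in records:
        if r["proto"] != "dns":
            continue
        longest = max(r["qname"].rstrip(".").split("."), key=len)
        ent = shannon_entropy(longest.encode())
        if len(longest) > DNS_LABEL_LIMIT and ent > ENTROPY_LIMIT:
            alerts.append((r["src"], f"dns label of {len(longest)} chars "
                                     f"with entropy {ent:.2f} looks encoded"))
    return alerts


def scan(records: list) -> list:
    """All alerts as (source address, reason) pairs, ICMP first."""
    return check_icmp(records) + check_dns(records)


PING_PAYLOAD = bytes(range(0x10, 0x48))        # 56-byte ping-style pattern

# constructed traffic: a normal ping exchange and two normal lookups, plus an
# oversized echo request, a tunnel-style exchange and an encoded DNS name
RECORDS = [
    {"proto": "icmp", "src": "10.0.0.5", "type": "echo-request", "id": 1, "seq": 1,
     "payload": PING_PAYLOAD},
    {"proto": "icmp", "src": "198.51.100.20", "type": "echo-reply", "id": 1, "seq": 1,
     "payload": PING_PAYLOAD},
    {"proto": "icmp", "src": "10.0.0.11", "type": "echo-request", "id": 2, "seq": 1,
     "payload": bytes(200)},
    {"proto": "icmp", "src": "10.0.0.9", "type": "echo-request", "id": 7, "seq": 3,
     "payload": b"ready"},
    {"proto": "icmp", "src": "198.51.100.9", "type": "echo-reply", "id": 7, "seq": 3,
     "payload": b"ls -la"},
    {"proto": "dns", "src": "10.0.0.5", "qname": "www.example.com."},
    {"proto": "dns", "src": "10.0.0.6", "qname": "mail.example.com."},
    {"proto": "dns", "src": "10.0.0.9",
     "qname": "M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxedb1he7krj.tunnel.example."},
]

if __name__ == "__main__":
    for src, reason in scan(RECORDS):
        print(f"{src:15s} {reason}")
```

The request/reply comparison is the more robust of the two ICMP checks: a ping's own payload pattern is far from random, so entropy alone would misfire on it, whereas a reply that does not echo its request has no innocent explanation. For DNS the size limit in the text works in the defender's favour, since the data has to be packed into long labels to get any throughput at all.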

Backdoor Example: The Reverse WWW Shell

This backdoor works through any firewall whose security policy lets users surf the WWW to obtain information in the company's interest.

To understand it better, look at the figure below and keep it in mind while reading the description that follows.


+--------+                    +------------+                  +-------------+
|internal|--------------------| FIREWALL   |------------------|server owned |
|  host  |  internal network  +------------+   the internet   |by the hacker|
+--------+                                                    +-------------+


A program runs on an intranet host and spawns a child process at a specific time every day. To the firewall, the child process looks like a user running netscape to surf the web. In fact, the child process executes a local shell, connects to the attacker's WWW server with what looks like a legitimate HTTP request, and sends a ready signal. The seemingly legitimate responses from the attacker's WWW server are actually the commands the child process then executes locally. All data is converted into a Base64-like structure (I don't call it “encryption”, I'm not Micro$oft) and, to prevent caching, passed as the value of a cgi-string.

Connection examples:

Slave: GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxedb1he7krj HTTP/1.0

The Master replies with: g5mAlfbknz

The internal host (SLAVE) GETs the shell's command prompt; the response from the external attacker's server (MASTER) is the encoded “ls” command.

Some tricks:

the SLAVE tries to connect to the MASTER at a specific time every day;

it spawns a child process, because if the shell hangs for whatever reason you can check and repair it the next day;

if an administrator sees the connection to the attacker's server and connects to it himself, he will see a “broken WEB server”, because in the CGI request he can only see some symbols (a password);

WWW proxies are supported;

the program masks its name in the process list.

The master and slave programs are one 260-line perl file. To use it, modify the corresponding values in rwwwshell.pl, run it with the “slave” argument on the SLAVE machine, and run it on the MASTER machine before the SLAVE connects.

Why is it written in PERL?

A. It is fast!

B. It is portable.

C. I like it.

If you want to run it on a machine that does not have PERL installed, find a similar machine that does have PERL, get the A3 compiler from the perl CPAN archive, and compile it into a binary. Copy that to the target host and execute it.


Now there is an interesting question: how can the firewall deny or detect this? I know of nothing short of a strict policy on a strong application-gateway-level firewall: email concentrated on a central mail server, DNS responses and WWW/FTP requests only through the proxies. But even this is not enough. An attacker can hide the encoded commands in the headers and X-Headers, or turn the HTTP connection into a reverse WWW shell, which is very simple. Checking the DNS and WWW logs/caches regularly with an effective tool may also fail, because the attacker can switch to another external server or use an alias after every 3 to 20 calls.
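The connection example and the list of tricks above give a defender two things to look for in the WWW logs the paragraph mentions: a cgi-string that is a long Base64-like blob, and a client that contacts the same external server at the same time of day on consecutive days. The following is an added example, not code from the original article or from THC, that runs both checks over a constructed proxy log; the log format, the sample lines, the hosts, the thresholds and the function names are all constructed for this example, and parse() would have to be adapted to a real proxy's format.

```python
"""Added example (not from the original article or THC): detection logic a
defender could run over WWW proxy logs to spot the reverse WWW shell pattern
described above.  The log format, the sample lines, the hosts, the
thresholds and the function names are all constructed for this example."""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# constructed log lines, one per request: "<date> <time> <client> <method> <url>"
LOG = """\
2006-12-10 14:00:03 10.0.0.5 GET http://198.51.100.9/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxedb1he7krj
2006-12-10 14:00:04 10.0.0.5 GET http://198.51.100.9/cgi-bin/order?g5mAlfbknzQ2vR8tYw7pLx1zC4nHd0eKb9sUf3jAm6o
2006-12-10 09:12:41 10.0.0.6 GET http://www.example.com/index.html
2006-12-10 16:45:09 10.0.0.6 GET http://search.example.com/find?q=firewall+policy
2006-12-11 14:00:02 10.0.0.5 GET http://198.51.100.9/cgi-bin/order?TgjFLdgxedb1he7krjM5mAejTgZdgYOdgIO0BqFfVY
2006-12-11 11:30:55 10.0.0.6 GET http://www.example.com/news.html
2006-12-12 14:00:05 10.0.0.5 GET http://198.51.100.9/cgi-bin/order?Zdgb1he7krjYOdgIO0BqFfVYTgjFLdgxedM5mAejTg
2006-12-12 15:02:17 10.0.0.6 GET http://198.51.100.9/index.html
"""

# a cgi value made only of Base64 characters, at least 32 of them
B64_VALUE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")
ENTROPY_LIMIT = 4.0     # bits/char; constructed threshold


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse(log: str) -> list:
    """Split the constructed log into dicts with the time of day in seconds."""
    rows = []
    for line in log.splitlines():
        date, clock, client, _method, url = line.split()
        h, m, s = (int(x) for x in clock.split(":"))
        rows.append({"date": date, "secs": h * 3600 + m * 60 + s,
                     "client": client, "url": url})
    return rows


def encoded_cgi_requests(rows: list) -> list:
    """(client, host, value prefix) for requests whose query carries a long,
    high-entropy Base64-like value, whether written as name=value or bare."""
    hits = []
    for r in rows:
        parts = urlsplit(r["url"])
        for chunk in parts.query.split("&"):
            value = chunk.split("=", 1)[-1]
            if B64_VALUE.match(value) and shannon_entropy(value) > ENTROPY_LIMIT:
                hits.append((r["client"], parts.hostname, value[:12] + "..."))
                break
    return hits


def daily_beacons(rows: list, min_days: int = 3, window: int = 60) -> list:
    """(client, host, days) pairs seen on at least min_days distinct days
    with the first contact of each day falling within `window` seconds of
    the same time of day.  Ordinary browsing does not keep a schedule."""
    first_contact = defaultdict(dict)          # (client, host) -> {date: secs}
    for r in rows:
        key = (r["client"], urlsplit(r["url"]).hostname)
        day = first_contact[key]
        day[r["date"]] = min(day.get(r["date"], r["secs"]), r["secs"])
    beacons = []
    for (client, host), days in first_contact.items():
        if len(days) < min_days:
            continue
        times = sorted(days.values())
        if times[-1] - times[0] <= window:
            beacons.append((client, host, len(days)))
    return beacons


if __name__ == "__main__":
    rows = parse(LOG)
    for hit in encoded_cgi_requests(rows):
        print("encoded cgi-string:", hit)
    for beacon in daily_beacons(rows):
        print("daily beacon:", beacon)
```

Only the slave host 10.0.0.5 trips either check; the normal browsing of 10.0.0.6, including one visit to the same external server and a short search query, does not. The beacon check is what survives the server switching the paragraph warns about: if the attacker changes the external host, the blob heuristic still fires, and if he keeps the host but alters the encoding, the timing still does.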

A safe solution is to build a separate backup network that is connected to the internet and keep it apart from the real network, but explain this to the staff. A good firewall improves things a lot, and an IDS (Intrusion Detection System) can also help. But nothing can stop a dedicated attacker.