Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to qrkx

Re: El Cheapo Router Challenge

The ip address is still 70.72.32.209

This router is the chattiest little bugger I think I've ever seen. The PnP traffic and such on the LAN borders on stupid.

But I think it's getting close to having some fun time, so stay tuned for hacking 101. Anyone who is still blasting away at the 604 and wants me to leave it up, let me know.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
OK, after three cheap home routers no one has been able to get a file onto or off of the victim PC; qrkx was able to sneak some packets by the NAT device, but with marginal consequences if any.

I'm going to build an XP SP2 system (no patches beyond SP2) and we are going to see just how well XP's built-in firewall does, as it also takes a ton of flak, but before I do that I would like people to know just how vulnerable the victim PC is, so I'm going to stick it out on the internet and the challenge will be to own the system before one of the locally infected bot systems does (like most ISPs, Shaw has no shortage of infected and scanning systems). Now please do not blow the system up (as it's beside my desk), don't whack anyone else who is 'visiting' and don't put up anything other than text files claiming you were here (i.e. no exe's etc. and no PORN). I will be nuking and repaving the whole system afterward as I prepare the XP SP2 system. I'll leave the system up for a while so people can visit it and do so in different ways.

Think of the system as a large wall which is available for your txt graffiti, and treat it responsibly, but also remember it is likely to be owned by some bot(s) etc. as time goes.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
The IP Address is 70.72.32.238

The system will be logged so we can see who is first, BBR folk or a local worm. Currently the system is behind a Linksys WRT54GS but will be pushed onto the internet by being placed in the Linksys's DMZ, which will leave it completely out in the open. This should also serve as a warning about using port forwarding or DMZ, as the router can't protect you there.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 edit

reply to Link Logger
System was owned within 7 minutes by a local bot.

Edit -> I'll leave the system up for a while unless it goes into a major scanning and infection mode, and we will do the XP SP2 thing tomorrow morning if that is OK with everyone, as it is Friday night.

Blake



Michael
Premium
join:2001-05-06
Canada

1 edit

Just to clarify, Blake, the system that was owned so quickly is XP SP2 (no further updates) placed in the DMZ with the Windows firewall disabled?

Edit: I just re-read a prior post of yours and see that for this test the Windows firewall was disabled.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
First to leave a txt file in the shared directory would be ??

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Michael
This system is a totally unpatched XP system, no service packs, no patches; the NAT device was the only thing protecting it from a quick death, which is what happened when I pushed it out into the so-called DMZ.

I'll put up the XP SP2 system tomorrow.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Michael
Premium
join:2001-05-06
Canada

Thanks for the clarification and for creating this very interesting challenge.
--
dltbw



Victim

@shawcable.net

reply to Link Logger
The winning bot:

the exploit

Nov 04, 2005 16:29:34.315 - (TCP) 70.72.206.128 : 2413 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:29:34.355 - (TCP) 70.72.206.128 : 2415 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:31:13.238 - (TCP) 70.72.206.128 : 1800 >>> 192.168.1.102 : 135 RPC Scan

the call back to get the rest of the worm

Nov 04, 2005 16:32:08.417 - (TCP) 192.168.1.102 : 1152 >>> 70.72.206.128 : 9317

I put the system into the DMZ at about 16:25:10

Blake
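The four log lines above are the whole compromise in miniature: repeated inbound hits on TCP/135 (the RPC scan) followed about a minute later by the victim itself opening an outbound connection back to the scanning host to fetch the rest of the worm. The script below is an added example, not code from the thread or from Link Logger; it parses the exact log format quoted in the post (the four sample lines are copied from it) and flags any remote host that first probes an exploit port on the victim and then receives an outbound connection from the victim within a short window. The victim address 192.168.1.102, the exploit-port list, the five-minute window and the DMZ placement time of 16:25:10 are taken from or assumed for this post.

```python
"""Detect the "inbound exploit probe, then outbound callback" pattern in
firewall log lines of the form quoted in the thread.

Added example, not the forum's or Link Logger's code. Sample lines are the
four from the post; the detection window is an assumption."""
import re
from datetime import datetime, timedelta

VICTIM = "192.168.1.102"                 # LAN address of the victim PC (from the post)
EXPLOIT_PORTS = (135,)                   # ports whose inbound hits count as probes (assumption)
CALLBACK_WINDOW = timedelta(minutes=5)   # callback must follow the last probe within this (assumption)
EXPOSED_AT = datetime(2005, 11, 4, 16, 25, 10)  # "I put the system into the DMZ at about 16:25:10"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"\((?P<proto>\w+)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)(?: (?P<tag>.*))?$"
)

# Constructed sample input: the four lines quoted in the post above.
SAMPLE_LOG = """\
Nov 04, 2005 16:29:34.315 - (TCP) 70.72.206.128 : 2413 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:29:34.355 - (TCP) 70.72.206.128 : 2415 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:31:13.238 - (TCP) 70.72.206.128 : 1800 >>> 192.168.1.102 : 135 RPC Scan
Nov 04, 2005 16:32:08.417 - (TCP) 192.168.1.102 : 1152 >>> 70.72.206.128 : 9317
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%b %d, %Y %H:%M:%S.%f"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "tag": d["tag"] or "",
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_callbacks(events, victim=VICTIM, exploit_ports=EXPLOIT_PORTS, window=CALLBACK_WINDOW):
    """Return one record per remote host that probed an exploit port on the victim
    and then received an outbound connection from the victim within `window`."""
    probes = {}   # remote ip -> (first probe ts, last probe ts)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dst"] == victim and e["dport"] in exploit_ports:
            first, _ = probes.get(e["src"], (e["ts"], e["ts"]))
            probes[e["src"]] = (first, e["ts"])
        elif e["src"] == victim and e["dst"] in probes:
            first, last = probes[e["dst"]]
            if e["ts"] - last <= window:
                hits.append({
                    "attacker": e["dst"],
                    "first_probe": first,
                    "callback": e["ts"],
                    "callback_port": e["dport"],
                    "seconds_after_first_scan": (e["ts"] - first).total_seconds(),
                })
    return hits


def seconds_since_exposure(hit, exposed_at=EXPOSED_AT):
    """Time from putting the box in the DMZ to the worm's callback, in seconds."""
    return (hit["callback"] - exposed_at).total_seconds()


if __name__ == "__main__":
    for h in find_callbacks(parse_log(SAMPLE_LOG)):
        print(f"{h['attacker']} probed at {h['first_probe']:%H:%M:%S}, "
              f"callback to port {h['callback_port']} at {h['callback']:%H:%M:%S} "
              f"({seconds_since_exposure(h):.0f}s after exposure)")
```

Run over the four quoted lines it reports a single attacker, 70.72.206.128, with the callback to port 9317 arriving roughly seven minutes after the DMZ placement, which is the figure given in the thread. The useful defensive signal here is not the inbound scan (a home IP on Shaw sees those constantly) but the victim's outbound connection back to the very host that had just probed it; an egress rule or an alert keyed on that pairing catches the download stage even when the exploit itself goes unlogged.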



Gabriel 22

join:2005-11-04
Canada

reply to Link Logger
Routers don't act like pc users.

Maybe getting the end user to download a file when they open a webpage is the only way to affect the PC behind the router.

I say this because this seems to be the goal in this challenge. Then, the challenge is how to get the file on the pc without being noticed.

Am I correct ?
--
Happy Dell PC Owner.



GeekNJ
Premium
join:2000-09-23
Waldwick, NJ

No... the goal is to get past the NAT router. It has nothing to do with requiring a user to take an action - we all know users are stupid. We think NAT routers are smarter.



BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

reply to jvmorris

Re: NAT Challenge

said by jvmorris:

The 7004ABR is not just 'sold as' a firewall, it actually 'has' some rudimentary firewalling functionality above and beyond its basic NAT functionality.
Sure they are. Maybe the person or site who sold you yours didn't sell it to you for use as a firewall, but the SMC resellers I know sell them all the time as firewalls. Their glossy pubs highlight the feature in detail as a selling point as well.
--
Captain of the ATU Tux Racer Clan.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

I was 'extending' your statement, BT, not contradicting it. As originally phrased, it was subject to misconstrual as being nothing but a marketing ploy, hence my "not just 'sold' (emphasis added); my point was that there's actually a bit of substance in this case.
--
Regards, Joseph V. Morris



BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

I see. Text will do that sometimes =(

I didn't follow your meaning.
--
Captain of the ATU Tux Racer Clan.



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger

Re: El Cheapo Router Challenge

Everyone who wanted to has had a shot at the victim PC, so it's time to start the nuke and pave.

Blake


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to Link Logger
Stop your scans/attacks/whatever, as I have disconnected the victim and will now start rebuilding it for our XP SP2 firewall test. Hopefully anyone who tried found it rather simple to get onto this system, and hence that the NAT device was able to defend this open system successfully, as no one got onto it before.

I'll get the XP SP2 system up for testing tomorrow around noon local time.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



Victim

@shawcable.net


reply to Link Logger
I shut down the victim system after noticing that it went into scan/attack mode, and having a little bit of time tonight I thought I would just take a quick look and see what bots I could find that had installed themselves on the unprotected system in the short time that I left it up.

C:\WINDOWS\System32\dfrgfat32.exe
dfrgfat32.exe - infected by Backdoor.Win32.SdBot.afu

C:\WINDOWS\System32\msftp.exe
msftp.exe - infected by Backdoor.Win32.SdBot.afu

C:\WINDOWS\System32\i - Trojan-Downloader.BAT.Ftp.ab

C:\WINDOWS\System32\winPE.exe
winPE.exe - infected by Backdoor.Win32.Rbot.va

C:\WINDOWS\System32\USBhardware8.exe
USBhardware8.exe - infected by Backdoor.Win32.Rbot.gen

C:\WINDOWS\System32\service.exe
service.exe - infected by Backdoor.Win32.Rbot.ul

So you can see the system picked up at least 4 bots in about 2 hours. I didn't surf anywhere other than BBR once, which is safe; I don't have email, chat, P2P, whatever, so the only way these bots got onto the system was via network exploits, which the NAT devices were previously protecting the system from.

Blake



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

I should also comment that I did block outbound IRC traffic from the system when I pushed it onto the internet; otherwise it likely would have been much worse, as the botmasters would have installed even more malware than there was.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

But did you see any outbound IRC traffic attempts in the logs from the system during that time interval?
--
Regards, Joseph V. Morris


qrkx
Premium
join:2003-04-26
Montreal, QC

reply to Link Logger
Blake,

One of the tests that you should perform is how each of the boxes you have deals with fragmentation.

NAT does not perform reassembly of IP datagrams but the packet filtering on the box might do some. In both cases interesting opportunities arise.

I remember an old IPFilter problem where incorrect fragmentation parsing led to exposing filtered ports...

rgds.
