
Thread: sunscreen

  1. #1
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    sunscreen

    I posted this question in security and I haven't gotten any responses so I'm putting it in here, maybe one of you "experts" knows something about it.

    Is there a way to "hack" Sunscreen firewall?

    I have seen that you could SYN flood it, but that has more to do with Solaris OS than Sunscreen. I'm not too concerned with DoS attacks but penetrating the firewall.
    Just to clarify, I have just installed this firewall and I'd like to know what (if anything) I should be aware of.
    As always, Thanks for the assist.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    KorpDeath:

    I don't consider myself an expert in any *nix system, but I know a thing or two about firewalls, and seeing you have had limited help so far, I figured I'd give it a try.

    I'm a little bit confused as to what you mean by "hack" Sunscreen. If you mean get around the firewall features to reach the internal network, then there are a number of ways to do this. If for some reason you are allowing telnet or SSH into the box that is running Sunscreen, then if someone got into that box, they'd not only be able to get to your internal network, but they'd also be able to change your firewall config (possibly to allow access to internal PCs that are of interest to him/her). Another possibility would be determining the firewall's rule set by using a product called Firewalker which actually enumerates every port that is allowed through the firewall, and I believe it also determines where the port maps to.

    There is no way to specifically hack a firewall unless you can actually get into it, which means hacking into your Solaris box. If I were you, I'd be concerned that your firewall is locked down so that only necessary ports are opened, and everything else is dropped. I'd also make sure that the box you are running the firewall on isn't running any other services other than the Sunscreen firewall service. The most likely way to get into your box is to exploit a service that is running, and as long as the only thing you are using the box for is as a firewall, then you should have no problems in shutting down all the other services (HINT: You should NOT be using your firewall as anything but a firewall).

    If I didn't really answer your question, then please specify what you mean by "hack Sunscreen."

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    you the man

    Well I'm just wondering if there are any obvious vulnerabilities.

    I have hardened the OS so there is no telnet or ssh or ftp or anything else, I have also put the firewall in promiscuous mode which in theory would make the firewall un-hackable (if you will) because there is no IP stack to speak of.

    I'm pretty sure I'm in good shape. I just wanted to verify that no one around here knew of any exploits I haven't heard of yet. There's nothing like being cocky about something then turn around and find out you've had your pants down the whole time. Thanks for the feedback BTW.

  4. #4
    huh !

    I'm just very curious about:

    "I have also put the firewall in promiscuous mode"

    Could you please clear that up for me? I may be wrong, but to me it means that:

    1) If you set up the internal or external interface in promiscuous mode, it just means that all packets this interface receives are read, whether the MAC address is yours or not. They are passed to the TCP/IP layer and end up in the trash if not handled by a special program.

    2) If you set up both interfaces in promiscuous mode and enabled forwarding... then it is no longer a firewall... it's a transparent bridge!!!

    3) Maybe I'm wrong and you are teaching me a new trick to make a firewall stronger.

    A+ hantiz./
    Linoux, it's the bomb, baby!

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Sorry. In Sunscreen speak that means that none of the firewall's interfaces have an IP stack on them. The drivers (for lack of a better term) pull the packets directly from the interface.

    Sorry this took a while to get back to you I've been on a ROADTRIP!!!!!

  6. #6
    Junior Member
    Join Date
    Jan 2002
    Posts
    21
    Why don't you use a system backdoor or buffer overflow attacks to bind a shell to a higher port or you can install code that allows your commands to be "tunnelled" through the firewall using source routed packets or ICMP commands


    (OF COURSE IT HAS vulnerabilities)

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    The only real firewall 'vulnerabilities' occur when you have a firewall that only looks at the TCP SYN packets, and does not look at any of the ACK packets.

    From this, you could possibly send data to a trojan through the firewall by only sending ACK packets. That's called ACK tunnelling.

    Most firewalls should be able to stop this nowadays, but a few are still floating around that are vulnerable to ack tunnelling.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
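
Added example, not part of the thread: the filtering difference post #7 describes, run over a constructed trace. A filter that judges only bare SYNs passes an inbound ACK with no prior connection, while a filter that tracks flows opened from inside drops it. The class names, the addresses and the simplified flow table (no teardown or timeouts) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment
    inbound: bool      # True = arriving from the untrusted side

def syn_only_filter(seg):
    """Weak policy from the post: judge only connection-opening SYNs."""
    if seg.inbound and seg.flags == {"SYN"}:
        return "drop"
    return "pass"      # anything that is not a bare SYN is never inspected

class StatefulFilter:
    """Pass inbound segments only if they belong to a flow opened from inside."""
    def __init__(self):
        self.flows = set()

    def check(self, seg):
        if not seg.inbound:
            if seg.flags == {"SYN"}:
                self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))
            return "pass"
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        return "pass" if reverse in self.flows else "drop"

def f(*names):
    return frozenset(names)

# Constructed trace (documentation addresses), not captured traffic.
TRACE = [
    Seg("10.0.0.5", 40000, "198.51.100.7", 80, f("SYN"), False),
    Seg("198.51.100.7", 80, "10.0.0.5", 40000, f("SYN", "ACK"), True),
    Seg("10.0.0.5", 40000, "198.51.100.7", 80, f("ACK"), False),
    Seg("203.0.113.9", 4444, "10.0.0.5", 6000, f("ACK"), True),   # no prior flow
    Seg("203.0.113.9", 5555, "10.0.0.5", 23, f("SYN"), True),
]

def compare(trace):
    """Return (weak verdict, stateful verdict) for each segment in order."""
    stateful = StatefulFilter()
    return [(syn_only_filter(s), stateful.check(s)) for s in trace]

if __name__ == "__main__":
    for seg, verdicts in zip(TRACE, compare(TRACE)):
        print(sorted(seg.flags), seg.src, "->", seg.dst, verdicts)
```

Only the fourth segment gets different verdicts, which makes it the case to test for when checking whether a rule set is stateful.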

  8. #8
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    DOH!

    Originally posted by tiger team
    Why don't you use a system backdoor or buffer overflow attacks to bind a shell to a higher port or you can install code that allows your commands to be "tunnelled" through the firewall using source routed packets or ICMP commands


    (OF COURSE IT HAS vulnerabilities)
    It's my firewall, nimrod. I thought I made that abundantly clear. What I'm asking is if anybody knows of any vulnerabilities I should look out for .. thanks

    P.S. Buffer overflow attacks don't work, I've tried that in my test network. SYN floods won't work if you have Solaris configured properly, etc. etc. These aren't even interesting enough to post.

  9. #9
    Junior Member
    Join Date
    Oct 2001
    Posts
    8

    Stack Mode

    Hey Korp -

    Basically what you are saying is you have the firewall running in bridging mode (sort of like a router) if I remember my sunscreen configs. If you have done all the OS hardening, and keep up on your security patches (for the OS and for Sunscreen - if there are any) you should stay very secure. The only way your firewall will be addressable is on the MAC address layer - and that would require local access to your network.

    I am not sure what levels of hardening are implemented when you place the firewall in stealth mode - I do know that "unused packages are removed" - I would check to ensure they are indeed removed and not just disabled (for example commenting out telnetd in inetd.conf does not remove inetd from your server, just causes inetd not to call it). You can also take a look at http://www.sans.org for some primers on hardening Solaris (maybe even above and beyond what stealth mode has done for you). I do not know your level of expertise - so if me saying this is an insult (it would be to me) then I apologize.

    Well there I go rambling again - I will sign off now.

    This next line applies to some people (not all of you)

    011110010110111101110101
    011000010111001001100101
    01100100011101010110110101100010
    Chuck "Spence" Fasching
    Information Security Architect
    CCSA, CCSE, GSEC
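
Added example, not part of the thread: one way to run the "removed, not just disabled" check from post #9 against an inetd.conf. It classifies each service entry as enabled, commented out with its server binary still on disk, or commented out with the binary gone. The function name, the status strings and the sample file are assumptions; `exists` is injectable so the check can run against a copied config.

```python
import os

SOCKET_TYPES = {"stream", "dgram", "raw", "seqpacket", "tli"}

def audit_inetd(conf_text, exists=os.path.exists):
    """Return (service, status) pairs for every service entry in inetd.conf text.

    status is "enabled", "disabled, binary still installed"
    or "disabled, binary removed".
    """
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        fields = line.lstrip("#").split()
        # name, socket type, protocol, wait flag, user, server path [, args]
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue                      # blank line or ordinary comment
        name, server = fields[0], fields[5]
        if not commented:
            status = "enabled"
        elif server == "internal" or exists(server):
            # "internal" services are built into inetd itself
            status = "disabled, binary still installed"
        else:
            status = "disabled, binary removed"
        findings.append((name, status))
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
# Constructed inetd.conf fragment
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
#ftp    stream tcp6 nowait root /usr/sbin/in.ftpd    in.ftpd
time    dgram  udp  wait   root internal
"""

if __name__ == "__main__":
    for name, status in audit_inetd(SAMPLE):
        print(f"{name:8} {status}")
```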

  10. #10
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    Thanks all

    Thanks for the input. I appreciate it. I really do.
