Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Firewall bypass.


Night_Stalker's Avatar
Member
0 0

Recently changed out firewalls on my desktop pc because the old firewall didn't detect when I would connect to it remotely via my net-book, on the wireless network (not over the internet), using a simple rootkit. Now that the firewall is changed (it is now ZoneAlarm) it refuses to allow me to connect.

Which makes me wonder, are there ways to bypass the firewall and still connect, remotely (I'm damn sure there are many ways..)? How could someone do this? How could it be prevented?

I don't really want step by step instructions or hand-puts on how it could be done/prevented, I dislike that. I'm mainly just looking for some hints on what to search for to find this out, and where to look and where to start.

Thanks. :happy:


rootDaemon's Avatar
Member
0 0

Alright, first let me say i'm not 100% sure on this one, but I had a conversation about it on irc. If the firewall is stateless you can get packets through it by spoofing them as replies to a computer on the other side.

Anyone else heard of this?


Night_Stalker's Avatar
Member
0 0

rootDaemon wrote: Alright, first let me say i'm not 100% sure on this one, but I had a conversation about it on irc. If the firewall is stateless you can get packets through it by spoofing them as replies to a computer on the other side.

Anyone else heard of this?

After reading your post, I remember reading that somewhere on a thread on HBH. Or reading something similar to it.


stealth-'s Avatar
Ninja Extreme
0 0

rootDaemon wrote: Alright, first let me say i'm not 100% sure on this one, but I had a conversation about it on irc. If the firewall is stateless you can get packets through it by spoofing them as replies to a computer on the other side.

Anyone else heard of this?

This is true. A stateless firewall only looks at each packets' values individually, without actually tracking and checking whether or not there is a valid TCP connection for that packet. If it saw that it was a reply, a stateless firewall would have to assume that there is already an active TCP connection and would pass it through. A stateful firewall would know that there isn't actually a connection, and drop it.

ZoneAlarm is stateful, however.

Without you actually poking holes in the firewall yourself, I don't believe anyone would be able to get around the firewall that ZoneAlarm creates. Personally, if I was an attacker, I would then instead MitM you and redirect all your web traffic to my own machine, and try to exploit your web browser through that method. I'm assuming we are talking LAN here, since your router acts like a firewall in itself.


Night_Stalker's Avatar
Member
0 0

stealth- wrote: snip

What I'm trying to do is to find a way to access a rootkit behind the stateful firewall. When I attempt to connect, I noticed that on the desktop pc, zonealarm pops up asking you to trust the connection. You have to click to trust it to allow the connection. I had read the other day something about injecting rootkits/spyware into .dll files, and if that .dll file is used by an application that is trusted by the firewall, most firewalls would allow it full access to the internet.

Could anyone verify this? o.O

Going to look into in myself and see if I can find out about it, and also try some other thing I read..