The issue he was facing was that he was not able to back connect nor use a bind shell to get an interactive command prompt. Well, yes, it would definitely be because of proxy/firewall/NAT issues.
Day 1:
All I am having is a web shell with privileges to execute commands; it was a Windows 2008 server. I started by doing an external nmap:
fb1h2s@bktrack:~# nmap -T4 -A targetip   "which will generate a full scan including tracert and script scans"
Output was: TCP Port 80 Open
For confirming, I uploaded a command-line port scanner, not nmap, as I am not having an interactive command prompt and configuring nmap+WinPcap on a non-interactive setup is hard, so I didn't want to take that pain.
I uploaded Foundstone ScanLine v1.01 http://www.foundstone.com/us/resourc...c/scanline.htm and did banner grabbing on the device which is doing the NAT.
ipconfig > found the device IP 192.168.0.1

sl -vbt 192.168.0.1
Starting scan against 192.168.0.1 port range: 1-5000
Total number of maximum threads is 20. Socket timeout is set to 20ms.
Port 1720 is open.
-- End of open TCP ports list.
Cisco IOS firewall

192.168.0.1
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
TCP ports: 23 80 1720
Day 2:
It took two days to build an option set
[+] Few solutions I could think about were:
[1] Get access to the firewall by brute-forcing the password or some other means and modify the access list to:
access-list 101 permit tcp any host 171.16.23.1 eq 3389
[2] Find another system in the network which might have internet access, like the mail server or DNS servers, hack them, then tunnel the firewalled machine's traffic through them out to the internet and get an interactive shell.
[3] DNS tunneling and port reuse http://www.blackhat.com/presentation..._Shellcode.pdf Metasploit has DNS tunneling payloads. "You can't achieve a fully interactive shell."
And from these I chose the second option. So now I have to spot a system which might have direct internet access.
ipconfig /all gives me my internal DNS server IP: 192.168.0.4. I also did a port scan on my subnet, which gave me the DNS names too ("DNS names changed"):

192.168.0.4
Hostname: INTERNALSERVER
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.0.17
Hostname: INTER2SERVER
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.0.18
Hostname: ipcam-client
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
Starting scan against 192.168.0.18 port range: 1-5000
Total number of maximum threads is 50. Socket timeout is set to 3ms.
Port 22 is open.
Port 80 is open.
Port 443 is open.
Port 554 is open.
Port 2112 is open.
Port 3306 is open.
Port 4112 is open.
Port 4116 is open.
Port 4343 is open.
-- End of open TCP ports list.
-------------------------------------------------------------------------------
192.168.0.246
Hostname: MYBOOKWORLD
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
Scan finished at Thu Nov 25 15:34:20 2010
--------------------------------------------------------------------------
192.168.0.18
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
TCP ports: 22 80 443 554 2112 3306 4112 4116 4343
--------------------------------------------------------------------------
192.168.1.4
Hostname: exch.my.target.com
Responds with ICMP unreachable: No
192.168.1.4
Responded in 0 ms. 1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 25 53 80 88 110 135 139 143 389 443 445 464 593 636 993 995 1025 1027 1038 1054 1058 1060 1066 1069 1107 1111 1123 1129 1163 1201 1219 1801 2101 2103 2105 2107 3171 3172 3173 3268 3269 3389
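As an added example, not part of fb1h2s' post, here is a small Python parser for ScanLine-style output that turns per-host port lists like the ones above into a defender's triage list: which internal hosts expose cleartext management services, and which ones run the services (DNS, SMTP) that an attacker on a firewalled web server would look to pivot through, so that their egress rules get reviewed first. The sample text is constructed to mirror the two output formats quoted in the post; the watchlist of ports and reasons is my own assumption, not anything from ScanLine or the post.

```python
import re

# Constructed sample, modelled on the ScanLine output formats quoted in the post
# (summary "TCP ports:" blocks and verbose "Port N is open." blocks).
SAMPLE = """\
192.168.0.4
Hostname: INTERNALSERVER
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
Starting scan against 192.168.0.18 port range: 1-5000
Total number of maximum threads is 50. Socket timeout is set to 3ms.
Port 22 is open.
Port 80 is open.
Port 3306 is open.
-- End of open TCP ports list.
-------------------------------------------------------------------------------
192.168.1.4
Hostname: exch.my.target.com
Responded in 0 ms. 1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 25 53 80 135 389 445 3389
-------------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms. 0 hops away
TCP ports: 23 80 1720
"""

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
START_RE = re.compile(r"^Starting scan against (\d{1,3}(?:\.\d{1,3}){3})")
HOST_RE = re.compile(r"^Hostname:\s*(\S+)")
PORTS_RE = re.compile(r"^TCP ports:\s*(.*)$")
PORT_OPEN_RE = re.compile(r"^Port (\d+) is open\.")

# Reviewer's watchlist (assumption): services whose exposure inside the perimeter
# deserves a second look, either as cleartext management or as an egress path.
WATCHLIST = {
    21: "FTP (cleartext)",
    23: "telnet (cleartext management)",
    25: "SMTP (outbound relay path)",
    53: "DNS (outbound resolver path, DNS tunnelling)",
    445: "SMB",
    3389: "RDP",
}


def parse_scanline(text):
    """Parse ScanLine text into {ip: {"hostname": str|None, "ports": set[int]}}."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_RE.match(line) or START_RE.match(line)
        if m:
            # A bare IP line or a "Starting scan against" line opens a host block.
            current = m.group(1)
            hosts.setdefault(current, {"hostname": None, "ports": set()})
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[current]["hostname"] = m.group(1)
            continue
        m = PORTS_RE.match(line)
        if m:
            hosts[current]["ports"].update(int(p) for p in m.group(1).split())
            continue
        m = PORT_OPEN_RE.match(line)
        if m:
            hosts[current]["ports"].add(int(m.group(1)))
    return hosts


def triage(hosts):
    """Return {ip: [(port, reason), ...]} for hosts exposing watchlisted services."""
    findings = {}
    for ip, info in hosts.items():
        hits = sorted((p, WATCHLIST[p]) for p in info["ports"] if p in WATCHLIST)
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    parsed = parse_scanline(SAMPLE)
    for ip, hits in triage(parsed).items():
        name = parsed[ip]["hostname"] or "-"
        print(f"{ip:<14} {name:<22} " + ", ".join(f"{p} {why}" for p, why in hits))
```

Run against real ScanLine output, the triage list is the set of hosts whose outbound firewall rules should be checked first: a mail or DNS server that is allowed out to the internet is exactly the kind of box a stranded web shell gets relayed through, so its egress should be limited to the upstream hosts it actually needs.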