Network scans against various Windows firewalls (with real hardware)

Discussion in 'other firewalls' started by Gullible Jones, Jun 21, 2014.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    This is the new set of tests, using various free third-party firewalls on an EeePC 1005HAB with Windows 7 SP1 installed, including all available security updates. Windows 7's native firewall, in Public mode, will be the baseline. No Windows services will be disabled from the installation defaults.

    This time I will be reporting which firewall I'm testing and what ports it leaves unblocked. If you are using one of the firewalls in question, do not need the port in question open, and are still willing to trust the firewall, you should probably set up a manual rule to block inbound connections on that port or range of ports. Where necessary I'll add comments about the nature of the ports.

    The "attacking" computer will be a Compaq C700 laptop running SalixOS 14.1 (x86). nmap will be invoked as:

    # nmap -Pn -sS -sY -sU <netbook IP>

    These are all preconfigured scan types: TCP SYN scan, SCTP INIT scan, and UDP scan, on the most common 1024 ports for each protocol. It's not that intensive, because an intensive UDP scan would take almost a day. IOW I'm not being particularly thorough, I just want to see if the firewall appears to be doing its job.

    As of this sentence, the netbook has finished installing Win7 and is now updating. Watch this space. :)
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    First the baseline test, Win7 SP1 + all security updates + Win7 internal firewall:

    Code:
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-21 22:29 EDT
    Nmap scan report for 192.168.1.120
    Host is up (0.00017s latency).
    All 2052 scanned ports on 192.168.1.120 are filtered (1052) or open|filtered (1000)
    MAC Address: E0:CB:4E:3C:6E:D4 (Asustek Computer)
    
    Nmap done: 1 IP address (1 host up) scanned in 44.56 seconds
    
    Nada! Okay, on to PrivateFirewall...
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Also, a random aside: you know how the first time you start up IE, it goes to MSN? Well you can't stop it from doing that. Hitting the stop button or the escape key doesn't work. You WILL get spammed with disturbing, sensationalistic headlines.

    *shakes fist in the general direction of Redmond*

    Okay, now I'm going to listen to some calming Bach and do some calming pentesting.
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    PrivateFirewall, with network security on "High":

    Code:
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-21 22:47 EDT
    Nmap scan report for 192.168.1.120
    Host is up (0.00036s latency).
    Not shown: 1044 filtered ports, 1000 open|filtered ports
    PORT  STATE  SERVICE
    135/tcp  open  msrpc
    3389/tcp  closed ms-wbt-server
    49152/tcp open  unknown
    49153/tcp open  unknown
    49154/tcp open  unknown
    49155/tcp open  unknown
    49156/tcp open  unknown
    49159/tcp open  unknown
    MAC Address: E0:CB:4E:3C:6E:D4 (Asustek Computer)
    
    Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
    
    I'm pretty sure the RPC port can be used for certain attacks. Also interesting that all those unknown high ones in a row are left unblocked. The only one that makes sense to me is 3389 which is typically used for RDP... Except that nobody sets up RDP servers at home.

    Metasploit testing with PrivateFirewall is next... Once I have Metasploit working on my stupid laptop.
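A small parser for this kind of nmap summary, added here as an example and not part of the thread or of nmap itself: it reads the two scan results quoted above (embedded below as constructed sample input), totals the port states, lists every port that answered the probe at all (open or closed, as opposed to filtered), annotates the ones discussed in the thread, and diffs a candidate firewall against the Windows 7 baseline so a regression shows up as a number rather than a wall of output. The port annotations and the note about the 49152-65535 dynamic port range are my additions; the state names and their meaning are nmap's.

```python
import re
from collections import Counter

# Constructed sample input: the two nmap summaries quoted earlier in this thread
# (baseline Windows 7 firewall, then PrivateFirewall on "High"), trimmed to the
# lines this parser actually reads.
BASELINE = """\
Nmap scan report for 192.168.1.120
Host is up (0.00017s latency).
All 2052 scanned ports on 192.168.1.120 are filtered (1052) or open|filtered (1000)
"""

PRIVATEFIREWALL = """\
Nmap scan report for 192.168.1.120
Host is up (0.00036s latency).
Not shown: 1044 filtered ports, 1000 open|filtered ports
PORT  STATE  SERVICE
135/tcp  open  msrpc
3389/tcp  closed ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49159/tcp open  unknown
"""

STATES = r"open\|filtered|unfiltered|filtered|closed|open"
PORT_LINE = re.compile(rf"^(\d+)/(tcp|udp|sctp)\s+({STATES})\s+(\S+)")
SUMMARY_PAREN = re.compile(rf"({STATES}) \((\d+)\)")     # "filtered (1052)"
SUMMARY_WORDS = re.compile(rf"(\d+) ({STATES}) ports")    # "1044 filtered ports"

# Annotations are mine (not nmap's) for the ports that came up in this thread.
KNOWN = {
    (135, "tcp"): "MSRPC endpoint mapper",
    (3389, "tcp"): "RDP (ms-wbt-server)",
}
# Windows Vista and later use 49152-65535 as the default dynamic port range,
# which is where RPC services registered with port 135 get their listeners.
DYNAMIC_RANGE = range(49152, 65536)


def parse_nmap(text):
    """Parse normal (non-XML) nmap output.

    Returns (counts, ports): counts maps each port state to how many ports nmap
    put in that state, including those folded into the "All ..."/"Not shown:"
    summary line; ports lists (port, proto, state, service) for every port nmap
    printed individually.
    """
    counts = Counter()
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports.append((int(port), proto, state, service))
            counts[state] += 1
        elif line.startswith("All ") or line.startswith("Not shown:"):
            for state, n in SUMMARY_PAREN.findall(line):
                counts[state] += int(n)
            for n, state in SUMMARY_WORDS.findall(line):
                counts[state] += int(n)
    return counts, ports


def describe(port, proto):
    if (port, proto) in KNOWN:
        return KNOWN[(port, proto)]
    if proto == "tcp" and port in DYNAMIC_RANGE:
        return "Windows dynamic port range (RPC)"
    return "unknown"


def exposed_ports(text):
    """Ports that answered the probe at all.

    'open' means a SYN-ACK came back, 'closed' means a RST came back. Either way
    the firewall handed the probe to the TCP stack instead of dropping it (which
    is what 'filtered' means), so both deserve a rule if the service is unneeded.
    """
    _, ports = parse_nmap(text)
    return [(p, proto, state, describe(p, proto))
            for p, proto, state, _ in ports if state in ("open", "closed")]


def compare(baseline_text, candidate_text):
    """Per-state difference (candidate minus baseline); a regression shows up as
    a positive number under 'open' or 'closed'."""
    base, _ = parse_nmap(baseline_text)
    cand, _ = parse_nmap(candidate_text)
    return {state: cand[state] - base[state] for state in set(base) | set(cand)}


if __name__ == "__main__":
    for name, text in (("Windows 7 firewall", BASELINE), ("PrivateFirewall", PRIVATEFIREWALL)):
        counts, _ = parse_nmap(text)
        print(f"{name}: {dict(counts)}")
        for port, proto, state, note in exposed_ports(text):
            print(f"  {port}/{proto} {state:6} {note}")
    print("delta vs baseline:", compare(BASELINE, PRIVATEFIREWALL))
```

Run against the two outputs above it reports eight ports that answered on the PrivateFirewall box and none on the baseline, with the filtered count down by eight. Note that 3389 is listed even though nmap says "closed": a RST came back, so that probe reached the TCP stack rather than being dropped, which is exactly the kind of port the first post suggests covering with a manual inbound block rule.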
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Interesting - after a few tentative prods with Metasploit (and some clicks on "Deny" buttons on the netbook), PrivateFirewall has either filtered or closed all ports. No open ones remain. Much better.

    I have yet to exhaust all Windows network attacks though. Let's see what we can do.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    A dozen failed exploits later, I think I see the picture...

    Interactive firewalls are *interactive*, even when arguably "locked down." The reason the ports appear open is that the firewall is waiting for someone to complete an inbound connection (as opposed to doing a SYN scan). When that happens it will issue a prompt, and if the answer is "Deny" it will close the port forever more.

    Personally I think this is rather silly from a usability standpoint, but I have to admit it works quite well... As long as you don't click "Allow." (And as long as there aren't any holes in the firewall itself, but that goes without saying.)

    tl;dr My hypothesis was wrong, interactive firewalls work fine. (They just have some strange habits.) Carry on, everyone.
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks for sharing.
     
  8. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Have you tried NOT having a network connection for IE to exploit on first run?
    Also, it's not just IE that 'phones home' on first run; there are so many connections made on the first run of a new Windows installation that it's fair to plainly state 'Windows phones home, and keeps doing it, until you have disabled/changed ALL settings for functions that ever access the NIC'.
    'Windows Time', 'error reporting', and the list just goes on and on...
     