new leaktest : WallBreaker

Discussion in 'other firewalls' started by gkweb, Jun 17, 2003.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Guest

    Hi

    I just released my own leaktest, available on the site.
    It works on Windows 9x/Millennium/2000/XP and seems not to be blocked by any firewall (following the "how to do test" of the results page).

    => http://www.firewallleaktester.fr.st

    The only known way for now is SSM (while the issue is probably investigated).

    Happy testing.
    regards,

    gkweb.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Nice Leak-test, however it failed to bypass Look ‘n’ Stop’s Application Filtering Layer… ;)
     
  3. gkweb

    gkweb Guest

    no...

    Look'n'Stop doesn't see WallBreaker.exe, just explorer.exe, iexplore.exe, or svchost.exe.

    regards,

    gkweb.
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Once again I'm telling you what I see, and what I see is Look 'n' Stop stealthing me at Application Filtering Layer from that utility's hijacking attempts...
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Yes Look ‘n’ Stop doesn’t see Wallbreaker.exe Launching another Application that will connect, however Look ‘n’ Stop is protecting me at Application Filtering Layer.

    My Windows Explorer is configured to Launch only and no connection rights to the Internet, from the beginning Windows Explorer has always been DENIED from connecting rights as it’s obviously a security hazard… :D
     
  6. gkweb

    gkweb Guest

    I tested it on two computers: Win XP and Win 2000, both with all the latest updates, with LnS 2.04p2 and the latest driver on both. If the configuration is not locked (which could prevent explorer.exe or svchost.exe from doing anything), LnS failed even at the highest settings. Now it's me telling you what I see ;)

    (maybe you blocked a Windows app?)

    regards,

    gkweb.

    EDIT: oops, you just posted :D

    Yes, following best guidance like blocking explorer.exe is a must, but not while testing leaktests ;)
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    LOL when it comes to Leak-testing nothing new anyone can tell me… ;)
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi gkweb,

    Nice tester app you got there. It certainly defeated my KAH 1.5!

    This is precisely why I distrust Personal Firewalls by themselves. Using PE I could tell that something was going out to France (I know, the test is entirely safe!) even though it recorded the originating app as iexplore. Still this would be enough to tip that something was up.

    I wonder, have you tried it against Tiny 4.5? If I were to rely on a PF exclusive to anything else it would be that one (Not that I have tried all the ones out there!)

    Thx,

    Dan
     
  9. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Phant0m``

    I tried the Leaktest from gkweb..... now since explorer.exe is blocked by default.... it still bypasses... my LnS.... any idea ?
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Yes, most likely your Internet Explorer was running in the background at the time you executed that test…

    Under a few circumstances Look ‘n’ Stop will fail the test, and this is just another example of why, when dealing with Leak-testing, you must consider all factors.. ;)
     
  11. gkweb

    gkweb Guest

    What OS do you have? Windows handles what WB does differently, even between 2000 and XP.

    But at least on Win XP, blocking explorer.exe prevents the test from working.

    @Dan Perez
    I just tried the application filtering of TPF 4.5, not the sandbox feature.

    regards,

    gkweb.
     
  12. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Current ZA+ defeats this .exe by unchecking one box:

    Program Control-->
    highlight Windows Explorer-->
    Options-->
    Security-->
    Uncheck Advanced Program Control: "This program may use other programs to access the internet" box.

    Whew!
    ;)
     
  13. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I'm running WinXP Pro Sp1
    LnS 2.04p2
    And even with explorer.exe blocked in Application Filtering and Internet Explorer closed, running the test still screws up.

    Will have to find a way to stop that somehow ;) will get back to ya later on if I do ;)
     
  14. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Doh!

    Not so fast, Jim...a "cannot find server" message isn't good!

    Hmm. Maybe there's an end-around somewhere! :)
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey FluxGFX

    There are two Flags you set for each Application in the Application Filtering List; is Explorer.exe (Windows Explorer) configured to Deny Connecting rights to the Internet?

    I’m running Microsoft Windows XP Pro with Service Pack 1 Installed and all the SP2 hotfixes… and using Look ‘n’ Stop v2.04p2 with most recent Application Filtering Driver.
     
  16. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I have set the two flags and added every explorer.exe on the system to be blocked and still... not working for me, but I'm not giving up, I'm sure there's a way to disable explorer.exe from accessing the net from within Windows.
     

  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    OHHH i C
     
  18. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Phant0m``
    Honey you see what ? ;)
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Try removing all the Explorers and executing the Wallbreaker and then click DENY to Explorer.exe Launching Internet Explorer…

    Also try terminating everything in the background except for Look ‘n’ Stop and then run Wallbreaker…
     
  20. gkweb

    gkweb Guest

    ########### READ THIS #############

    I suggest everyone read the "how to do tests" on the website results page.
    Blocking a Windows component to successfully pass a leaktest is not seen as a good result, because the purpose is to test your firewall and the strength of its application filtering layer, so you have to allow explorer.exe and iexplore to access the Internet.

    For instance, with Look'n'Stop 2.04p2 with iexplore.exe and explorer.exe fully trusted, the leaktest "Tooleaky" is caught red-handed by LnS with a beautiful warning "Tooleaky.exe try to launch iexplore.exe", even with the two apps trusted, because it is not vulnerable to "Tooleaky".
    The same way of testing your firewall has to be followed to test it.

    After that, to enhance your protection and to cover firewall leaks, you can follow best guidance such as blocking explorer.exe from accessing the Internet, adding SSM, giving filter rules per application, etc... but these "user enhancements" prevent you from seeing whether the firewall can handle the leaktest or not. In our example with WallBreaker, the firewall just sees explorer.exe, and if you told it to block it, it blocks explorer.exe without having seen wallbreaker.exe.

    Keep in mind that all techniques shown by all leaktests can in theory be applied to any trusted application on your system... and in this case, the last shield is the firewall's application filtering, which should see that a malicious program launched an authorized one; if not, the test is failed.

    Don't confuse what your firewall can really _see_ with what it can really _do_
    (it can block explorer.exe, but can't see wallbreaker.exe).

    regards,

    gkweb.

    ########### READ THIS #############
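
The grading rule described in post 20 above, as a small model added here for illustration; it is not part of the thread and not code from any firewall. The event shape, function names and result labels are assumptions, the observations are constructed from the thread's description, and an untrusted launcher is treated as refused where the real product would show a prompt.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Launch:
    """One launch event as the application filter observes it (assumed shape)."""
    launcher: str   # process the filter sees starting the target
    target: str     # program that will open the connection

def filter_verdict(launch, may_connect, may_launch):
    """Return (blocked, blamed): the decision and the process the filter names.

    may_connect: programs allowed to reach the Internet.
    may_launch:  programs allowed to start a connecting program.
    """
    if launch.launcher not in may_launch:
        return True, launch.launcher      # launch refused, launcher is named
    if launch.target not in may_connect:
        return True, launch.target        # connection refused
    return False, None                    # traffic leaves, nobody is named

def score(launch, originator, may_connect, may_launch):
    """Grade a leak test: the firewall passes only if it names the originator."""
    blocked, blamed = filter_verdict(launch, may_connect, may_launch)
    if not blocked:
        return "leaked"
    return "detected" if blamed == originator else "blocked-blind"

# Constructed observations, following the thread's description.
TOOLEAKY = Launch("tooleaky.exe", "iexplore.exe")      # launcher is visible
WALLBREAKER = Launch("explorer.exe", "iexplore.exe")   # filter sees explorer.exe only

TRUSTED = {"explorer.exe", "iexplore.exe"}   # setup required by "how to do tests"
EXPLORER_DENIED = {"iexplore.exe"}           # user hardening: explorer.exe refused

def run_all():
    """Score the three situations discussed in the thread."""
    return {
        "tooleaky, apps trusted": score(TOOLEAKY, "tooleaky.exe", TRUSTED, TRUSTED),
        "wallbreaker, apps trusted": score(WALLBREAKER, "wallbreaker.exe", TRUSTED, TRUSTED),
        "wallbreaker, explorer denied": score(WALLBREAKER, "wallbreaker.exe", TRUSTED, EXPLORER_DENIED),
    }

if __name__ == "__main__":
    for case, result in run_all().items():
        print(f"{case}: {result}")
```

The "blocked-blind" result is the case the post warns about: the traffic is stopped, but the filter names explorer.exe and never the program that started the chain.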
     
  21. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Phant0m``

    Well I did remove all the explorers and closed everything and tried again with no successful results.

    gkweb,

    Would you have a suggestion in mind that would help stop wallbreaker?
     
  22. gkweb

    gkweb Guest

    Maybe you didn't flush the IE cache?
     
  23. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Trust me I did ;)
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey gkweb

    I’m only here to state a fact that Look ‘n’ Stop has the capabilities of protecting, I never said Look ‘n’ Stop has the capabilities of detecting this Leaktest or not. ;)
     
  25. gkweb

    gkweb Guest

    It's not for you, it's for the user who said they passed the leaktest with ZA by checking "block explorer.exe"

    ;)

    @GFX
    it's unbelievable :eek:

    regards,

    gkweb.
     