PC Flank's Leaktest May 10, 2006?

Discussion in 'other firewalls' started by wujxin, May 20, 2006.

Thread Status:
Not open for further replies.
  1. wujxin

    wujxin Registered Member

    Joined:
    May 19, 2006
    Posts:
    28
    Location:
    China
    what do you think about this?

    PC Flank Leaktest Current Results

    We have gathered statistics of how each of the major firewalls coped with PCFlank's Leaktest. These results are shown below.
    PCFlank's Leaktest vs. the major firewalls, as of May 10, 2006:

    Firewall PC Flank Leaktest Result:
    Norton Personal Firewall 2006 (v. 9.0.0.73) failed
    McAfee Personal Firewall Plus (v. 7.0.152) failed
    Kerio Personal Firewall 4 (v. 4.2.3) failed
    Zone Alarm Pro 6 (v. 6.1.744.001) failed
    Outpost Firewall Pro (v. 3.51.748.6419) failed
    Kaspersky Anti-Hacker (v. 1.8.180.0) failed
    Windows XP built-in firewall failed
    Tiny Desktop Firewall 2005 Pro (v. 6.5.126) passed
     
  2. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
  3. rafael

    rafael Registered Member

    Joined:
    Apr 30, 2006
    Posts:
    48
    I have stopped visiting this site since well known firewalls seem to be not good enough to pass PC Flank leak test. I added a router instead to my setup as added protection.

    Suggest to try shieldsup at www.grc.com to check your firewall or router for open ports.
     
  4. wujxin

    wujxin Registered Member

    Joined:
    May 19, 2006
    Posts:
    28
    Location:
    China
    Thanks a lot!
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Well, PC Flank along with GRC are the best firewall test pages.

    Since this test is about blocking outbound, it does not really conserns me, because my protection is based on prevention (inbound blocking only), but anyway, it is interesting to see, how useless outbound blocking is. If the PC gets infected, the trojan does not have problem to shutdown security software or it can simply bypass it, like PC Flank Leaktest nicely proofes.
     
  6. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Jetico pass, no problem!
     
  7. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    I ran this TEST 5 times & Passed 5 times with ZAF & FIRE FOX . IE is Blocked in ZAF.
     
  8. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
  9. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    You may carefully exam the way it used, a little interesting.
    GSS or ZA maybe used for test.
    By the way, don't be fool by the word "failed", you can fail even you unplug the network connection. That means, you failed if you don't have a suspend action for the way it used.
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Hi TheTOM_SK,

    Checkout http://www.firewallleaktester.com if you want to find the best firewall test website. GRC's leaktest1.2 is the most trivial of the tests there.

    If you only do inbound blocking, your firewall can still be penetrated, and with no outbound blocking your computer is no longer your own.

    Once you begin to think of protection in terms of OS, network, and application levels including the Registry, i.e. multi-layered, rather than simply in terms of inbound protection only, then your security will correspondingly improve as you add layered protection.

    -- Tom
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    I know this site, I use their WWDC, they also test outbound blocking mostly.
    It is not about that I do not use outbound blocking, but I take it as part of my firewall.
    As long as there are only trusted programs in PC, there is no need for blocking outbound.

    But I guess, that you meant, that if my PC would get infected, some trojan could leak at will. In that case, I am not really worried of getting infected, not because it is almost impossible, but even if I would, there is nothing serious to be stolen. Anyway, thanks for your conserns.
     
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    While there may be nothing to leak, surely you would not want your PC to be turned into a spambot without your knowledge say if it is online 24/7 when you are not there in front of the PC.

    -- Tom
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    I see your point, but do not worry my PC is at least safe as well as yours. ;)
     
  14. Maji

    Maji Registered Member

    Joined:
    Apr 26, 2006
    Posts:
    32
    I failed the test at first, but then I realized that it was using my local proxy to bypass the firewall and send the text string. Once I went into LnS and stopped the proxy from communicating to the Internet on port 80, the test completely failed, even though it said it passed (i.e. when I went to the page, there was no entry shown for me whatsoever). In other words, the test only succeeded because of the local proxy, which isn't news to me at all. Many other leak tests have taken advantage of local proxies to bypass firewalls and inaccurately procclaim that they have defeated your firewall software, when they have really only exploited one of the functions of a proxy server (i.e. to bypass communication restrictions imposed by corporate firewalls or routers).

    And how do I know that it took advantage of my local proxy and not something else? Simple: in the results page, it listed a spoofed IP address, not my real one. ;) Since IP spoofing is one of the things I have enabled via my local proxy, the only way it could have picked up the spoofed IP was if it had sent the packet containing the data I typed through the proxy first. Kind of lame, if you ask me. :p That's another reason I don't give much weight to any of pcflank's tests...they can easily be fooled by IP spoofing and/or proxies.

    GRC.com's ShieldsUp test, on the other hand, is NOT fooled by simple spoofing methods. ;)
     
  15. whistl3r

    whistl3r Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    69
    I found this test to be very interesting. What interest me is PCFlank does not provide detailed information on how this test bypassed a software / hardware firewall, I operate both, including ICF.

    What it could be doing is exploiting a buffer overflow, that has not been fix in Windows, giving PCFlank an illegal advantage, that is if they're using this overflow for their own gain and did not explain or report it. OR using a service you had already allowed through your firewall applications. I am probably incorrect about that statement, but they failed to provide detailed information and explain what procedure was taken to bypass your security settings. I find it very odd they do not explain this in detail.
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    This is just my opinion only but I don't put much stock in PC Flank tests. They pretty much seem to be at odds with the other test sites quite a bit.
     
  17. whistl3r

    whistl3r Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    69
    In fact, Internet Explorer is required to be open when running this test, which immediately tells me that it's exploiting a Buffer Overflow, during one of my tests I completely shutdown application access the the net, via my firewall, and was still able to get through. I wonder if they even reported such a problem. Please correct me if I am wrong.... but this test is exploiting a buffer overflow.

    What worries me, is this company is trying to gain an advantage and do not explain the tests result.
     
  18. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Just a thought....

    I`m in over my head here a bit :oops: ....however. For quit a while now there has been a little Java script, I believe, based trick going around the net. Have seen it on a ton of websites. It`s usually a little figure holding a sign displaying your PC`s IP. Really caused quit a stir for a while among the security minded surfers. :blink: This would happen regardless of your security set up. Router, firewall, etc. did`t matter. It was explained that it was really a trick and the only one that saw it, the IP, was you. Never took the time to discover how this worked, but could this test be based on the same script?
     
  19. whistl3r

    whistl3r Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    69
    These are my discoveries while testing with Sygate (someone will appreciate it); like to apologize in advance I wrote this up in 2minutes.
    Step#1: Once PCFlankleaktest askes to open IE an application allowance is displayed attempting to send information displayed in #1;
    Step#2: The next screen on PCFlankleaktest requests to "Enter the test data" after you enter the data and submitt (next) Sygate prompts again for application allowance, displaying data contained in #2;
    Step#3: PCFlankleaktest will now show vague details and ask again to open IE and navigate to the results menu, again Sygate will ask for application allowance (if PCFlankleaktest.exe has not been given exclusive rights) to open IE displaying results from #3.

    PCFlankleaktest.exe fails it's own test, if it has been exclusively denied access to the net and/or the inherent use of iexplorer.exe. However, this test will succeed if the application has inherent rights to iexplorer.exe. Concluding, iexplorer.exe should not be given inherent rights to any application, regarless of it's trustworthyness. Most software firewall applications explicitly give you the right to allow/deny/ask (control) your application, which you should never allow mischievous applications to access your programs.



    #1: Initial launch of FLank asking to use IE:

    Parent Process : E:\PCFlankLeaktest.exe
    Parent Version : 1.0.0.0
    Parent Description : Leaktest developed by PCFlank.com
    Parent Process ID : 0x770 (Heximal) 1904 (Decimal)


    File Version : 6.0.2900.2180
    File Description : Internet Explorer (iexplore.exe)
    File Path : C:\Program Files\Internet Explorer\iexplore.exe
    Process ID : 0x8D8 (Heximal) 2264 (Decimal)

    Connection origin : local initiated
    Protocol : TCP
    Local Address : IP_OMITTED
    Local Port : 1261
    Remote Name : www.google.com
    Remote Address : 64.233.167.104
    Remote Port : 80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
    Destination: 00-0f-66-0d-e8-35
    Source: 00-0d-61-32-cd-16
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 64
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0x5b47 (Correct)
    Source: IP_OMITTED
    Destination: 64.233.167.104
    Transmission Control Protocol (TCP)
    Source port: 1261
    Destination port: 80
    Sequence number: 1462827921
    Acknowledgment number: 0
    Header length: 32
    Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Checksum: 0x4c72 (Correct)
    Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 0F 66 0D E8 35 00 0D : 61 32 CD 16 08 00 45 5C | ..f..5..a2....E\
    0010: 00 34 4E 43 40 00 40 06 : 47 5B AC 14 10 64 40 E9 | .4NC@.@.G[...d@.
    0020: A7 68 04 ED 00 50 57 30 : FB 91 00 00 00 00 80 02 | .h...PW0........
    0030: FF FF 72 4C 00 00 02 04 : 05 B4 01 03 03 03 01 01 | ..rL............
    0040: 04 02 6C 65 61 6B 74 65 : 73 74 2F 6C 65 61 6B 31 | ..leaktest/leak1












    #2: Sending entered data to test; SG reports Flanks usage to IE:


    Parent Process : E:\PCFlankLeaktest.exe
    Parent Version : 1.0.0.0
    Parent Description : Leaktest developed by PCFlank.com
    Parent Process ID : 0x770 (Heximal) 1904 (Decimal)


    File Version : 6.0.2900.2180
    File Description : Internet Explorer (iexplore.exe)
    File Path : C:\Program Files\Internet Explorer\iexplore.exe
    Process ID : 0x8D8 (Heximal) 2264 (Decimal)

    Connection origin : local initiated
    Protocol : TCP
    Local Address : IP_OMITTED
    Local Port : 1262
    Remote Name : www.pcflank.com
    Remote Address : 195.131.4.164
    Remote Port : 80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
    Destination: 00-0f-66-0d-e8-35
    Source: 00-0d-61-32-cd-16
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 64
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0x7467 (Correct)
    Source: IP_OMITTED
    Destination: 195.131.4.164
    Transmission Control Protocol (TCP)
    Source port: 1262
    Destination port: 80
    Sequence number: 686365195
    Acknowledgment number: 0
    Header length: 32
    Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Checksum: 0x43a2 (Correct)
    Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 0F 66 0D E8 35 00 0D : 61 32 CD 16 08 00 45 5C | ..f..5..a2....E\
    0010: 00 34 4E 54 40 00 40 06 : 67 74 AC 14 10 64 C3 83 | .4NT@.@.gt...d..
    0020: 04 A4 04 EE 00 50 28 E9 : 1A 0B 00 00 00 00 80 02 | .....P(.........
    0030: FF FF A2 43 00 00 02 04 : 05 B4 01 03 03 03 01 01 | ...C............
    0040: 04 02 45 43 41 43 41 43 : 41 43 41 43 41 43 41 43 | ..ECACACACACACAC






    #3: open to view results to test:

    Parent Process : E:\PCFlankLeaktest.exe
    Parent Version : 1.0.0.0
    Parent Description : Leaktest developed by PCFlank.com
    Parent Process ID : 0x770 (Heximal) 1904 (Decimal)


    File Version : 6.0.2900.2180
    File Description : Internet Explorer (iexplore.exe)
    File Path : C:\Program Files\Internet Explorer\iexplore.exe
    Process ID : 0x8D8 (Heximal) 2264 (Decimal)

    Connection origin : local initiated
    Protocol : TCP
    Local Address : IP_OMITTED
    Local Port : 1264
    Remote Name : www.pcflank.com
    Remote Address : 195.131.4.164
    Remote Port : 80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
    Destination: 00-0f-66-0d-e8-35
    Source: 00-0d-61-32-cd-16
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 64
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0x5a67 (Correct)
    Source: IP_OMITTED
    Destination: 195.131.4.164
    Transmission Control Protocol (TCP)
    Source port: 1264
    Destination port: 80
    Sequence number: 545554806
    Acknowledgment number: 0
    Header length: 32
    Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Checksum: 0x3b43 (Correct)
    Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 0F 66 0D E8 35 00 0D : 61 32 CD 16 08 00 45 5C | ..f..5..a2....E\
    0010: 00 34 4E 6E 40 00 40 06 : 67 5A AC 14 10 64 C3 83 | .4Nn@.@.gZ...d..
    0020: 04 A4 04 F0 00 50 20 84 : 81 76 00 00 00 00 80 02 | .....P ..v......
    0030: FF FF 43 3B 00 00 02 04 : 05 B4 01 03 03 03 01 01 | ..C;............
    0040: 04 02 6C 65 61 6B 74 65 : 73 74 2F 6C 65 61 6B 31 | ..leaktest/leak1






    @ThunderZ; The java bypass, so much to say, not threatening or harmful in anyway. You transmitt your IP, browser version and os type every time you or your pc accesses the net, also called metadata. Take Wilders Security for example, the admin could supply us with general statistics on what browser, os types and ipranges are most commonly used to access this site. Sure, it could be harmful to someone who knows how to exploit the data, but rarely the case.
     
    Last edited: May 23, 2006
  20. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Understood, in part. But if your behind a router then should it not have shown the routers` IP, not the PCs` IP, which as I remember, it was.
     
  21. whistl3r

    whistl3r Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    69
    Depends, i'd hate to take this thread off to a different subject, but since your asking, it's very much so for software to query both your external CPE IP and your private internal IP.

    Most common programs/applets are java, activex, squid, and a few proxies, most proxies use squid and depending on the anonymity your internal IP can be exposed. Java and ActiveX are applets which have the ability to expose your internal network, you can disable java and activex compenents by increasing your security settings in internet properties or completely removing java.

    Here's a comprehensive link, regarding your question.
    http://www.auditmypc.com/internal-ip.html
     
  22. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Not sure it is a different subject sense it has to do with just how the test functions and is it a true leak or just a FP so to speak.
    Checked your link. The first paragraph is the one I find the most interesting. The external IP is correct. The internal is blank.(Added for reference.) This is with Firefox java enabled.

    NATTED IP

    Your external IP address (68.xxx.xx.xxx) is always exposed to the internet, if it wasn't, you wouldn't be able to visit sites. On the other hand, your internal IP address () should be protected and not be obtainable by websites.
     
  23. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    How Jetico stop PCFlankLeaktest.exe

    When you run PCFlankLeaktest.exe and enter the test data and press "Next"
    Jetico ask access to network "tooleaky.exe" "Hash 0C0A11B1 C032915E B5018338 6FD88C6A 05B47EBE"
    Block "tooleaky.exe" and PCFlankLeaktest say "Your firewall has failed the test" Copy-paste the link into your browser and no result on
    http://www.pcflank.com/pcflankleaktest_results.htm.
    When you click the "open browser" Jetico ask access to network "PCFlankLeaktest.exe" "Hash 3437369E 6B75021F 57DE5527 C33EF7B1 026E52D6" and allow or block access and no result on
    http://www.pcflank.com/pcflankleaktest_results.htm
    So for first you must test your firewall if pass "tooleaky.exe" and "WallBreaker.exe" from http://www.firewallleaktester.com
    If your firewall pass "tooleaky" and "WallBreakertest" then must pass PCFlankLeaktest too!
    This depend of your configuration!
    If your firewall not pass this-test then change your firewall!
    Thats it! Enjoy.
     
Loading...
Thread Status:
Not open for further replies.