PluginEditRawRule.dll Plug-In

Discussion in 'LnS English Forum' started by Phant0m, Feb 14, 2004.

Thread Status:
Not open for further replies.
  1. Phant0m
    Hello Look ‘n’ Stop fans

    I’m writing this tutorial for all of you Look ‘n’ Stop fans out there to give you a taste of an exciting exploration of the all-new Look ‘n’ Stop v2.05 Plug-In support, using the PluginEditRawRule.dll Plug-In (which allows you to create raw rules), which is available for download at http://www.looknstop.com/En/Plugins/plugin_ruleedition_use.htm; instructions for applying the Plug-In and using it are also on that page. Unlike any other software firewall that I’m aware of, Look ‘n’ Stop v2.05 Plug-In support can be used to create unique RAW rules. Wow, talk about getting down right dirty with your rules!

    As a demonstration I worked on ARP security. For a long time most if not all software firewalls allowed ARP packets by Ethernet type ARP only and didn’t provide any comparison of source/destination MAC addresses; today there are a few that actually do provide comparison of source/destination MAC addresses, given that the individual actually does use it. However, under most circumstances this just isn’t enough. NOW, with the NEW Look ‘n’ Stop v2.05 Plug-In support, the PluginEditRawRule.dll Plug-In and my four rules (available in importable rule format), you can uniquely do more than just allow by Ethernet type ARP and more than just compare the source/destination MAC addresses found in the packet header.

    Phant0m’s ARP $v1.0 importable rule file download is available HERE, and the instructions follow.



    MAC & IP Address index
    -------------------------------
    01.01.01.01.01.01 = Your-PC Physical Address
    11.11.11.11.11.11 = Gateway Physical Address
    192.168.0.1 = Your-Private IP
    192.168.0.0 = Gateway IP
    192.168.0.2 = Client-A Machine


    Basically what needs to be done is: import all four rules from the importable rule file into your rule-set and make modifications to all four rules

    http://www.wilderssecurity.info/images/ARP-rules.png

    and “THEN” disable the rule named “ARP : Authorize all ARP packets”, which should be the second rule from the bottom. Easy as that! I’ll even go through the modifications of the first rule to help get you started…

    Modifying the “Router: ARP Reply” rule

    http://www.wilderssecurity.info/images/rre-1.png

    * under "Field (0 to 9)" open the drop-list and select 1
    * under "Value Display Mode" open the drop-list and select "Hexa - Byte split"
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your PC Physical Address

    http://www.wilderssecurity.info/images/rre-2.png


    * under "Field (0 to 9)" open the drop-list and select 2
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your Gateway Physical Address

    http://www.wilderssecurity.info/images/rre-3.png


    * under "Field (0 to 9)" open the drop-list and select 3
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your PC Physical Address

    http://www.wilderssecurity.info/images/rre-4.png


    * under "Field (0 to 9)" open the drop-list and select 4
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your Gateway Physical Address

    http://www.wilderssecurity.info/images/rre-5.png


    * under "Field (0 to 9)" open the drop-list and select 5
    * under "Value Display Mode" open the drop-list and select "Decimal - Byte split"
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your Private IP Address

    http://www.wilderssecurity.info/images/rre-6.png


    * under "Field (0 to 9)" open the drop-list and select 6
    * under "Value Display Mode" open the drop-list and select "Decimal - Byte split"
    * under "Field Value(s)" modify the "Value1:" field by replacing it with your Gateway IP Address
    * Now click on the OK button


    Congratulations!!! Now you’re ready to move on to the next ARP rule!
     
  2. Phant0m
    Here is a little something to help many understand a few things about ARP.

    ---

    At the heart of every Man-In-The-Middle and password interception attack resides a
    person with the skills to see everything that traverses the network. There are tools available
    on the Internet that allow one to see every single packet that passes by your
    computer, and with the proper knowledge, even data that is destined for another computer.

    This technique is referred to as network sniffing, and ironically it is already built into your
    network card. Network cards that allow the user to see all the packets are in
    what’s called promiscuous mode. This mode tells the NIC to pass all data up to a
    higher application such as WinPCap, LibPCap, packet.dll, or any other package.

    When a user can see the data that is sent across the network, it gives them the ability to
    intercept a lot of juicy information such as e-mail, instant message conversations,
    password hashes, administrative data, and almost everything else imaginable.

    The quintessential flaw that spawns the ability to sniff network traffic resides in the actual
    network devices themselves. The hub is the most basic of Ethernet
    networking devices. It takes any packet that it receives and replicates that signal on all
    ports, essentially broadcasting it across the network. Hence, any node connected
    to that hub can view the network traffic between any other device. In technical networking terms this area where the data can be intercepted is called the
    collision domain.

    There are alternative technologies that allow more secure data transfer across networks,
    using what’s called microsegmentation. With microsegmentation, every node connected to the device gets mapped to a specific port. When data comes to the
    device, the data is routed specifically to that node so that no one else can intercept the
    data.

    These devices are called switches, and they work by creating a table of MAC addresses.
    The MAC address is the single identifier for any network device. When
    the incoming data is received by the switch, the destination MAC address is
    extracted and sent to the specific port for the destination.

    The single greatest feature of a switch soon proves to be its greatest downfall. The table
    of MAC addresses that is kept is created using a protocol called ARP (Address
    Resolution Protocol). ARP tells the switch and other computers what its
    MAC address is, and the switch/computers believe it (depending on certain
    rules). This leaves switches vulnerable to an attack called ARP poisoning. The attacking
    computer can send out fake ARP responses, tricking the remote nodes to
    think that the victim computer is actually the attacker. This means that all of the
    victim’s data will first be sent to the attacker for tampering and whatnot, bypassing anything that the switch has set up. Once the attacker is done with the data, the
    node can forward the data back to the victim without any trouble at all. There are programs that you can run that will monitor all ARP traffic and report any
    irregularities, such as ARPWatch.

    ---
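
An added example, not code from the thread, from Phant0m's rule file or from Look ‘n’ Stop: a plain-Python model of what the four ARP raw rules in the first post check (Ethernet header and ARP body together, rather than EtherType or header MACs alone), together with an ARPWatch-style IP-to-MAC change monitor for the poisoning scenario in the post above. The plug-in's field-to-offset mapping is not stated in the thread, so standard Ethernet/ARP offsets are assumed; the addresses are the placeholders from the thread's index; the thread names only “Router: ARP Reply” and “PC: ARP B-Request”, so the other two rule names here are my own placeholders; and the sample frames are constructed, not captured.

```python
"""Added example (not from the thread or from Look 'n' Stop): strict ARP rule
matching on Ethernet header + ARP body, plus an ARPWatch-style flip-flop
monitor. Standard Ethernet/ARP offsets are ASSUMED; the plug-in's own
field numbering is not known from the thread."""
import struct

# Placeholder addresses taken from the thread's MAC & IP address index
PC_MAC = bytes.fromhex("010101010101")
GW_MAC = bytes.fromhex("111111111111")
PC_IP = bytes([192, 168, 0, 1])
GW_IP = bytes([192, 168, 0, 0])
CLIENT_A_IP = bytes([192, 168, 0, 2])
BCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp(frame):
    """Return Ethernet+ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"dst": dst, "src": src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp(dst, src, op, sha, spa, tha, tpa):
    """Construct a 42-byte Ethernet/ARP frame (used only to make sample input)."""
    return (struct.pack("!6s6sH", dst, src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", sha, spa, tha, tpa))


def arp_rule_decision(frame, client_ips=(CLIENT_A_IP,)):
    """Walk the rule-set top to bottom. A frame is authorized only when every
    header and body field agrees with the recorded PC/gateway addresses; with
    'Authorize all ARP packets' disabled, anything else is blocked."""
    p = parse_arp(frame)
    if p is None:
        return "block"
    # "Router: ARP Reply" (named in the thread): the gateway answering us
    if (p["op"] == ARP_REPLY and p["dst"] == PC_MAC and p["src"] == GW_MAC
            and p["sha"] == GW_MAC and p["spa"] == GW_IP
            and p["tha"] == PC_MAC and p["tpa"] == PC_IP):
        return "allow:Router: ARP Reply"
    # "PC: ARP Request" (placeholder name): us asking for the gateway
    if (p["op"] == ARP_REQUEST and p["src"] == PC_MAC and p["dst"] in (GW_MAC, BCAST)
            and p["sha"] == PC_MAC and p["spa"] == PC_IP and p["tpa"] == GW_IP):
        return "allow:PC: ARP Request"
    # "PC: ARP B-Request" (named in the thread): one rule per LAN client,
    # the client's IP being the value the thread says to change in Field-6
    if (p["op"] == ARP_REQUEST and p["src"] == PC_MAC and p["dst"] == BCAST
            and p["sha"] == PC_MAC and p["spa"] == PC_IP and p["tpa"] in client_ips):
        return "allow:PC: ARP B-Request"
    # "Router: ARP Request" (placeholder name): the gateway asking for us
    if (p["op"] == ARP_REQUEST and p["src"] == GW_MAC and p["dst"] in (PC_MAC, BCAST)
            and p["sha"] == GW_MAC and p["spa"] == GW_IP and p["tpa"] == PC_IP):
        return "allow:Router: ARP Request"
    return "block"


class ArpWatch:
    """ARPWatch-style monitor: remembers IP->MAC from the ARP sender fields and
    reports when a known IP reappears with a different MAC (a 'flip flop')."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return None
        ip, mac = p["spa"], p["sha"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"flip flop {'.'.join(map(str, ip))}: {old.hex(':')} -> {mac.hex(':')}"
        return None


# Constructed sample frames (not captured traffic)
ATTACKER_MAC = bytes.fromhex("0a0b0c0d0e0f")
GOOD_REPLY = build_arp(PC_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, PC_MAC, PC_IP)
# Header MACs look right, but the ARP body binds the gateway IP to the attacker's MAC
SPOOF_BODY = build_arp(PC_MAC, GW_MAC, ARP_REPLY, ATTACKER_MAC, GW_IP, PC_MAC, PC_IP)
# Classic gratuitous poison: attacker announces the gateway IP with its own MAC
SPOOF_GRAT = build_arp(BCAST, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GW_IP, b"\0" * 6, GW_IP)
B_REQUEST = build_arp(BCAST, PC_MAC, ARP_REQUEST, PC_MAC, PC_IP, b"\0" * 6, CLIENT_A_IP)

if __name__ == "__main__":
    for name, f in [("good reply", GOOD_REPLY), ("spoofed body", SPOOF_BODY),
                    ("gratuitous poison", SPOOF_GRAT), ("b-request", B_REQUEST)]:
        print(f"{name:18} -> {arp_rule_decision(f)}")
    watch = ArpWatch()
    for f in (GOOD_REPLY, SPOOF_GRAT):
        print("arpwatch:", watch.observe(f) or "ok")
```

The SPOOF_BODY frame is the case the first post is about: a header-only check (EtherType plus source/destination MAC) passes it, because the Ethernet header is exactly what a genuine gateway reply carries, while the ARP body maps the gateway IP to another MAC. Matching the body fields as well, as the raw rules do, drops it.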
     
  3. rerun2
    Wow, Phant0m another great job putting this all together!

    A few questions if you do not mind...

    Are the other 3 rules configured in the same manner?

    Would these rules affect file sharing in one’s LAN?

    Lastly, are these rules placed at the very top of the rule-set?

    May the karma be with you ;)
     
  4. Phant0m
    Hey rerun2

    Thanks!

    No I don’t mind one bit! To tell the truth, I’m excited you have!

    Yes they are.

    Let’s say Computer-A is configured with Look ‘n’ Stop and uses these four ARP rules. If the “PC: ARP B-Request” rule is improperly configured to not authorize ARP broadcast requests to Computer-B, Computer-A’s presence won’t be known to Computer-B, therefore its share access in “My Network Places” on Computer-B won’t exist. And if there are Computer-C and Computer-D and Computer-E and so forth, you must create additional “PC: ARP B-Request” rules authorizing ARP broadcast requests to those. Does this answer your question? See below * - *

    You can have them at the very top; I prefer to jump them to the bottom, just above the bottom rule, to keep them out of sight and to avoid jumping newly created rules down below those to a destination in the rule-set.

    * - *
    As I mentioned, the rule named “PC: ARP B-Request” contains a value in Field-6 that needs to be modified for Computer-B. If you have more than one other client computer on your network you need to export this rule per client computer, import it and make modifications to the rule name and Value2 in Field-6.

    See image attached…
     


  5. Jazzie1
    Great work Phantom, you really are a great asset to LnS and the rest of the internet community! Keep up the good work! :)

    CU
    Jazzie
     
  6. Phant0m
    Thanks Jazzie1!

    I’d like to thank you too for assisting me over MSN earlier; you found a problem where re-booting the router generated a re-connecting anomaly. That is now fixed and the importable rules file has been updated on the server.

    Thank you again for your assistance Jazzie1! :D
     
  7. no-idea4
    Phant0m, sorry if I should be able to figure this out myself, but for a stand-alone computer which of the four rules do I have to import and modify per your instructions? Do I make the exact same modifications to all rules?
    Greetings from a former Becky member,
    no-idea :)
     
  8. Phant0m
    Hey no-idea4

    For a standalone computer I don’t see these ARP rules as necessary, especially if you are on dial-up. If you have an xDSL or cable-type connection, these rules can block unnecessary ARP traffic on your ISP.

    It is always nice to see a former Becky member; don’t be a stranger here! ;)
     
  9. no-idea4
    Phant0m,
    Thanks for the quick response! I have been here all along, just had no questions or input. You got it covered :) By the way, your writing style has evolved since back then: so clear, concise, and easy to follow :) Thanks again.
     
  10. Phant0m
  11. FluxGFX
    Can I kiss you all over ?! :)
     