Introduction
Opensvp is a security tool implementing attacks to be able to test the
resistance of a firewall to protocol-level attacks. It implements
classic attacks as well as some new kinds of attacks against application
layer gateways (called helpers in the Netfilter world).
The document Secure use of iptables and connection tracking helpers describes
the protection method against this type of attack for a Netfilter firewall.
Download and more
The project is hosted on github:
Implemented attacks
Spoofing attack on helpers
Being on a network directly connected to the firewall via the eth0 interface,
the attacker can run the following command ::

    opensvp --attacker -t 192.168.2.3 --helper ftp --port 23 -v -i eth0

192.168.2.3 is the address of the FTP server and 23 is the port we want to
open on the server.
It is then possible to connect to 192.168.2.3 on port 23 after a successful
attack.
Abusive usage of helpers
It is possible for a client to send a forged command message which the firewall
interprets as a request to open a dynamic connection.
It is possible to carry out the attack with a standard server, but with a custom
server you will know the transformation made by a possible NAT gateway.
A typical session is the following. On the server which has IP address 1.2.3.4, you
can run ::

    $ opensvp --server --helper irc -v

On the client, you can then run ::

    $ opensvp --client -t 1.2.3.4 --helper irc --port 23 -v
    2.3.4.5:23 should be opened from outside

On the server, the following message is displayed ::

    You should be able to connect to 2.3.4.5:23

Here 2.3.4.5 is the public address of the client.
Protection against the attacks
See Secure use of iptables and connection tracking helpers for detailed information.
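An added example, not part of opensvp or of the referenced document: a small Python audit that flags three conditions the attacks above rely on, assuming the usual Netfilter hardening points (strict reverse-path filtering against spoofing, no automatic helper assignment, RELATED accepted only together with a helper match). The rule set and sysctl values are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of `iptables-save` output from a hypothetical firewall.
SAMPLE_RULES = """\
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.2.3/32 -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -d 192.168.2.3/32 -p tcp --dport 21 -j ACCEPT
COMMIT
"""

# Constructed sample of sysctl values read on the same hypothetical firewall.
SAMPLE_SYSCTL = {
    "net.netfilter.nf_conntrack_helper": "1",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.eth0.rp_filter": "1",
    "net.ipv4.conf.eth1.rp_filter": "0",
}

STATE_RE = re.compile(r"--(?:ctstate|state)\s+(\S+)")

def audit_rules(text):
    """Return (line number, rule) for ACCEPT rules on RELATED with no helper match."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.startswith("-A ") or "-j ACCEPT" not in line:
            continue
        match = STATE_RE.search(line)
        if match and "RELATED" in match.group(1).split(",") and "--helper" not in line:
            findings.append((number, line))
    return findings

def audit_sysctl(values):
    """Return warnings about helper auto-assignment and reverse-path filtering."""
    warnings = []
    # Sysctl exists only on kernels that still offer automatic helper assignment.
    if values.get("net.netfilter.nf_conntrack_helper") == "1":
        warnings.append("automatic helper assignment is enabled")
    all_value = int(values.get("net.ipv4.conf.all.rp_filter", "0"))
    for key in sorted(values):
        parts = key.split(".")
        if key.endswith(".rp_filter") and parts[3] not in ("all", "default"):
            # The kernel uses the larger of the "all" and per-interface values.
            if max(all_value, int(values[key])) != 1:
                warnings.append(parts[3] + ": strict reverse-path filtering is off")
    return warnings

if __name__ == "__main__":
    for number, rule in audit_rules(SAMPLE_RULES):
        print("line %d accepts RELATED without a helper match: %s" % (number, rule))
    for warning in audit_sysctl(SAMPLE_SYSCTL):
        print(warning)
```

On a real firewall the inputs would come from `iptables-save` and `sysctl -a`; a finding is a prompt to review the rule, not proof that the firewall is exposed.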
Hi,
Thanks for the tool!
Just a tiny mistake: the pointer to opensvp’s source code is wrong, it links to coccigrep’s source code.
Olivier;
Oops, fixed. Thanks Olivier!