IntroductionOpensvp is a security tool implementing attacks to be able to the resistance of firewall to protocol level attack. It implements classic attacks as well as some new kind of attacks against application layer gateway (called helper in the Netfilter world). The document Secure use of iptables and connection tracking helpers describes the protection method against this type of attack for a Netfilter firewall.
Download and more
The project is hosted on github:
Spoofing attack on helpersBeing on a network directly connected to the firewall via the eth0 interface, the attacker can run the following command ::
opensvp --attacker -t 192.168.2.3 --helper ftp --port 23 -v -i eth0192.168.2.3 is the address of the FTP server and 23 is the port we want to open on the server. It is then possible to connect to 192.168.2.3 on port 23 after a successful attack.
Abusive usage of helpersIt is possible for a client to send a forged command message which is interpreted as possible dynamic connection opening by the firewalls. It is possible to use a standard server to send the attack but with a custom server you will know the transformation made by the possible NAT gateway. A typical session is the following. On the server which has IP address 220.127.116.11, you can run ::
$ opensvp --server --helper irc -vOn the client, you can then run ::
$ opensvp --client -t 18.104.22.168 --helper irc --port 23 -v 22.214.171.124:23 should be opened from outsideOn the server, the following message is displayed ::
You should be able to connect to 126.96.36.199:23Here 188.8.131.52 is the public address of the client.