Scapy BPF filtering is not working when some exotic interface are used. This includes Virtualbox interface such as vboxnet.
For example, the following code will not work if the interface is a virtualbox interface:
build_filter = "src host %s and src port 21"
sniff(iface=iface, prn=callback, filter=build_filter)
To fix this, you can use the lfilter option. The filtering is now done inside Scapy. This is powerful but less efficient.
The code can be modified like this:
build_lfilter = lambda (r): TCP in r and r[TCP].sport == 21 and r[IP].src == ip
sniff(iface=iface, prn=callback, lfilter=build_lfilter)
Tanks a lot to Guillaume Valadon for the tips!
The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.
The required counter-measures are described in the Secure use of iptables and connection tracking helpers document
The associated video demonstrations are available:
First video demonstrates how to use forged IRC protocol command (DCC request) to be able to open connection to a NATed client from internet.
Second video demonstrates the effect of the attack on helpers on a non protected Netfilter Firewall.
Third video demonstrates the effect of the attack on helpers on a badly configured Checkpoint firewall.
More information will come in upcoming posts.