This feature can be turned off, see: http://support.microsoft.com/default.aspx?scid=kb;en-us;811832
From: "JJ Gray" <jj -at - irmplc.com> To: "PenTest" <pen-test -at- securityfocus.com> Subject: Win2K & XP IPSEC Filtering bypass Date: Wed, 19 May 2004 22:48:26 +0100 X-Mailer: Microsoft Outlook Express 6.00.2800.1409
Hi folks,
came across this little trick and thought it might be useful at some point. The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).
First off, Microsoft themselves state that IPSEC filters are not designed as a full featured host based firewall [1] and it is already known that certain types of traffic are exempt from IPSEC filters [2] and they can be summarised as:
In a Microsoft support note [2] there is the line: "The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit."
The test host here has a "block all" rule created using:
ipsecpol.exe -x -w REG -p "The Black Knight" -r "NoneShallPass" -n BLOCK -f 0=*::*
Normal Nmap scan:
172.25.0.14
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST Host 172.25.0.14 appears to be up ... good. Initiating SYN Stealth Scan against 172.25.0.14 at 18:14 The SYN Stealth Scan took 7 seconds to scan 1659 ports. Interesting ports on 172.25.0.14: (The 1658 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 88/tcp closed kerberos-sec
Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds
Port 88 closed is the hint, Nmap again using this source port:
172.25.0.14
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST Host 172.25.0.14 appears to be up ... good. Initiating SYN Stealth Scan against 172.25.0.14 at 18:14 Adding open port 445/tcp Adding open port 135/tcp Adding open port 139/tcp Adding open port 1433/tcp Adding open port 1027/tcp Adding open port 1025/tcp The SYN Stealth Scan took 0 seconds to scan 1659 ports. Interesting ports on 172.25.0.14: (The 1653 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1027/tcp open IIS 1433/tcp open ms-sql-s
Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds
As can be seen, the IPSEC filters are bypassed. Although not designed as a host based firewall, IPSEC filters are being used as such, particularly to block popular attacked ports such as NETBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.
In Windows 2003 all of these default exemptions have been removed with the exception of IKE [1] and I believe that this may be incorporated into earlier Windows versions at some point.
Cheers,
JJ
[1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207 [2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
