opensvp v0.5 - Firewall and application layer gateway testing tool.

Opensvp is a security tool that implements "attacks" so that the resistance of a firewall to protocol-level attacks can be tested. It implements classic attacks as well as some new kinds of attack against application layer gateways (called helpers in the Netfilter world).
For example, under some conditions (see the explanation below for details), opensvp is able to open a pinhole in a firewall protecting an ftp server: even if the filtering policy guarantees that only port 21 is open to the server, you can open 'any' port on the server by using opensvp.

Implemented attacks:
+ Spoofed attack on helpers
+ Abusive usage of helpers
+ TTL attack on DPI solutions


Description of the attack against helper
Principle
Some network protocols use multiple connections for the exchange between a client and a server. The best-known example is ftp, where commands go through a connection on port 21 and where data exchange is done in one of two different modes (a connection from port 20, or a dynamic connection). Some firewall implementations provide an application layer gateway (ALG) to detect these parallel connections and authorize them dynamically. Other solutions are to use an application relay (transparent proxy) or to open all possible flows (read: almost everything).

The ALG analyses the traffic, detecting and parsing the commands sent between the peers that declare the parameters of the parallel connections. Once done, it opens a temporary pinhole in the firewall to let the expected traffic through. The idea of this attack is to forge this type of message so as to open a pinhole in the firewall, but a pinhole that should not have been opened.
Conditions:
– The attacker's computer is on a network directly connected to the firewall.
– The firewall is susceptible to the attack (for example, Netfilter with rp_filter set to 0).
– The attacker is able to sniff data packets (either by pcap sniffing or by running a data connection himself).
The sequence of events is the following:
1. A sniffer on the attacker's network captures one packet from the protocol flow:
   + it reverses the Ethernet dst and src
   + it increases the id in IP and the seq for TCP
   + it sets the payload to the wanted command (with the selected port)
2. The forged packet is sent on the interface connected to the firewall.
3. The firewall transmits the packet back to the client and is now expecting a packet with characteristics based on the attacker's input.
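Since the condition above is a firewall that does not reverse-path filter (rp_filter set to 0), a defender can apply the same check offline to a capture and see which packets arrived on an interface their source address does not belong to, and which of those carry a payload the ftp helper would act on. The following is an added example, not part of opensvp; the interface-to-prefix mapping, the interface names and the sample packets are constructed for illustration.

```python
import ipaddress
import re

# Constructed topology (assumption): source prefixes legitimately seen on each firewall
# interface. RFC 5737 documentation ranges; eth1 faces the clients, eth0 the ftp server.
EXPECTED_SOURCES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth0": [ipaddress.ip_network("198.51.100.0/24")],
}

# Payloads an FTP helper acts on: the client's active-mode PORT command or the server's
# 227 passive-mode reply. Both carry the endpoint as "h1,h2,h3,h4,p1,p2".
HELPER_TRIGGER = re.compile(
    r"^(?:PORT (?P<port>(?:\d{1,3},){5}\d{1,3})|227 .*?\((?P<pasv>(?:\d{1,3},){5}\d{1,3})\))",
    re.IGNORECASE,
)

def declared_endpoint(payload):
    """Return the (ip, port) a PORT command or 227 reply asks the helper to open, else None."""
    m = HELPER_TRIGGER.match(payload)
    if not m:
        return None
    octets = [int(x) for x in (m.group("port") or m.group("pasv")).split(",")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def check_packet(iface, src_ip, payload, expected=EXPECTED_SOURCES):
    """Reverse-path check on one captured packet, as rp_filter does in-kernel.
    Returns (verdict, endpoint): 'ok' if the source belongs to the arrival interface,
    'spoofed' if not, 'spoofed-helper' if the payload would also make the ALG open a pinhole."""
    src = ipaddress.ip_address(src_ip)
    endpoint = declared_endpoint(payload)
    if any(src in net for net in expected.get(iface, [])):
        return "ok", endpoint
    return ("spoofed-helper" if endpoint else "spoofed"), endpoint

def audit(packets, expected=EXPECTED_SOURCES):
    """Apply check_packet to (iface, src_ip, payload) records and return the findings."""
    return [(iface, src_ip, *check_packet(iface, src_ip, payload, expected))
            for iface, src_ip, payload in packets]

# Constructed capture: a genuine client PORT, a genuine server 227 reply, and a
# server-addressed 227 reply arriving on the client-side interface.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "PORT 192,0,2,10,4,1\r\n"),
    ("eth0", "198.51.100.5", "227 Entering Passive Mode (198,51,100,5,195,80).\r\n"),
    ("eth1", "198.51.100.5", "227 Entering Passive Mode (198,51,100,5,0,22).\r\n"),
]
```

Running audit(SAMPLE_PACKETS) reports 'ok' for the first two records and 'spoofed-helper' for the third, which is the packet a firewall with rp_filter enabled would have dropped before the helper ever parsed it.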
Usage:

Source: https://github.com/regit