Data Driven Attacks Using HTTP Tunneling

SecurityFocus HOME Infocus: Data Driven Attacks Using HTTP Tunneling

<excerpt>
inbound:
permit tcp any host WWW port 80
permit tcp any host WWW port 443
permit tcp any host DNS/SMTP port 25
permit udp any host DNS/SMTP port 53

outbound:
permit ip any any

The firewall has the following security policy enforced:

inbound:
permit ip host DNS/SMTP host SSH eq 22
permit ip host DNS/SMTP host SSH eq 80
permit ip host DNS/SMTP host SSH eq 443

outbound:
permit ip any any

While this is extremely simplistic in its scope it is sufficient for demonstration purposes. The attacker exploits the WWW server running IIS. It doesn’t matter which particular exploit he uses; rather, that he is able to exploit the server and gain a command line access to the system. Once he has established that access he uploads a precompiled version of the HTTP tunnel server, hts. The syntax of the HTTP tunnel server is as follows:

hts.exe -F (SRC PORT) (TARGET):(DST PORT)

&ltsnip/>

</excerpt>

Here’s the gist: Compromise a server in DMZ zone and get a command line. And then, use hts for 80 port tunneling.

Similar Posts:

Post a Comment

Your email is never published nor shared.