Sunday, 17 May 2009

Host Protection: Working with Microsoft's Firewall

Both network and host protection are recommended. Each OS ships with a native host firewall:

OpenBSD: pf
FreeBSD: pfsense
Fedora Core: iptables with SELinux
Windows XP, 2003, 2008, Vista, 7: Windows Firewall (ICF)

Microsoft's native firewall on XP SP3 can be told to log all incoming and outgoing packets, up to a maximum log size of 32676 bytes (2^15). When the log fills it rolls over; on the second rollover the old log file name is reused and its contents overwritten. A full examination of the firewall's configuration is beyond the scope of this post. A regedt32 query of the StandardProfile and DomainProfile keys, across all Control Sets, for globally open ports and authorized applications is recommended, as is manual exploration of the relevant registry keys. (Netsh commands are available on every Windows version that ships the firewall; see http://support.microsoft.com/kb/947709. PowerShell can also be used to configure Microsoft's firewall.):

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

A sample partial result would be:

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
139:TCP REG_SZ 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
445:TCP REG_SZ 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
137:UDP REG_SZ 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
138:UDP REG_SZ 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
53:UDP REG_SZ 53:UDP:LocalSubNet:Enabled:DNS-UDP
53:TCP REG_SZ 53:TCP:LocalSubNet:Enabled:DNS
500:UDP REG_SZ 500:UDP:*:Enabled:@xpsp2res.dll,-22017
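To review such results without reading them line by line, here is an added Python example (not from the original post) that parses the reg query output format shown above and lists enabled exceptions whose scope is * (any remote address) rather than LocalSubNet. The sample output is constructed from the listing above; the 3389/TCP line is invented for illustration.

```python
"""Parse the GloballyOpenPorts values printed by `reg query` (added example,
not from the original post) and flag exceptions open to any remote address."""
import re
from typing import Dict, List

# Constructed sample of `reg query ... GloballyOpenPorts\List` output.
# Each value's data has the form  port:proto:scope:Enabled|Disabled:name
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\...\\GloballyOpenPorts\\List
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    445:TCP    REG_SZ    445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    53:UDP     REG_SZ    53:UDP:LocalSubNet:Enabled:DNS-UDP
    500:UDP    REG_SZ    500:UDP:*:Enabled:@xpsp2res.dll,-22017
    3389:TCP   REG_SZ    3389:TCP:*:Disabled:Remote Desktop (constructed)
"""

VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.+?)\s*$")

def parse_open_ports(reg_output: str) -> List[Dict[str, object]]:
    """One dict per REG_SZ value: port, proto, scope, enabled, name."""
    entries = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key path line or blank line
        parts = m.group(2).split(":", 4)  # the name may itself contain ':'
        if len(parts) != 5:
            continue  # not in the expected port:proto:scope:state:name form
        port, proto, scope, state, name = parts
        entries.append({"port": port, "proto": proto, "scope": scope,
                        "enabled": state == "Enabled", "name": name})
    return entries

def enabled_any_scope(reg_output: str) -> List[str]:
    """'port/proto' of enabled exceptions whose scope is '*' (any address),
    i.e. not limited to LocalSubNet."""
    return [f"{e['port']}/{e['proto']}" for e in parse_open_ports(reg_output)
            if e["enabled"] and e["scope"] == "*"]
```

Run the same function over each profile and control set listed above; an exception scoped to * deserves a second look before it is left enabled.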

The pfirewall.log gives a considerable amount of information, for example:

more pfirewall.log
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-04-23 10:24:55 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:56 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 138 138 202 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 78 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
....

Using Cygwin's bash shell and gawk, a frequency list of source and destination ports can be obtained:

cat /cygdrive/D/pfirewall.log | awk -F" " '{print $7}' | sort -nr | uniq -c | sort -nr | more
cat /cygdrive/D/pfirewall.log | awk -F" " '{print $8}' | sort -nr | uniq -c | sort -nr | more

Gawk's conditional logic, combined with a quick pcregrep filter for OPEN records (connections the host opened), prints the frequency of each destination IP and port for a specified source IP:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | sort -nr | more
16138 192.168.0.1:53
902 192.168.0.1:80
446 74.125.242.24:80
359 65.214.57.165:80
304 216.73.87.115:80
272 85.13.200.108:110
247 70.32.92.85:80
240 216.73.87.152:80
215 75.101.163.8:80
208 68.142.93.133:80
203 74.125.127.191:80
201 128.111.41.37:80
....

Now we restrict the output to one destination port (443 here) and sort the destination IPs by frequency, again for the specified (local) source IP:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':443' | sort -nr
113 74.125.53.147:443
92 74.125.53.83:443
78 208.235.248.150:443
50 208.75.76.32:443
46 74.125.127.103:443
30 74.125.53.97:443
24 74.125.127.120:443
23 65.55.157.60:443
22 96.6.248.124:443
21 74.125.53.99:443
...

For example, I was surprised to find all the foreign addresses that my local computer sent NBNS queries to:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':137' | sort -nr
42 192.168.0.4:137
39 192.168.0.6:137
36 192.168.0.2:137
16 192.168.0.9:137
15 206.51.224.187:137
14 208.117.252.85:137
14 192.168.0.1:137
13 206.72.124.93:137
11 74.125.103.33:137
10 64.94.107.20:137
10 64.236.79.54:137
10 206.191.161.8:137
...

The dates (and protocol) of those queries can be listed with:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $1 ":" $4 ":" $6 ":" $8}' | pcregrep ':137' | sort -nr | more
2009-05-14:UDP:192.168.0.4:137
2009-05-14:UDP:192.168.0.4:137
2009-05-06:UDP:75.52.124.131:137
2009-05-06:UDP:74.125.103.28:137
2009-05-06:UDP:69.64.6.21:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:65.55.52.84:137
2009-05-06:UDP:65.55.52.148:137
2009-05-06:UDP:65.55.185.61:137
2009-05-06:UDP:65.55.185.29:137
2009-05-06:UDP:65.55.184.189:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:64.94.107.16:137
2009-05-06:UDP:64.236.115.52:137
2009-05-06:UDP:4.71.104.187:137
....
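The awk pipelines above hard-code column positions; the added Python example below (not from the original post) does the same aggregation but takes its column names from the log's own #Fields header, and then isolates the finding that prompted the NBNS check: 137/UDP destinations outside RFC 1918 private space. The log lines are constructed in the format shown earlier.

```python
"""Summarise pfirewall.log like the awk pipelines above (added example, not
from the original post): column names come from the #Fields header."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the log's own format: header plus a few records.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-05-06 09:12:01 OPEN UDP 192.168.0.8 192.168.0.1 1025 53 - - - - - - - - -
2009-05-06 09:12:02 OPEN TCP 192.168.0.8 74.125.53.147 1026 443 - - - - - - - - -
2009-05-06 09:12:03 OPEN UDP 192.168.0.8 192.168.0.4 137 137 - - - - - - - - -
2009-05-06 09:12:04 OPEN UDP 192.168.0.8 66.35.45.202 137 137 - - - - - - - - -
2009-05-06 09:12:05 OPEN UDP 192.168.0.8 66.35.45.202 137 137 - - - - - - - - -
2009-05-06 09:12:06 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per record, keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def open_dst_counts(text: str, src_ip: str, dst_port: str) -> List[Tuple[str, int]]:
    """(dst-ip, count) for OPEN records from src_ip to dst_port, most frequent
    first: the awk | sort | uniq -c | pcregrep ':port' pipeline above."""
    c = Counter(r["dst-ip"] for r in parse_log(text)
                if r["action"] == "OPEN" and r["src-ip"] == src_ip
                and r["dst-port"] == dst_port)
    return c.most_common()

def external_nbns_targets(text: str, src_ip: str) -> List[str]:
    """NBNS (137/UDP) destinations outside RFC 1918 private space: the
    'foreign addresses' worth investigating (NetBIOS names leaking off-LAN)."""
    return sorted({r["dst-ip"] for r in parse_log(text)
                   if r["action"] == "OPEN" and r["src-ip"] == src_ip
                   and r["protocol"] == "UDP" and r["dst-port"] == "137"
                   and not ipaddress.ip_address(r["dst-ip"]).is_private})
```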

These two commands, which show the Server and Workstation service settings, are also recommended:

C:\WINDOWS\system32\drivers\etc>net config server
C:\WINDOWS\system32\drivers\etc>net config workstation
