
Module 07: Network Penetration Testing Methodology-Perimeter Devices 2

Written By AKADEMY on Wednesday, July 3, 2019 | 11:22 AM

Exercise 2: HTTP Tunneling to Bypass Firewalls Using HTTPort

Scenario

Attackers constantly search for vulnerable clients so that they can penetrate the network through IP spoofing and damage or steal data. By spoofing an IP address, an attacker can get packets through a firewall. If attackers are able to capture network traffic, as explained in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can be disastrous for an organization’s network.
Therefore, as a network administrator, you should be able to identify attacks by extracting information from captured traffic, such as source and destination IP addresses, protocol type, header length, and source and destination ports, and comparing these details with modeled attack signatures to determine whether an attack has occurred.
Familiarity with the HTTP tunneling technique is also important: it helps identify additional security risks that simple network and vulnerability scanning may not detect, and it helps determine to what extent a network IDS can identify malicious traffic within a communication channel.
Lab Duration: 30 Minutes
  1. Click Advertisement Dept. Subnet D.
    Click Admin account to log in.
    In the logon box password field click Pa$$w0rd
    After logging in to the machine, User Account Control pop-up for Java Auto Updater may appear any time. Click No.
    You can use the Type Password option from the Commands menu to enter the password.
  2. The Server Manager window appears; click the Close button.
  3. Click Start and navigate to Administrative Tools --> Services.
  4. The Services window appears. Scroll down, right-click World Wide Web Publishing Service, and click Stop.
  5. In the same way, right-click IIS Admin Service and click Stop.
  6. The ECSA-Tools folder is located on the Windows Server 2012 (Internal Network) machine. To access the folder, type \\192.168.168.8 in the address bar of the Computer window and press Enter. The ECSA-Tools shared folder will appear. Double-click the shared folder to view the list of tools for each module.
    If Windows Security pop-up appears to access \\192.168.168.8, provide Windows Server 2012 (Internal Network) credentials i.e.,
    Username: Administrator
    Password: Pa$$w0rd
    and click OK.
  7. The ECSA-Tools shared drive window appears.
  8. Navigate to \\192.168.168.8\ECSA-Tools\ECSAv10 Module 07 Network Penetration Testing Methodology-Perimeter Devices\HTTHost and double-click htthost.exe.
  9. The Open File – Security Warning pop-up appears on the screen, click Run.
  10. The HTTHost 1.8.5 window appears.
  11. Select Options tab.
    In the Options tab, set all its settings to default except Personal Password field, which should be filled in with any password. In this lab, the personal password is set to magic.
    Check the Revalidate DNS names and Log Connections options, and click Apply.
  12. Check if the last line is Listener: listening at 0.0.0.0:80 in Application Log, which ensures that HTTHost is running properly and has started listening to port 80.
  13. Close the Services console.
    Leave HTTHost running, and do not turn off the Advertisement Dept. Subnet D machine.
  14. Click Windows Server 2012 (Internal Network), then click Ctrl+Alt+Delete.
  15. In the log on box click Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  16. Right-click the Windows icon and click Control Panel.
  17. The Control Panel window appears and displays all control panel items. Select Windows Firewall.
  18. The Windows Firewall control panel appears; click Turn Windows Firewall on or off link in the left pane.
  19. The Customize settings window appears.
    Select the Turn on Windows Firewall (under Private network settings and Public network settings).
    Click OK.
  20. Firewall is successfully turned on. Now, click Advanced settings in the left pane.
  21. The Windows Firewall with Advanced Security window appears.
    Select Outbound Rules in the left pane.
    A list of outbound rules is displayed. Click New Rule… in the right pane (under Outbound Rules).
  22. In the New Outbound Rule Wizard, select Port as the Rule Type, and click Next.
  23. Select All remote ports, under Protocol and Ports, and click Next.
  24. Under Action, Block the connection is selected by default. Click Next.
  25. In the Profile section, ensure that all the options (Domain, Private and Public) are checked, and click Next.
  26. Under Name, type Port 21 Blocked in the Name field, and click Finish.
  27. The new rule Port 21 Blocked is created, right-click the newly created rule (Port 21 Blocked), and click Properties.
  28. The Properties window for Port 21 Blocked rule appears.
    Select the Protocols and Ports tab. In the Remote Port field, select Specific Ports option from the drop-down list and enter 21 as Port Number.
    Leave the other default settings, click Apply, and click OK.
  29. Disable the rule, and check if you are able to connect to the FTP site.
    Right-click the newly added rule, and click Disable Rule.
  30. Launch the command prompt, and issue ftp 172.20.20.11. You will be asked to enter the username.
    This means you are able to establish an FTP connection.
  31. Now, enable the rule, and check whether you can establish a connection.
    Right-click the newly added rule, and click Enable Rule.
  32. Launch the Command Prompt and check whether you are able to connect to the FTP site by issuing the command ftp 172.20.20.11. The added outbound rule should block the connection.
    If you are not asked to enter credentials, it means that the connection is blocked.
  33. Close all the windows.
    Now, perform tunneling using HTTPort to establish a connection with the FTP site located on Sales Department Subnet D.
  34. Navigate to E:\ECSAv10 Module 07 Network Penetration Testing Methodology-Perimeter Devices\HTTPort and double-click httport3snfm.exe.
    Follow the wizard-driven installation steps to install HTTPort.
    If an Open File Security - Warning pop-up appears, click Run.
  35. Click on Start and type HTTPort 3.SNFM. You will get the tool as a search result. Click on the first option.
  36. An Introduction wizard appears, click Next (5 times) till the end of the wizard and then click Close.
  37. The HTTPort main window (HTTPort 3.SNFM) appears.
  38. Select the Proxy tab and enter the IP address of the Advertisement Dept. Subnet D machine, i.e., 172.20.20.9 (since HTTHost is running on that machine), and enter 80 as the Port number.
    In the Misc. options section, under the Bypass mode: field, select the Remote host option from the drop-down list.
    In the Use personal remote host at (blank = use public) section, re-enter the IP address of Advertisement Dept. Subnet D, i.e., 172.20.20.9, and 80 as the port number.
    Enter magic in the Password: field.
  39. Select the Port mapping tab and click Add to create New Mapping.
  40. Right-click New Mapping node, and click Edit.
  41. Rename this to ftp old home (you can enter a name of your choice). Right-click the node below Local port, then click Edit and enter 21 as the port value.
    Right-click the node below Remote host, click Edit and rename it as 172.20.20.11.
    Right-click the node below Remote port, then click Edit and enter 21 as the port value.
    172.20.20.11, specified in the Remote host node, is the IP address of the FTP site hosted on Sales Department Subnet D.
  42. Switch back to Proxy tab and click Start to begin the HTTP tunneling.
  43. HTTPort intercepts the FTP request to localhost and tunnels through it. HTTHost installed on the remote machine connects you to 172.20.20.11.
    This means you may not access the FTP site directly by issuing ftp 172.20.20.11 in the command prompt, but you will be able to access it through the local host by issuing the command ftp 127.0.0.1.
  44. Launch Command Prompt and type ftp 172.20.20.11, and press Enter. The ftp connection will be blocked by the outbound firewall rule.
  45. Now launch a new Command Prompt, type ftp 127.0.0.1 and Press Enter. You should be able to connect to the site.
  46. Enter the credentials of any user account of Sales Department Subnet D. In this lab, we are using the credentials of the Admin account. Type the username (Admin) and password (test@123), and press Enter.
    The password you enter won't be visible.
  47. You have successfully logged in even after adding the outbound firewall rule, which shows that HTTPort and HTTHost have established a tunnel that bypasses the firewall.
    Now you have access to add files in the ftp directory located on the Sales Department Subnet D machine.
    Type mkdir Test and press Enter.
  48. Click Advertisement Dept. Subnet D. Login to the machine with Username Admin and password as test@123.
  49. Navigate to C:\inetpub\ftproot. A directory named Test will be created in the ftproot folder.
  50. Thus, you have successfully bypassed Windows Firewall using HTTP tunneling.
    On completion of the exercise, delete the created outbound rule, stop HTTHost and HTTPort, and disable the firewall (which was enabled at the beginning of the lab) on the host machine, i.e., Windows Server 2012 (Internal Network). Also, start the World Wide Web Publishing Service on the Advertisement Dept. Subnet D machine.
    Close all the applications, files, and folders that were opened while performing this exercise.
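
Seen from the defender's side, the tunnel built in steps 38 to 45 leaves a recognizable trace on the machine running HTTPort: one process listens on the port the outbound rule blocks (21) and also holds an outbound session to the HTTHost machine (172.20.20.9:80). The following is an added example, not part of the original lab, that parses `netstat -ano`-style output and flags that pairing; the netstat rows, the PIDs and the address 172.20.20.50 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -ano` layout; PIDs and 172.20.20.50 are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:21           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:21           127.0.0.1:49740        ESTABLISHED     4312
  TCP    127.0.0.1:49740        127.0.0.1:21           ESTABLISHED     5120
  TCP    192.168.168.8:49731    172.20.20.9:80         ESTABLISHED     4312
  TCP    192.168.168.8:49802    172.20.20.50:80        ESTABLISHED     2764
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def parse_netstat(text):
    """Return one dict per TCP row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append({"laddr": la, "lport": int(lp), "raddr": ra,
                         "rport": int(rp), "state": state, "pid": int(pid)})
    return rows

def find_tunnel_candidates(rows, blocked_ports, carrier_ports=(80,)):
    """Flag PIDs that listen on an egress-blocked port and also hold an
    outbound session to a non-loopback host on an allowed carrier port."""
    listens, carriers = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] in blocked_ports:
            listens[r["pid"]].add(r["lport"])
        elif (r["state"] == "ESTABLISHED" and r["rport"] in carrier_ports
              and not is_loopback(r["raddr"])):
            carriers[r["pid"]].add((r["raddr"], r["rport"]))
    return [{"pid": pid, "local_listeners": sorted(listens[pid]),
             "carrier_peers": sorted(carriers[pid])}
            for pid in sorted(listens) if pid in carriers]

if __name__ == "__main__":
    for hit in find_tunnel_candidates(parse_netstat(SAMPLE_NETSTAT), {21}):
        print(hit)
```

A browser (PID 2764 in the sample) talking to port 80 is not flagged, because it has no listener on a blocked port; a hit is a lead for triage, to be confirmed by checking which executable owns the PID.
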
In this lab you have learned how to analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.