Sunday, May 17, 2009

Host Protection: Working with Microsoft's Firewall

Both network and host protection are recommended. Each OS has a native host firewall:

OpenBSD: pf
FreeBSD: pf, ipfw or ipfilter (pfSense is a FreeBSD-based firewall distribution, not FreeBSD's own firewall)
Fedora Core: iptables (with SELinux on top for mandatory access control)
Windows XP, 2003, 2008, Vista, 7: Windows Firewall (named Internet Connection Firewall, ICF, before XP SP2; Windows Firewall with Advanced Security from Vista and 2008 on)

Microsoft's native firewall on XP SP3 can be told to log dropped packets and successful connections (two separate options; it does not log every packet) to %windir%\pfirewall.log, with a size limit set in KB up to a maximum of 32,767 KB. When the limit is reached the file is renamed pfirewall.log.old, replacing any earlier .old file, and a fresh log is started, so at most the current file and one predecessor survive. Note that on XP the firewall filters inbound traffic only: outbound connections are logged as OPEN but never blocked (outbound filtering arrived with Vista and Server 2008). A full examination of the Firewall's configuration is beyond the scope of this post. A reg query of the StandardProfile and DomainProfile keys for globally open ports and authorized applications is recommended, as is a manual exploration of the same keys in regedt32. CurrentControlSet is a link to whichever numbered ControlSet00N is named in HKLM\SYSTEM\Select\Current, so that pair returns identical data; the other numbered control set (LastKnownGood) is worth querying separately because it can differ. (netsh can configure every Windows Firewall release: the netsh firewall context on XP and 2003, the netsh advfirewall context on Vista, 2008 and 7. Please see http://support.microsoft.com/kb/947709 . PowerShell can also configure Microsoft's Firewall, through the HNetCfg.FwMgr COM object on XP and the HNetCfg.FwPolicy2 object on Vista and later.):

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | findstr Enabled
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List | findstr Enabled

A sample partial result would be: 

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | findstr Enabled
    139:TCP     REG_SZ  139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    445:TCP     REG_SZ  445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    137:UDP     REG_SZ  137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    138:UDP     REG_SZ  138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    53:UDP      REG_SZ  53:UDP:LocalSubNet:Enabled:DNS-UDP
    53:TCP      REG_SZ  53:TCP:LocalSubNet:Enabled:DNS
    500:UDP     REG_SZ  500:UDP:*:Enabled:@xpsp2res.dll,-22017
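Each REG_SZ value in that listing has the form port:proto:scope:state:name, where the scope is LocalSubNet (local subnet only) or * (any source address); the post's own 500:UDP (IKE) entry is open to any address. As an added example that is not from the original post, here is a Cygwin shell function that parses a reg query listing into its fields and flags every enabled exception whose scope is *. The input is a constructed sample in the same format; the 3389/TCP and 8080/TCP lines are invented for illustration, the rest match the listing above.

```shell
#!/bin/sh
# Added example, not from the original post: parse the GloballyOpenPorts
# values shown by "reg query ... | findstr Enabled". Each REG_SZ data field
# has the form  port:proto:scope:state:name  where scope is LocalSubNet
# (local subnet only) or * (any source address).

# Constructed sample of reg query output; the 3389 and 8080 entries are
# invented for illustration, the others match the post's listing.
SAMPLE_REG='    139:TCP     REG_SZ  139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    445:TCP     REG_SZ  445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    53:UDP      REG_SZ  53:UDP:LocalSubNet:Enabled:DNS-UDP
    500:UDP     REG_SZ  500:UDP:*:Enabled:@xpsp2res.dll,-22017
    3389:TCP    REG_SZ  3389:TCP:*:Enabled:Remote Desktop
    8080:TCP    REG_SZ  8080:TCP:*:Disabled:My proxy'

# Normalise each value to "port proto scope state name" (one per line).
# reg query output piped into Cygwin still carries CR line endings, so strip them.
parse_open_ports() {
    awk '
        /REG_SZ/ {
            line = $0
            sub(/\r$/, "", line)
            sub(/^[ \t]*[^ \t]+[ \t]+REG_SZ[ \t]+/, "", line)  # drop value name and type
            n = split(line, f, ":")
            if (n < 5) next
            name = f[5]
            for (i = 6; i <= n; i++) name = name ":" f[i]    # names may themselves contain ":"
            print f[1], f[2], f[3], f[4], name
        }'
}

# Enabled exceptions reachable from any source address, printed as port/proto.
flag_world_open() {
    parse_open_ports | awk '$3 == "*" && $4 == "Enabled" { print $1 "/" $2 }'
}

# Stand-alone run over the sample:
printf '%s\n' "$SAMPLE_REG" | flag_world_open
```

On a real machine replace the sample with the output of the reg query commands above (for example `reg query ... | flag_world_open`); anything it prints is an exception that is not limited to the local subnet and should be justified or tightened to LocalSubNet.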

The log (by default %windir%\pfirewall.log) gives a considerable amount of information. The #Fields header names the columns; the records below it are inbound NetBIOS name-service and datagram broadcasts from 192.168.0.4 to the subnet broadcast address, dropped on RECEIVE:

more pfirewall.log
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-04-23 10:24:55 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:56 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 138 138 202 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 78 - - - - - - - RECEIVE
2009-04-23 10:24:57 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
....

Using Cygwin's bash and gawk, a frequency list of source ports (field 7) and destination ports (field 8) can be obtained. The header lines beginning with # are skipped so that their column names do not show up as bogus entries:

awk '!/^#/ {print $7}' /cygdrive/D/pfirewall.log | sort -n | uniq -c | sort -nr | more
awk '!/^#/ {print $8}' /cygdrive/D/pfirewall.log | sort -n | uniq -c | sort -nr | more

Filtering to OPEN records with pcregrep (successful connections, which only appear if "Log successful connections" is enabled), gawk's conditional then prints the destination IP and port of every connection from a chosen source IP, sorted by frequency:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | sort -nr | more
  16138 192.168.0.1:53
    902 192.168.0.1:80
    446 74.125.242.24:80
    359 65.214.57.165:80
    304 216.73.87.115:80
    272 85.13.200.108:110
    247 70.32.92.85:80
    240 216.73.87.152:80
    215 75.101.163.8:80
    208 68.142.93.133:80
    203 74.125.127.191:80
    201 128.111.41.37:80
....

Restricting the same pipeline to a single destination port (443 here) gives the per-destination frequency for that port from the specified (local) source IP:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':443' | sort -nr
    113 74.125.53.147:443
     92 74.125.53.83:443
     78 208.235.248.150:443
     50 208.75.76.32:443
     46 74.125.127.103:443
     30 74.125.53.97:443
     24 74.125.127.120:443
     23 65.55.157.60:443
     22 96.6.248.124:443
     21 74.125.53.99:443
...

For example, I was surprised to find all the foreign addresses to which my local computer sent NBNS queries:

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $6 ":" $8}' | sort -nr | uniq -c | pcregrep ':137' | sort -nr
  42 192.168.0.4:137
  39 192.168.0.6:137
  36 192.168.0.2:137
  16 192.168.0.9:137
  15 206.51.224.187:137
  14 208.117.252.85:137
  14 192.168.0.1:137
  13 206.72.124.93:137
  11 74.125.103.33:137
  10 64.94.107.20:137
  10 64.236.79.54:137
  10 206.191.161.8:137
...

The date and protocol of each of those queries can be listed with the following (add $2 to the print list to include the time):

cat /cygdrive/D/pfirewall.log | pcregrep OPEN | awk -F" " '{if ($5=="192.168.0.8") print $1 ":" $4 ":" $6 ":" $8}' | pcregrep ':137' | sort -nr | more
2009-05-14:UDP:192.168.0.4:137
2009-05-14:UDP:192.168.0.4:137
2009-05-06:UDP:75.52.124.131:137
2009-05-06:UDP:74.125.103.28:137
2009-05-06:UDP:69.64.6.21:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.202:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:66.35.45.201:137
2009-05-06:UDP:65.55.52.84:137
2009-05-06:UDP:65.55.52.148:137
2009-05-06:UDP:65.55.185.61:137
2009-05-06:UDP:65.55.185.29:137
2009-05-06:UDP:65.55.184.189:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:65.173.218.69:137
2009-05-06:UDP:64.94.107.16:137
2009-05-06:UDP:64.236.115.52:137
2009-05-06:UDP:4.71.104.187:137
....
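Putting the pipelines above together, as an added example that is not from the original post: a Cygwin shell script that does what the awk one-liners do but skips the # header lines, keeps only outbound OPEN records (OPEN-INBOUND records carry the remote peer as src-ip), and generalises the NBNS finding by flagging every successful connection from the local host to ports 137, 138, 139 or 445 whose destination lies outside the private (RFC 1918), loopback and link-local ranges. The log lines are constructed in the pfirewall.log field layout; the timestamps and most addresses are not the post's data.

```shell
#!/bin/sh
# Added example, not from the original post: analyse pfirewall.log with awk.
# Field layout (from the #Fields header): $1 date $2 time $3 action $4 protocol
# $5 src-ip $6 dst-ip $7 src-port $8 dst-port ... $17 path.

# Constructed sample log in the XP SP3 layout; not the post's data.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-05-06 09:10:01 OPEN UDP 192.168.0.8 192.168.0.1 1034 53 - - - - - - - - -
2009-05-06 09:10:02 OPEN TCP 192.168.0.8 74.125.53.147 1035 443 - - - - - - - - -
2009-05-06 09:10:03 OPEN UDP 192.168.0.8 192.168.0.4 137 137 - - - - - - - - -
2009-05-06 09:10:04 OPEN UDP 192.168.0.8 66.35.45.202 137 137 - - - - - - - - -
2009-05-06 09:10:05 DROP UDP 192.168.0.4 192.168.0.255 137 137 96 - - - - - - - RECEIVE
2009-05-06 09:10:06 OPEN TCP 192.168.0.8 74.125.53.147 1036 443 - - - - - - - - -
2009-05-06 09:10:07 OPEN UDP 192.168.0.8 192.168.0.1 1037 53 - - - - - - - - -
2009-05-06 09:10:08 OPEN-INBOUND TCP 192.168.0.4 192.168.0.8 2345 445 - - - - - - - - -
2009-05-06 09:10:09 OPEN TCP 192.168.0.8 10.1.2.3 1038 139 - - - - - - - - -
EOF

# Most frequent dst-ip:dst-port pairs opened outbound from SRC, optionally only
# to DST-PORT. Header and short lines are skipped; OPEN-INBOUND records are
# excluded because their src-ip is the remote peer, not the local host.
fw_top_dst() {   # usage: fw_top_dst LOGFILE SRC-IP [DST-PORT]
    awk -v src="$2" -v port="${3:-}" '
        /^#/ || NF < 8 { next }
        $3 == "OPEN" && $5 == src && (port == "" || $8 == port) { c[$6 ":" $8]++ }
        END { for (k in c) print c[k], k }' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Outbound NetBIOS/SMB connections (137, 138, 139, 445) from SRC whose
# destination is not private (RFC 1918), loopback or link-local.
fw_external_netbios() {   # usage: fw_external_netbios LOGFILE SRC-IP
    awk -v src="$2" '
        function is_local(ip,   o) {
            split(ip, o, ".")
            if (o[1] == 10 || o[1] == 127) return 1
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
            if (o[1] == 192 && o[2] == 168) return 1
            if (o[1] == 169 && o[2] == 254) return 1
            return 0
        }
        /^#/ || NF < 8 { next }
        $3 == "OPEN" && $5 == src && !is_local($6) &&
            ($8 == 137 || $8 == 138 || $8 == 139 || $8 == 445) {
            print $1, $2, $4, $6 ":" $8
        }' "$1"
}

# Stand-alone run over the sample:
fw_top_dst "$LOG" 192.168.0.8
fw_top_dst "$LOG" 192.168.0.8 443
fw_external_netbios "$LOG" 192.168.0.8
```

Point both functions at /cygdrive/D/pfirewall.log instead of the sample to reproduce the listings above; because XP never blocks outbound traffic, every line fw_external_netbios prints is a NetBIOS or SMB session the host actually initiated to an address on the Internet.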

These two commands are also recommended: net config server shows the Server service settings (server name, whether it is hidden from the browse list, session and open-file limits) and net config workstation shows the Workstation service's computer name, the NetBT transports it is bound to and the logon domain:

C:\WINDOWS\system32\drivers\etc>net config server
C:\WINDOWS\system32\drivers\etc>net config workstation
