Forum Thread: Iptables - a Question About Security

I have been studying Iptables for the best part of the day and have a question on the table 'security'.

'man iptables' reads:

This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets, methods implemented by SELinux and other security modules.

This table (or to-be rule) will take effect after the personal firewall filters have completed.

This is probably a long shot but, scenario:

The government heard that the Hacking Team may or may not have been selling their products to people they shouldn't, and employed us to investigate.

After tracking one of their safe houses down, we managed to compromise one of their systems and have successfully elevated our privileges to root (insert preferred methods). Now, this machine happens to be regulating traffic for the business by implementing Iptables rules, and they have SELinux or other security modules installed, allowing the security table to be used in our attack. We also know they're connected by eth0.

sudo iptables -t security -I INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -t security -I INPUT -i eth0 -p udp --dport 80 -j ACCEPT

-t security = selecting the security table. Could be nat, mangle, raw, etc.

-I = add this rule to the start of the current filters

-INPUT = Alter packets coming into the box itself

-i = Interface

-p = protocol

--dport = Destination port 80 (Clear text protocol)

-j = Action

Chances are this will bottleneck the server if left running, which is where we could implement something like

-m time --timestart 23:00 --timestop 04:00

-m = module
--timestart = time the rule will start
--timestop = time the rule will stop

This would be beneficial because, after performing reconnaissance, we know most have left the building by 10 and the only people on the network that late are the ones we are performing the attack against.

--

If I have it right, would this mean that even for a second ALL tcp and udp traffic will be passed through in clear text every night between those hours, meaning we could have Wireshark filter for that IP, grab any credentials (SSH, HTTPS), and get the evidence we needed to prove the innocence/guilt of the individual?

Any intrusion detection system they have implemented shouldn't suspect any information being transmitted on port 80.

sudo iptables -t security -D INPUT 1
sudo iptables -t security -D INPUT 2

to delete the firewall rule we set up earlier. All that is left is to clear our tracks and hand over the evidence.

---

Am I sort of along the right lines, or will the suite encrypt the traffic before it reaches this server? I'm not really understanding the concept or purpose of the security table, but here's one possible attack vector(?). From a sysadmin side, could we disable this table in configuration or fully prevent new rules being added until a certain event has happened?

A Perl iptables monitor I came across today. I have pseudo-coded most of it, but one line

$output{$type} =~ s/ pkts^\n}\n(\n|Zeroing)/$1/gs;

is bothering me, anyone mind helping me out?
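A defender's answer to the question above is to audit the security table explicitly: plain `iptables -L` lists only the filter table, so a rule in a table nobody on the team uses goes unseen unless something looks for it. Added example, not code from the thread: it parses iptables-save(8) text (on a real host, the output of `iptables-save -t security`) against an approved baseline; the function names and the sample dump are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the iptables "security" table
# against an approved baseline. Input is iptables-save(8) text, so on a real
# host you would feed it `iptables-save -t security`; here a constructed dump
# stands in. The function names and sample rules are this example's own.

# Print only the "-A" rule lines that belong to the *security section.
security_rules() {
    awk '/^\*/ { in_sec = ($0 == "*security") }
         in_sec && /^-A / { print }' "$1"
}

# Print security-table rules that are absent from the baseline file (one rule
# per line, exact iptables-save syntax). Returns 1 when any such rule exists.
audit_security_table() {
    unexpected=$(security_rules "$1" | grep -vxF -f "$2")
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Rules that only match inside a clock window deserve a look of their own.
time_scoped_rules() {
    security_rules "$1" | grep -F -- '-m time'
}

# Constructed sample: the dump a host would produce after the two rules from
# the thread were inserted, next to one legitimate SECMARK labelling rule.
dump=$(mktemp); baseline=$(mktemp)
cat >"$dump" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*security
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -m time --timestart 23:00:00 --timestop 04:00:00 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0
COMMIT
EOF
# Approved baseline: only the SECMARK rule is expected in this table.
grep -F SECMARK "$dump" >"$baseline"

audit_security_table "$dump" "$baseline" || echo "unexpected security-table rules listed above"
time_scoped_rules "$dump"
```

Run from cron against a fresh `iptables-save -t security` and a checked-in baseline, a non-zero exit is the alert; the two inserted ACCEPT rules are printed, and the time-scoped one is listed a second time.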

3 Responses

I'm not familiar with the security table in iptables, but some other things to consider:

  • If someone happens to be awake troubleshooting a network issue and issues an 'iptables -L -n', they could see your rule in there.
  • You could create an iptables wrapper that calls, say, /sbin/iptables.real (the real executable) and pipes the output to grep out your rule.
  • You could assume a professional hacking team probably has an IDS running that could see any or all of your login attempts, successful login, iptables modification, iptables executable modification, or have an arpwatch alert if you put a new device with a MAC address on the LAN between their edge device and their provider (bridge) assuming you were trying to MITM.

What bothers you about the $output regex?

Firstly let me say thank you for your introductory post, I now have a good 8 pages on LDAP.

See, that's it. I've looked around and it seems next to no one uses this table, and I am unsure why. I realise it could be displayed in that way, but it would be a lot easier to delete as it would more than likely be the only rule in the table (as no one appears to use it).

Would you be able to provide an example of your second point, where and when that would be useful? Could that not also be done with iptables --log-level to pipe packets to /var/log/messages?

The scenario was just an example; with the recent news it seemed fitting, but think of a low-level organisation, when the sysadmins are not about. I was sort of assuming the stars have aligned and we have unrestricted, unobserved access, to figure out the need for the table 'security'.

I'm not experienced with Perl at all; I can't figure out where 'pkts' and 'Zeroing' are coming from, or what they are doing for that matter.

Your best bet is to look on Craigslist and get a couple of old computers. You really don't need anything beefy. Set up a lab at home with a Netgear router and start playing. See if you can get the desired result from playing with the "security" table. Someone may have played with it before and can post their results, but why not do it yourself and YOU post the results :)

So... what I'm talking about is a wrapper. A wrapper is a program that executes another program and changes something about how it executes. In this case, you move the '/usr/bin/w' program (shows what users are logged in) to something like /usr/lib/libgcrypt.so.35, a file and folder that someone would never delete or move, and then you write a script that basically does this:

w | grep -v fontserver

and then move it to /usr/bin/w.

fontserver being my username that I have superuser privs on.

Try it yourself.

  • login with two different users
  • type 'w' <enter>
  • see your users logged in
  • type 'w | grep -v <username>'
  • see only one user logged in

It's one way to hide that you're logged in. Then you could write the same for netstat and filter out your IP. And so on.

The problem with this, nowadays, is that pretty much every IDS known to man will find you, so it's not going to work against someone that knows basic system security. But, it's fun to play with and you can definitely still do it in the wild.
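The reply above says an IDS will catch the wrapper; this added example (not code from the thread) shows one concrete check that does, covering both the iptables wrapper suggested in the first reply and the /usr/bin/w one described here. Native commands in a system bin directory are ELF files, so a script sitting there that pipes another program through `grep -v` is the thing to look for; function names and the constructed sample directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: triage check for the wrapper trick
# described in the replies (a script dropped over a command such as /usr/bin/w
# that filters the real program's output through `grep -v`). Function names
# and the constructed sample directory are this example's own.

# Returns 0 when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Returns 1 (and prints why) for a non-ELF command that filters another
# program's output with grep -v. Plain scripts pass but are reported, since
# legitimate ones do live in bin directories; confirm them with the package
# database (rpm -V or dpkg --verify) on a real host.
check_wrapped_binary() {
    f=$1
    is_elf "$f" && return 0
    if grep -q -- 'grep -v' "$f"; then
        echo "$f: script that filters output with 'grep -v' (possible wrapper)"
        return 1
    fi
    echo "$f: script, not ELF; verify against the package database"
    return 0
}

# Check every executable in a directory; returns 1 if any is flagged.
scan_bindir() {
    status=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        check_wrapped_binary "$f" || status=1
    done
    return $status
}

# Constructed sample directory standing in for /usr/bin.
bindir=$(mktemp -d)
printf '\177ELF\002\001\001' >"$bindir/ls"                        # fake ELF header only
printf '#!/bin/sh\nexec /usr/bin/fmt "$@"\n' >"$bindir/fmtwrap"   # harmless script
cat >"$bindir/w" <<'EOF'
#!/bin/sh
/usr/lib/libgcrypt.so.35 "$@" | grep -v fontserver
EOF
chmod +x "$bindir"/*

scan_bindir "$bindir" || echo "flagged entries in $bindir"
```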
