
Breaking Through Firewalls with Shell-gei

greymd
December 21, 2024


Presented at the International Conference on Shell-gei 2024 (ICSG 2024)—a fictional event—this talk commemorates the 10th anniversary of "Dangerous Shell-gei" by examining its unique applications in network security and scripting ingenuity. The session highlights advanced techniques for interacting with stateful firewalls through ICMP protocols, demonstrating both the technical challenges and creative possibilities. Through practical demonstrations, theoretical insights, and an exploration of real-world scenarios, this presentation underscores the critical importance of understanding TCP/IP behavior and its implications for modern cloud environments. Ideal for professionals and researchers in networking, cybersecurity, and system engineering.


Transcript

  1. Breaking Through Firewalls with Shell-gei
     International Conference on Shell-gei 2024 (ICSG 2024)†
     North Korea, Pyongyang, 21st December 2024
     Gre-san
     Copyright (c) https://gr3.ie - ICSG 2024
     † A fictional event
  2. I'm so happy, as one of its creators!
     Fig: An example of the eccentric behavior often seen among shell enthusiasts during the freewheeling days of Twitter
     Reference: https://togetter.com/li/709172
  3. Today's Talk
     Celebrating 10 years
     A glimpse into Dangerous Shell-gei (and its unsettling aspects)
  4. TL;DR
     $ target=***.***.***.***   # Target IP address
     $ own_ip=***.***.***.***   # Your own IP address
     $ yes UNKO | head -n 1024 > payload.txt   # Prepare the data to send
     $ sudo hping3 -c 1 -C 3 -K 0 --icmp-ipproto 6 \
         --icmp-ipsrc $target --icmp-ipdst $own_ip \
         --icmp-srcport "$(ss -tuna | grep -m 1 $target | awk -F: '{print $NF}')" \
         --icmp-dstport 80 \
         -E ./payload.txt -d "$(wc -c payload.txt | awk '{print $1}')" \
         $target
  5. What Can It Do?
     Send arbitrary byte sequences, through unauthorized protocols, to the OS of a target behind a stateful firewall†1†2.
     †1 Only applies to stateful firewalls
     †2 There are certain prerequisites (to be discussed)
  6. Packets from unauthorized protocols penetrated the firewall
     Packet capture revealed a flood of "UNKO"
     The OS clearly received the data
     How outrageous!
  7. It's Actually Normal Behavior
     Virtual firewalls provided by various cloud providers
     Stateless systems aren't affected, e.g., packet filters like Sakura Cloud's
  8. Q: Why does this happen?
     A: It's recommended behavior for the Internet.
     Q: Is it necessary?
     A: Yes.
  9. Learning About ICMP (1)
     Internet Control Message Protocol: used for error and communication notifications†
     Packets used by ping: Echo Request (TYPE 8)
     Many other TYPEs exist; ping is just one use case
     † Internet Control Message Protocol - Wikipedia: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
  10. Learning About ICMP (2)
     "Looks like the network is unreachable": ICMP TYPE 3, CODE 0
     "Packet size mismatch, try again": ICMP TYPE 3, CODE 4 (Path MTU Discovery)
  11. Awareness (1)
     RFC 792 (ICMP specification): https://datatracker.ietf.org/doc/html/rfc792
     When using TCP/UDP, ICMP TYPE 3 will be returned if something goes wrong
     (So, you know what not to allow, right?)
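The RELATED decision behind this slide, modelled as an added example (not code from the talk): a stateful firewall parses the IP header quoted inside an ICMP TYPE 3 message and accepts the message only when that quoted flow matches a connection it already tracks, regardless of what follows the RFC 792 quote. The addresses, ports and flow table are constructed, and the 576-byte ceiling is RFC 1812's recommended maximum size for an ICMP error, used here as the cue that extra data is riding along.

```python
import struct

ICMP_DEST_UNREACH = 3
MAX_ICMP_ERROR_LEN = 576  # RFC 1812 4.3.2.3: an ICMP error SHOULD not exceed this

def parse_dest_unreach(icmp: bytes) -> dict:
    """Read a type 3 message the way conntrack does: after the 8-byte ICMP header
    comes the quoted original IP header plus at least the first 64 bits of its
    payload, which for TCP/UDP are the source and destination ports."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a complete Destination Unreachable message")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": icmp[1], "proto": inner[9],
            "src": ".".join(map(str, inner[12:16])), "sport": sport,
            "dst": ".".join(map(str, inner[16:20])), "dport": dport,
            "total_len": len(icmp),                 # whole ICMP message
            "trailing": len(inner) - (ihl + 8)}     # bytes beyond the RFC 792 quote

def classify(icmp: bytes, flows: set) -> str:
    """flows: (proto, local_ip, local_port, remote_ip, remote_port) tuples for the
    protected host's established connections. A genuine error quotes a datagram
    that host itself sent, so the quoted src/sport must be the local side."""
    q = parse_dest_unreach(icmp)
    if (q["proto"], q["src"], q["sport"], q["dst"], q["dport"]) not in flows:
        return "drop: quoted flow unknown"
    if q["total_len"] > MAX_ICMP_ERROR_LEN:
        return f"alert: RELATED but carries {q['trailing']} bytes beyond the quote"
    return "accept: RELATED"

def build_sample(src: str, dst: str, sport: int, dport: int, extra: bytes = b"") -> bytes:
    """Constructed test input: type 3 / code 0 quoting a TCP datagram src:sport ->
    dst:dport, with `extra` appended. Checksums stay zero; nothing here verifies them."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(extra), 0, 0x4000,
                           64, 6, 0, ip4(src), ip4(dst))
    return (struct.pack("!BBHI", ICMP_DEST_UNREACH, 0, 0, 0) + inner_ip
            + struct.pack("!HHI", sport, dport, 0) + extra)

# Constructed state table: the protected web server has one client connection.
FLOWS = {(6, "203.0.113.10", 80, "198.51.100.7", 54321)}

if __name__ == "__main__":
    for label, extra in [("36-byte error", b""), ("UNKO flood", b"UNKO\n" * 1024)]:
        print(label, "->", classify(build_sample("203.0.113.10", "198.51.100.7", 80, 54321, extra), FLOWS))
```

Real netfilter conntrack matches the quoted tuple against its own table rather than a Python set, but the decision it makes is the same one shown here.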
  12. Awareness (2)
     Some cloud vendors explain this in their official docs
     A minority, but they exist†
     The wording can be vague
     † "ICMP response traffic, such as "ICMP TYPE 3, DESTINATION UNREACHABLE", generated in response to an allowed TCP/UDP connection is allowed through the firewall. This behavior is consistent with RFC 792." https://cloud.google.com/firewall/docs/firewalls
  13. Awareness (3)
     Across the IT industry: most find this counterintuitive
     Modern engineers may lack iptables experience
     Common among network specialists: "Blocking all ICMP caused TCP to stop working"
  14. Does This Happen With Your Firewall?
     With Linux iptables:
       # Allow new connections (e.g., TCP/80)
       iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
       # Allow response packets
       iptables -A OUTPUT -o eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
       # Allow related ICMP packets   <==== This line
       iptables -A INPUT -i eth1 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
  15. Points to Note
     Rumor has it, an executive expressed anger (just a rumor!)
     While pranks are possible... (details later)
     Beware of security consultants: if they tell you to block all ICMP, be cautious
  16. Summary
     1. ICMP TYPE 3 & Code X penetrates stateful firewalls provided by cloud vendors
        Only when another connection is already established
        It's for error reporting, but allows custom byte data
     2. Basic knowledge: not only important but exciting!
        This slide is just explaining classic TCP/IP behavior in a new way
        Cloud vendor configurations are a black box, so foundational knowledge becomes even more important
  17. Thank You!
     Software Design Dec 2024, "Shell Script Basics and Pitfalls", Chapter 3 (about 10 pages)
     https://gihyo.jp/magazine/SD/archive/2024/202412