Hi folks,
As a result of a recent engagement looking at Windows host hardening, I came across this little trick and thought it might be useful at some point. The Microsoft IPSec filters used by Windows 2000 & XP can be bypassed by choosing a source port of 88 (Kerberos).
First off, Microsoft themselves state that IPSec filters are not designed as a full featured host based firewall [1], and it is already known that certain types of traffic are exempt from IPSec filters [2]. They can be summarised:
* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos
In a Microsoft support note [2] there is the line:

"The Kerberos exemption is basically this: if a packet is TCP or UDP and has a source or destination port = 88, permit."
The test host here has a "block all" rule created using:

    ipsecpol.exe -x -w REG -p "The Black Knight" -r "noneshallpass" -n BLOCK -f 0=*::*
Normal nmap scan:

    # nmap -sS -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at BST
    Host 172.25.0.14 appears to be up ... good.
    Initiating SYN Stealth Scan against 172.25.0.14 at
    The SYN Stealth Scan took 7 seconds to scan 1659 ports.
    Interesting ports on 172.25.0.14:
    (The 1658 ports scanned but not shown below are in state: filtered)
    PORT   STATE  SERVICE
    88/tcp closed kerberos-sec

    Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds
Port 88 showing as closed (rather than filtered) is the hint. nmap again, this time using 88 as the source port:
    # nmap -sS -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at BST
    Host 172.25.0.14 appears to be up ... good.
    Initiating SYN Stealth Scan against 172.25.0.14 at
    Adding open port 445/tcp
    Adding open port 135/tcp
    Adding open port 139/tcp
    Adding open port 1433/tcp
    Adding open port 1027/tcp
    Adding open port 1025/tcp
    The SYN Stealth Scan took 0 seconds to scan 1659 ports.
    Interesting ports on 172.25.0.14:
    (The 1653 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    1025/tcp open  NFS-or-IIS
    1027/tcp open  IIS
    1433/tcp open  ms-sql-s

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds
As can be seen, the IPSec filters are bypassed. Although not designed as a host based firewall, IPSec filters are being used as such, particularly to block popularly attacked ports such as NetBIOS, CIFS and SQL, perhaps as [temporary] worm mitigation.
In Windows 2003 all of these default exemptions have been removed with the exception of IKE [1], and I believe that this may be incorporated into earlier Windows versions at some point.
Cheers,

JJ
[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;810207
[2] http://support.microsoft.com/default.aspx?scid=kb;en-us;253169
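The comparison the post makes by eye (baseline scan versus a scan from source port 88) can be automated when checking a fleet of hosts. The following is an added example, not code from the original post or from Microsoft: it parses nmap 3.x "normal" output from the two runs and reports every port that was "filtered" in the baseline but answers (open or closed) once the source port is 88, which is the signature of the Kerberos exemption. It also flags the case where the default state for unlisted ports flips from "filtered" to "closed", since that alone means the filter is no longer dropping packets. The two scan transcripts below are constructed to mirror the post's results and are embedded so the script runs offline; the function and variable names are my own.

```python
"""Diff two nmap normal-output runs to spot an IPSec filter bypass.

Added example (not part of the original post).  Assumes the classic
nmap 3.x layout:

    (The N ports scanned but not shown below are in state: filtered)
    PORT     STATE SERVICE
    135/tcp  open  msrpc
"""
import re

# Constructed sample: baseline scan, everything filtered except 88/tcp.
BASELINE = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
Host 172.25.0.14 appears to be up ... good.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT   STATE  SERVICE
88/tcp closed kerberos-sec
"""

# Constructed sample: same host scanned with -g 88 (source port 88).
SPORT88 = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
Host 172.25.0.14 appears to be up ... good.
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
1433/tcp open  ms-sql-s
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\b", re.I)
DEFAULT_LINE = re.compile(r"not shown below are in state:\s*(\w+)", re.I)


def parse_nmap(text):
    """Return (default_state, {(port, proto): state}) from nmap normal output.

    default_state is the state nmap assigns to every port it did not list
    (the "not shown below" line); None if the line is absent.
    """
    default = None
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        m = DEFAULT_LINE.search(line)
        if m:
            default = m.group(1).lower()
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2).lower())] = m.group(3).lower()
    return default, ports


def find_bypassed(baseline_text, sport_text):
    """Ports filtered in the baseline that respond from source port 88.

    Returns (bypassed, default_flipped) where bypassed maps (port, proto)
    to its state in the source-port-88 scan, and default_flipped is True
    when the catch-all state moved from 'filtered' to a responding state.
    """
    b_default, b_ports = parse_nmap(baseline_text)
    s_default, s_ports = parse_nmap(sport_text)
    bypassed = {}
    for key in sorted(set(b_ports) | set(s_ports)):
        before = b_ports.get(key, b_default)
        after = s_ports.get(key, s_default)
        if before == "filtered" and after in ("open", "closed"):
            bypassed[key] = after
    default_flipped = b_default == "filtered" and s_default in ("open", "closed")
    return bypassed, default_flipped


if __name__ == "__main__":
    hits, flipped = find_bypassed(BASELINE, SPORT88)
    if flipped:
        print("default state flipped from filtered: filter is bypassed for all ports")
    for (port, proto), state in hits.items():
        print(f"{port}/{proto} filtered in baseline, {state} with source port 88")
```

Run the two nmap scans exactly as in the post, save each with -oN, and feed the files to find_bypassed; any host that produces hits (or a flipped default) is relying on IPSec filters that the Kerberos exemption walks straight past.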