[ale] how can a firewalled PC POSSIBLY be attacked?

David Tomaschik david at systemoverlord.com
Wed Jan 23 12:57:28 EST 2013


On Wed, Jan 23, 2013 at 8:08 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> Hi all,
>
> I appreciate all who've responded to this to shed a little light on it for
> me.  It's very complex, and each answer seems to open up new questions.  I
> guess I'll have to review the OSI model that I learned about years ago and
> look at some of the low level protocols.
>
> Tell me if the following are true.  Assume I'm at my home network.  Even
> though it's more complex than this, say I had one wifi router with 4 port
> switch connected to the cable modem.  Suppose I wanted to run wireshark to
> monitor things.  All PC's, tablets, dvr's, etc are attached via wifi.  The
> printer is attached to the 4 port switch using a wire.
>
> * If I attach my laptop to the switch with a wire and run wireshark, I
> would see only the traffic to / from my pc's ip address and nothing else,
> except for broadcast traffic like ARP, etc, and then only what the switch
> is programmed to forward.  I would not, for example, see traffic destined
> for the printer unless I'm sending it.
>

It's actually all traffic destined to your PC's MAC address and the
broadcast MAC (FF:FF:FF:FF:FF:FF).  Switches are Layer 2 devices, they
don't know about IP.  (Yes, some devices are branded as "Layer 3 switches",
but it's unlikely that you have one of those in your house.)


>
> * If my laptop is attached via wifi, then wireshark will see everything
> ANY PC on the same wifi ssid is sending or receiving, including traffic to
> / from the printer or to / from the internet.
>

Yes, but it's not straightforward.  With WEP or unencrypted wifi, it's just
as easy as running Wireshark -- all packets are visible to all clients.
With WPA-PSK, there's a per-client, per-session key, but if you have the
PSK, you can derive the client and session keys *IF* you captured the
handshake: http://wiki.wireshark.org/HowToDecrypt802.11  With WPA
Enterprise (802.1x) the keys are derived more securely, and you'd need
access to the keystore to decrypt other clients' packets.


>
> * The only way to monitor everything on the network would be to attach a
> HUB to the cable modem, attach wireshark to the hub with a wire, then
> attach the wifi router to another port on the hub.  But, no, then I'd only
> see traffic to / from the internet.  Traffic routed solely by the wifi
> router, between devices, or to the printer, would not be seen.  Also, the
> PC would be directly exposed to the internet and would be in potential
> danger.
>

You could also use a PC with 2 NICs in bridging mode, but you still need to
be between the two machines whose traffic you want to see.  If you have a
nice router (or use something like OpenWRT/DD-WRT) you might be able to put
one NIC port into "mirror" or "monitor" mode where the switch copies all
packets to that port.  Something like this works:
http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/
(Actually uses iptables rather than the built-in switch, but the concept is
the same.)


>
> * What I'm getting from the prior discussion about firewalls is that, if
> any packets come into the NIC, and it triggers an interrupt presumably,
> then certain parts of the system software, the tcp/ip stack, are triggered
> to deal with the packet even if it's a low level protocol like ARP.  Higher
> level software in the system, like the firewall, doesn't even see it, and
> can't filter it.  However, vulnerabilities may exist even at that low level
> that could allow the PC to be compromised.
>

Yes, every packet not dropped by the NIC will be processed in some fashion,
generally by at least the Ethernet/Wifi stack and the firewall code itself.


>
> * Regarding what Windows or Mac does, you COULD disassemble the
> executables in the networking stack to see what happens, although it would
> be incredibly tedious and complicated and time consuming to do so.
>
> By the way, I think it's a stretch to say no Windows PC is safe (enough)
> on the internet.  Even if 1/3 are infected, as stated on the Going Linux
> podcast, which is truly horrible if true, then the other 2/3 are not
> infected, which amounts to about 700 million users.  And, most of those are
> probably not even configured properly for maximum safety.
>
> I do all the following on my PC's, whether Windows or Linux as applicable.
>  I think I'm fairly safe.  I'm sure I could always do better.  If you think
> I'm missing something critical, let me know.  I will admit that very few
> users have done all these things, thus, they are more vulnerable.
>
> <snip>
>
> Well, that's all I can think of at the moment.  Hopefully, that's enough.
>  Did someone say I wasn't paranoid enough?
>
> I'm more concerned when I'm in a restaurant or something, since I don't
> have control over their router.  I'm sure there is a nat firewall.
>  However, I'm still on the same lan as everyone else on the wifi.  The only
> thing I know to do there, other than what I've already done to the pc, is
> to crank up hotspot vpn, which I have a subscription to.  At the moment, I
> know how to do that in Windows, but not in Linux.
>
> It would be interesting to know if the wifi nic responds to any local lan
> traffic once the vpn is up.
>

Sure it will.  It will still process packets.  After all, it doesn't "know"
anything about a VPN.


>
> Sincerely,
>
> Ron




-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
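As an added illustration of the WPA-PSK point made in the reply above (example code written for this archive page, not part of David's message or of Wireshark), the following Python walks through the 802.11i key derivation: the PMK comes from the passphrase and SSID alone, and the per-client, per-session PTK comes from the PMK plus the two MAC addresses and the two nonces exchanged in the 4-way handshake. Anyone holding the PSK who also saw the handshake can therefore compute the same temporal key the client and AP use, which is why WPA-Enterprise's per-client PMK is the stronger option. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the home-network passphrase, MAC addresses and nonces are constructed sample values.

```python
"""WPA2-PSK pairwise key derivation (IEEE 802.11i), as an educational
example.  Only the standard library is used."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Note that nothing session-specific goes in: the PMK is the same for
    # every client and every session on a PSK network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter),
    # concatenated for counter = 0, 1, ... until nbytes are available.
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    # The two MACs and the two nonces are ordered numerically, so both
    # sides (and any listener with the PMK) derive the identical PTK
    # regardless of which value they learned first.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    # 384-bit PTK for CCMP: KCK (16) || KEK (16) || TK (16).
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    # KCK authenticates handshake messages, KEK wraps the group key,
    # TK is the temporal key that actually encrypts the data frames.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_sessions() -> tuple:
    """Two separate handshakes by the same client on the same PSK network.
    All values are constructed for the example."""
    pmk = pmk_from_passphrase("correct horse battery", "HomeNet")
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    # Fresh nonces per handshake (constructed; real ones are random).
    anonce1, snonce1 = bytes(range(0, 32)), bytes(range(32, 64))
    anonce2, snonce2 = bytes(range(64, 96)), bytes(range(96, 128))
    first = split_ptk(ptk_from_handshake(pmk, ap_mac, client_mac, anonce1, snonce1))
    second = split_ptk(ptk_from_handshake(pmk, ap_mac, client_mac, anonce2, snonce2))
    return first, second


if __name__ == "__main__":
    print("802.11i vector PMK:", pmk_from_passphrase("password", "IEEE").hex())
    s1, s2 = derive_sessions()
    print("session 1 TK:", s1["TK"].hex())
    print("session 2 TK:", s2["TK"].hex())
```

The two sessions produce different temporal keys even though the PSK never changed, which is the per-session property David describes; but because every input to the PTK except the PMK is transmitted in the clear during the handshake, the nonces add no secrecy against a listener who already has the PSK. That is the case the Wireshark decryption how-to covers, and the reason a captured handshake is the precondition.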