{"id":18011083,"url":"https://github.com/regit/opensvp","last_synced_at":"2025-08-30T09:08:49.238Z","repository":{"id":3480103,"uuid":"4535503","full_name":"regit/opensvp","owner":"regit","description":"Opensvp is a security tool implementing \"attacks\" to be able to test the resistance of firewall to protocol level attack.","archived":false,"fork":false,"pushed_at":"2017-02-20T20:48:25.000Z","size":47,"stargazers_count":48,"open_issues_count":0,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-21T23:34:09.116Z","etag":null,"topics":["netfilter","network","python","scapy","security","testing"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/regit.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-06-03T07:15:25.000Z","updated_at":"2024-08-12T19:21:07.000Z","dependencies_parsed_at":"2022-09-07T10:20:27.303Z","dependency_job_id":null,"html_url":"https://github.com/regit/opensvp","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fopensvp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fopensvp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fopensvp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fopensvp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/regit","download_url":"https://codeload.github.com/regit/opensvp/tar.gz/refs/heads/master","host":
{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245670991,"owners_count":20653465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["netfilter","network","python","scapy","security","testing"],"created_at":"2024-10-30T02:16:22.847Z","updated_at":"2025-03-26T14:32:26.413Z","avatar_url":"https://github.com/regit.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"=======\nOpensvp\n=======\n\nIntroduction\n============\n\nOpensvp is a security tool implementing \"attacks\" to be able to test\nthe resistance of firewall to protocol level attack. 
It implements\nclassic attacks as well as some new kinds of attacks against application\nlayer gateways (called helpers in the Netfilter world).\n\nFor example, opensvp is able under some conditions (see the explanation\nbelow for details) to open a pin hole in a firewall protecting an\nFTP server: even if the filtering policy guarantees that only port 21\nis open to the server, you can open 'any' port on the server\nby using opensvp.\n\nLet 192.168.2.3 be a server running FTP, placed behind a firewall.\nIf the user, as root, runs::\n\n opensvp --attacker -t 192.168.2.3 --helper ftp --port 23 -v -i eth0\n\nThen he will have temporary access to port 23 of the server independently\nof the firewall rules.\n\nThe document \"Secure use of iptables and connection tracking helpers\"\nhttps://home.regit.org/netfilter-en/secure-use-of-helpers/ describes\nthe protection method against this type of attack.\n\nImplemented attacks\n===================\n\nSpoofed attack on helpers\n-------------------------\n\nSee the following chapter for a precise description of the implemented attack.\n\nBeing on a network directly connected to the firewall via the eth0 interface,\nthe attacker can run the following command ::\n\n opensvp --attacker -t 192.168.2.3 --helper ftp --port 23 -v -i eth0\n\n192.168.2.3 is the address of the FTP server and 23 is the port we want to\nopen on the server.\n\nIt is then possible to connect to 192.168.2.3 on port 23 after a successful\nattack.\n\nAbusive usage of helpers\n------------------------\n\nIt is possible for a client to send a forged command message which is interpreted\nby the firewalls as a possible dynamic connection opening.\n\nIt is possible to use a standard server to send the attack, but with a custom server\nyou will know the transformation made by the possible NAT gateway.\n\nA typical session is the following. 
On the server, which has IP address 1.2.3.4, you\ncan run ::\n\n $ opensvp --server --helper irc -v\n\nOn the client, you can then run ::\n\n $ opensvp --client -t 1.2.3.4 --helper irc --port 23 -v\n 2.3.4.5:23 should be opened from outside\n\nOn the server, the following message is displayed ::\n\n You should be able to connect to 2.3.4.5:23\n\nHere 2.3.4.5 is the public address of the client.\n\nTTL attack on DPI solution\n--------------------------\n\nOn the attacker's machine, you need to start opensvp and indicate which\nNetfilter queue is used and which interface is the output interface ::\n\n # opensvp -n -q 0 -i eth1\n\nYou then need to use iptables to send to userspace the traffic you want to hide from the protocol\nrecognition mechanism ::\n\n iptables -I INPUT -p tcp --sport 443 -j NFQUEUE\n iptables -I OUTPUT -p tcp --dport 443 -j NFQUEUE\n\nWhen you're done, press CTRL+C to interrupt the attack process.\n\nDescription of the attack against helper\n========================================\nPrinciple\n---------\n\nSome network protocols use multiple connections for the exchange\nbetween a client and a server. The best known example is FTP, where commands\ngo through a connection on port 21 and where data exchanges are done in\ntwo different modes (connection from port 20 or dynamic connection).\n\nSome firewall implementations implement application layer gateways (ALG) to be\nable to detect these parallel connections and authorize them dynamically.\nOther solutions are to use an application relay (transparent proxy) or to open\nall the possible flows (read: almost everything).\n\nThe ALG analyses the traffic and detects and parses the commands sent between the\npeers to declare the parameters of the parallel connections. 
Once done, they\nopen a temporary pin hole in the firewall to let the expected traffic go through.\n\nThe idea of this attack is to forge this type of message to open a pin hole in\nthe firewall, but a pin hole that should not have been opened.\n\n\nConditions:\n * The attacker's computer is on a network directly connected to the firewall.\n * The firewall is susceptible to the attack (for example, Netfilter with rp_filter\n   set to 0)\n * The attacker is able to sniff a data packet (either by pcap sniffing or by running\n   a data connection himself)\n\nThe sequence of events is the following:\n 1. A sniffer on the attacker's network captures one packet from the protocol flow\n\n     * it reverses the Ethernet dst and src\n     * it increases the id in IP and the seq for TCP\n     * it sets the payload to the wanted command (with the selected\n       port)\n\n 2. The forged packet is sent on the interface connected to the firewall\n 3. The firewall transmits the packet back to the client and is now expecting\n    a packet with characteristics based on the attacker's input\n\nAttacking IRC\n-------------\n\nThis attack is a direct application of the described principle. Once a data packet\nis received, the attacker sends a forged DCC command.\n\nAttacking FTP\n-------------\n\nIn this attack, the client connection is opened by the attacker. He connects to the\nFTP server behind a firewall and initiates a real connection. 
Once the session is\nset up, he launches the attack by sending a forged 227 command.\n\nIf IPv6 is used, the same attack is done with a forged 229 command.\n\nImpact of the attack\n--------------------\nPossible targets\n~~~~~~~~~~~~~~~~\n\nThe main constraint of these attacks is that the attacker has to be on a network\ndirectly connected to the firewall.\n\nThus, the main possibilities are:\n * Attack from a user LAN\n * Attack in a hosting farm\n\nBoth cases can lead to severe information exposure by giving the attacker access to\nunprotected services.\n\nLinux\n~~~~~\n\nThis attack is known to work on IPv4 Netfilter firewalls if rp_filter is set to\n0 (this is hopefully not the default value).\n\nThere is currently no reverse path filtering implementation for IPv6; the firewall\nis thus not protected and the protection has to be set up in the firewall rules (see\nnext chapter).\n\nSome firewall software is known to be vulnerable:\n * fwbuilder: a specific policy has to be set up\n * shorewall: recent versions fix the issue\n * edenwall: vulnerable\n\nThe attack works for both gateway and local firewalls. On a local firewall, FORWARD\nfiltering has to be activated and an ESTABLISHED ACCEPT rule has to be set up on\nthis chain. This could be the case for a system running virtual machines.\n\nDefense against the attack\n==========================\nLinux\n-----\n\nSee the following document, which is dedicated to the subject: https://home.regit.org/netfilter-en/secure-use-of-helpers/\n\nOther OS and devices\n--------------------\n\nThe basic requirement is to activate strict anti-spoofing and to control the loading of ALGs if possible.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fregit%2Fopensvp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fregit%2Fopensvp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fregit%2Fopensvp/lists"}