Modification of Pktfilter tool Brad Baker CS 591


Modification of Pktfilter tool
Brad Baker, CS 591, Spring 2007 term project
Pktfilter modification - Brad Baker, 3/12/2021


The Pktfilter tool
• Open source project listed on SourceForge (http://sourceforge.net/projects/pktfilter/)
• Developed by Jean-Baptiste Marchand; the project has been inactive since February 2003
• Uses the Win32 filtering API (Windows 2000 packet filtering)
• Runs as a service and configures the filtering API on start
• Provides a command line utility


Pktfilter basics
• Filtering is controlled through a rules file
• Rules define a default action, then exceptions
  • For example, block everything, then pass each allowed connection
  • Rule mixing isn't allowed: you can't block a connection after you have created a pass exception
• Example of rule setup:
  block in on eth0 all
  block out on eth0 all
  pass out on eth0 proto tcp from any to 128.198.1.212 port = 80
  pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
• Rules require numeric IP addresses
• Rules can specify ports and ranges, protocols, and use the "any" keyword


Pktfilter usage
• Installation is a manual process
• Copy the Pktfilter folder to Program Files or the desired directory
• From a command prompt, run "pktfltsrv.exe -i" followed by the paths to three files
  • Rules file, log file, DNS log file
  • This command installs Pktfilter as a service
• Configure the service to run automatically
• Configure the rules file as desired
  • Restrict access to the rules file


My project goals
In order of priority:
• Research why the tool doesn't work on Windows Vista and Windows XP x64
• Research and include rule mixing
  • For example, after creating an exception for HTTP we would like to block a specific website
• Research and fix the logging problem
• Research and implement DNS IP resolution from the rules file
• Research and implement localhost IP resolution


Goal #1 – Windows Vista & x64
• Windows Vista doesn't include this API
• The "Windows Filtering Platform" (WFP) replaces the packet filtering API
• WFP is a much more robust filtering solution
• WFP allows application-based filtering, boot-time filtering, and packet inspection
• Moving Pktfilter to x64 just requires building for the correct platform
• Conclusion: save WFP for the future; x64 was a success


Goals #2/#3 – Mixing & Logging
• Mixing is not possible based on the design of the underlying API
• The filtering engine is specifically designed to provide only the default and exception actions
• Logging works with a fresh Windows XP installation
• Changes to iphlpapi.dll in Service Pack 1 broke the logging function
• Conclusion: mixing and logging aren't possible due to larger system issues


Goals #4/#5 – IP resolution
• Modified the program to use brackets for DNS lookup: "[www.uccs.edu]"
• Modified the program to use the "me" keyword for localhost lookup
• Looked at several DNS query methods
  • First used: DnsQuery_A() in <Windns.h>
  • Then used: gethostbyname() in <winsock2.h>
  • Finally: getaddrinfo() in <winsock2.h>
• The tool produces a log file to document the translation


Example of IP resolution
Log file output:
  --------------------------Begin rule file parsing, GMT: 2007-05-06 04:43:25
  > local 'me' symbol resolved : ( 192.168.1.100 ) : artos
  > Remote DNS lookup resolved : ( 66.35.250.150 ) : slashdot.org
  > Remote DNS lookup resolved : ( 209.131.36.158 ) : www.yahoo.com
  > Remote DNS lookup FAILED : ( ) : test.my.blah
  > Remote DNS lookup resolved : ( 128.198.1.212 ) : www.uccs.edu
  > Remote DNS lookup resolved : ( 72.14.253.147 ) : www.google.com
  END, GMT: 2007-05-06 04:43:30
  (The name column of the extracted slide also lists http://www.crh.noaa.gov/fo, with no surviving result line.)
Corresponding input configuration:
  # input rules
  rule 1: pass in on eth0 proto udp from any port = 53 to any
  rule 2: pass in on eth0 proto tcp from 66.35.250.150 port = 80 to 192.168.1.100
  rule 3: pass in on eth0 proto tcp from 209.131.36.158 port = 80 to 192.168.1.100
  rule 4: pass in on eth0 proto tcp from 127.0.0.1 port = 80 to 192.168.1.100
  rule 5: pass in on eth0 proto tcp from 128.198.1.212 port = 80 to 192.168.1.100
  rule 6: pass in on eth0 proto tcp from 72.14.253.104 port = 80 to 192.168.1.100
  rule 7: pass in on eth0 proto udp from any port = 67 to any port = 68
  rule 8:
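The default-then-exceptions ordering from the Pktfilter basics slide and the bracket / "me" resolution with its log lines from the IP resolution slides, as an added example that is not the tool's own code. It assumes a constructed hostname table in place of getaddrinfo() and an assumed local address for "me"; a rule whose bracketed name is blank, over-long or unresolvable is dropped rather than kept (the deck's own listing shows the failed rule 4 rewritten to 127.0.0.1 instead).

```python
# Constructed lookup table standing in for getaddrinfo(); an absent name means lookup failure
FAKE_DNS = {"www.uccs.edu": "128.198.1.212", "slashdot.org": "66.35.250.150"}
LOCAL_IP = "192.168.1.100"   # assumed address of this host, returned for the 'me' keyword
MAX_HOST_LEN = 253           # longest legal DNS name; anything longer is rejected unresolved

def resolve_token(tok, log):
    """Resolve 'me' or '[hostname]' to a numeric IP and append a line in the style of the
    tool's DNS log. Returns None when the token cannot be resolved safely."""
    if tok == "me":
        log.append(f"> local 'me' symbol resolved : ( {LOCAL_IP} )")
        return LOCAL_IP
    host = tok[1:-1].strip()
    # Hardening from the summary slide: blank or over-long names never reach the resolver
    if not host or len(host) > MAX_HOST_LEN:
        log.append(f"> Remote DNS lookup REJECTED : ( {host[:40]} )")
        return None
    ip = FAKE_DNS.get(host)
    if ip is None:
        log.append(f"> Remote DNS lookup FAILED : ( ) : {host}")
        return None
    log.append(f"> Remote DNS lookup resolved : ( {ip} ) : {host}")
    return ip

def parse_rules(text):
    """Return (resolved_rules, log). Enforces default-then-exceptions ordering:
    a 'block' rule appearing after any 'pass' rule is rule mixing and is rejected."""
    rules, log, seen_pass = [], [], False
    for line in text.splitlines():
        words = line.split("#")[0].split()      # drop comments and blank lines
        if not words:
            continue
        if words[0] == "block" and seen_pass:
            raise ValueError(f"rule mixing not allowed: {line.strip()}")
        seen_pass = seen_pass or words[0] == "pass"
        resolved = []
        for w in words:
            if w == "me" or (w.startswith("[") and w.endswith("]")):
                w = resolve_token(w, log)
                if w is None:     # unresolved endpoint: drop the whole rule, never widen it
                    resolved = None
                    break
            resolved.append(w)
        if resolved is not None:
            rules.append(" ".join(resolved))
    return rules, log
```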


Summary
• The tool will remain effective until Windows Vista is a common platform
• Several goals were not met; however, the IP resolution will provide a benefit
• Protected the application from long URLs and blank URLs
  • The rules file won't compromise the filtering configuration
• Future enhancements can involve port information, fixing the DNS timeout, etc.
• Security concerns with relying on DNS queries
  • For example, the current Windows DNS server bug


References
• Original Pktfilter project source
  • http://sourceforge.net/projects/pktfilter/
• Information about the filtering API
  • http://www.ndis.com/papers/winpktfilter.htm
  • http://www.library.uow.edu.au/adt-NWU/uploads/approved/adt-NWU20041108.142435/public/02Whole.pdf
• WFP summaries
  • http://www.microsoft.com/whdc/device/network/WFP.mspx
  • http://msdn2.microsoft.com/en-us/library/aa363967.aspx
• DNS lookup information
  • http://msdn2.microsoft.com/en-us/library/ms738524.aspx
  • http://msdn2.microsoft.com/en-us/library/ms738520.aspx
• PfCreateInterface, which references the other filtering API functions
  • http://msdn2.microsoft.com/en-gb/library/aa376646.aspx