Outbound Filtering

14th June 2019

Outbound port filtering is a simple way to stop Windows clients from accidentally handing the user's domain credentials to a server on the internet.

Scenario:
BadGuy sends a phishing email including a link to an internet server owned by BadGuy.
A user in your network is fooled into clicking on the link, which is in the format \\server.LooksLikeMyDomain.NotReally\ShareName
Windows treats that UNC path as an SMB share, so the user's computer gladly reaches outside your network, onto the internet, and tries to authenticate to it with the logged-on user's domain credentials, without asking.
BadServerSays: I need to authenticate you, what's your password?
TrustingComputerSays: This is my password, am I authenticated?
BadServerSays: Why yes, thanks for giving me your password, SUCKER!

Someone is going to “correct” me and say that it's a password HASH that gets sent, not the password. What actually goes over the wire is an NTLM challenge/response: the server sends a challenge and the client answers with a keyed hash of that challenge, computed from the user's NT hash. Since BadGuy controls the server he also controls the challenge, so he can hand out a fixed one and crack the captured responses offline against a wordlist (or precomputed tables, for NTLMv1), or simply relay the exchange to another server that will accept it. Either way the hash is not much comfort.

The easy solution is to block the ports that make this possible at the perimeter. This won't affect internal authentication, which never crosses the firewall; the only thing it breaks is SMB to hosts on the internet, which you almost certainly don't want anyway.

You can test whether you are vulnerable by clicking the links below (this is only a test and doesn't give away any credentials). If you are vulnerable, a web page titled “Outgoing port tester” will be displayed. Port 445 is the one a modern Windows client tries first for a UNC path, with 139 as the fallback, so test it as well:
http://portquiz.net:135/
http://portquiz.net:137/
http://portquiz.net:139/
http://portquiz.net:445/

The browser test is blocked in Firefox and only partially works in Chrome (browsers refuse to connect to some of these well-known ports),
but it works great in M$ Edge or IE (you're not still using IE, right?).
The portquiz page gives some alternate methods of testing, such as telnet or curl to the same port, which don't have that browser restriction.

How to fix: put a rule in your firewall that blocks TCP ports 135-139 and 445 outbound (and UDP 137-138 if you want to be thorough, since NetBIOS name service and datagrams use them). This process will be different for each manufacturer. The pfSense process is here.

DNS (port 53) is also commonly used to exfiltrate data out of a compromised network, and malware uses it for command and control for the same reason: it is almost always allowed out. I recommend filtering port 53 (UDP and TCP, since large answers and zone transfers use TCP) so that only a predefined list of DNS servers can be reached, and pointing your internal resolvers at that list. Note that this limits which resolvers a host can talk to; it does not stop tunnelling through an approved resolver, so log the DNS traffic too.

I manage a lot of Fortigate firewalls, so I have some rules I paste into the CLI. They define one address object per resolver and collect them in an address group (the group has to be created under config firewall addrgrp, not config firewall address), which is then used as the destination of the policy that allows DNS out, with a second policy below it that denies DNS to everything else:

config firewall address
    edit "DNS_Fortinet1"
        set subnet 96.45.45.45 255.255.255.255
    next
    edit "DNS_Fortinet2"
        set subnet 96.45.46.46 255.255.255.255
    next
    edit "DNS_Cisco1"
        set subnet 208.67.222.222 255.255.255.255
    next
    edit "DNS_Cisco2"
        set subnet 208.67.220.220 255.255.255.255
    next
    edit "DNS_Cloudflare1"
        set subnet 1.1.1.1 255.255.255.255
    next
    edit "DNS_Cloudflare2"
        set subnet 1.0.0.1 255.255.255.255
    next
    edit "DNS_Google1"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "DNS_Google2"
        set subnet 8.8.4.4 255.255.255.255
    next
    edit "DNS_Quad91"
        set subnet 9.9.9.9 255.255.255.255
    next
    edit "DNS_Quad92"
        set subnet 149.112.112.112 255.255.255.255
    next
    edit "DNS_cira1"
        set subnet 149.112.121.20 255.255.255.255
    next
    edit "DNS_cira2"
        set subnet 149.112.122.20 255.255.255.255
    next
    edit "DNS_8x8_1"
        set subnet 8.28.0.9 255.255.255.255
    next
    edit "DNS_8x8_2"
        set subnet 192.84.18.11 255.255.255.255
    next
end

config firewall addrgrp
    edit "DNS_Approved"
        set member "DNS_Cisco1" "DNS_Cisco2" "DNS_Cloudflare1" "DNS_Cloudflare2" "DNS_Fortinet1" "DNS_Fortinet2" "DNS_Google1" "DNS_Google2" "DNS_Quad91" "DNS_Quad92" "DNS_cira1" "DNS_cira2" "DNS_8x8_1" "DNS_8x8_2"
        set color 3
    next
end
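An added example, not from the original post: a short checker that reads FortiGate-style traffic log lines and flags the two things the rules on this page are meant to stop, outbound connections to TCP 135-139/445 and DNS to any resolver that is not in DNS_Approved. The log lines are constructed for the example, the key=value layout is a simplified version of the FortiGate traffic log, and the internal address ranges are assumed to be RFC 1918.

```python
"""Check firewall traffic logs for the two leaks this page is about (added example)."""
import shlex
from ipaddress import ip_address, ip_network

# The resolvers in the DNS_Approved group above.
APPROVED_DNS = {
    "96.45.45.45", "96.45.46.46", "208.67.222.222", "208.67.220.220",
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
    "149.112.121.20", "149.112.122.20", "8.28.0.9", "192.84.18.11",
}
# Ports a Windows client uses to reach a UNC path: SMB on 445, NetBIOS on 137-139, RPC endpoint mapper on 135.
CREDENTIAL_PORTS = {135, 137, 138, 139, 445}
# Assumption: inside addresses are RFC 1918.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a simplified FortiGate traffic-log layout (key=value, quoted where needed).
SAMPLE_LOG = [
    'date=2019-06-14 time=09:01:12 srcintf="internal" dstintf="wan1" srcip=10.1.1.25 srcport=49213 dstip=203.0.113.10 dstport=445 proto=6 action=deny',
    'date=2019-06-14 time=09:01:13 srcintf="internal" dstintf="wan1" srcip=10.1.1.25 srcport=49214 dstip=203.0.113.10 dstport=139 proto=6 action=accept',
    'date=2019-06-14 time=09:02:40 srcintf="internal" dstintf="wan1" srcip=10.1.1.40 srcport=51000 dstip=1.1.1.1 dstport=53 proto=17 action=accept',
    'date=2019-06-14 time=09:02:41 srcintf="internal" dstintf="wan1" srcip=10.1.1.40 srcport=51001 dstip=198.51.100.7 dstport=53 proto=17 action=accept',
    'date=2019-06-14 time=09:03:05 srcintf="internal" dstintf="internal" srcip=10.1.1.25 srcport=49300 dstip=10.1.1.5 dstport=445 proto=6 action=accept',
    'date=2019-06-14 time=09:03:09 srcintf="internal" dstintf="wan1" srcip=10.1.1.25 srcport=49301 dstip=203.0.113.10 dstport=443 proto=6 action=accept',
]


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict; shlex takes care of the quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(rec: dict):
    """Return a finding tuple (kind, src, dst:port, action) for one record, or None."""
    src, dst = rec.get("srcip"), rec.get("dstip")
    if not src or not dst or not is_internal(src) or is_internal(dst):
        return None  # only inside -> internet matters here; internal SMB is supposed to work
    port = int(rec.get("dstport", 0))
    proto = int(rec.get("proto", 0))
    action = rec.get("action", "?")
    if port in CREDENTIAL_PORTS:
        return ("credential-port", src, f"{dst}:{port}", action)
    if port == 53 and proto in (6, 17) and dst not in APPROVED_DNS:
        return ("unapproved-dns", src, f"{dst}:{port}", action)
    return None


def scan(lines):
    """All findings across a log, denied or not."""
    return [f for f in (classify(parse_kv(line)) for line in lines) if f]


def policy_gaps(lines):
    """Only the findings the firewall let through: these are the rules you still need to add."""
    return [f for f in scan(lines) if f[3] == "accept"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Read the result two ways: an accept on a credential port or to an unapproved resolver means the rule is missing or not matching and the policy needs fixing; a deny means the rule is doing its job and the source host has a user who just clicked something, which is worth a look as well.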