
Someone scanned ports while vpn'ed

taktsoi Member Posts: 224
Usually, when I have my coffee break, I go to Starbucks. I use my laptop to check internet-related stuff, like email, weather, my home servers' stuff, etc. I always use the FREE internet at Starbucks, which is provided by access points from some people who don't set them up properly. Those are open, free, and don't need any keys at all. :D

Today, I was having my coffee break at Starbucks. However, I believe someone was trying to sniff the traffic when I VPN'ed.

While I was having my coffee break, I initiated a VPN (PPTP) connection to my ISA box, which is my edge firewall. However, my ISA box warned me that an ALL PORTS SCAN was detected around the time after I VPN'ed.

I checked the log on the ISA box, which details that the all ports scan was initiated from 192.168.1.2, and my IP from the free wireless was DHCP'ed as 192.168.1.115, so we are on the same subnet.

How the hell can 192.168.1.2 initiate an all ports scan after I VPN'ed? Sorry if I ask this question; I understand that when you want to scan ports over the internet, you must use a public IP, right? But in my case the initial port scan came from a class C address, which is the same IP range I got from the free internet. And when you VPN to another location, the traffic is encrypted between both ends, so how the hell can 192.168.1.2 do a port scan on my ISA? And my private range is class A, 10.x.x.x. Hmm... I'm scratching my head to see what configuration I overlooked... or anything I should be aware of...

Any suggestions for me?

Thanks.
mean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.

-Working on CCENT. Thank you my love <3

Comments

  • mgeorge Member Posts: 774
    I'm not sure if you have a domain set up in your house, but PPTP is definitely not the tunneling protocol of choice.

    Use L2TP with IPsec, and also use certificate authentication or smart card authentication. If you use a Dell Latitude D series, these models have built-in smart card readers.

    Also, if you have an Apple, a new patch was just released to patch a wifi hole.

    As for the port scan, check to see if you have any malware, trojans, worms, etc. Whatever the case, make sure you do not have routing services running, as well as ICS.

    Also, elaborate on the port scan: was this scan done on an internal IP address 10.x.x.x by a 192.168.1.x?
    There is no place like 127.0.0.1
  • Ahriakin Member Posts: 1,799
    It was a spoofed address; 192.168.1.2 is the single most likely private address to yield a result on an improperly configured firewall. I doubt it had anything to do with you or the network you were on (even if it was someone on that same network, their address would have been NAT'd just like yours when it left the private network for the internet).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • binarysoul Member Posts: 993
    Maybe I missed something, but did you connect to your work's production firewall from a free, unmanaged Starbucks wireless connection?

    I'm pretty sure the answer is no. If the answer is yes, ummmm, then be ready for some criticism from me and others :)
  • taktsoi Member Posts: 224
    binarysoul wrote:
    Maybe I missed something, but did you connect to your work's production firewall from a free, unmanaged Starbucks wireless connection?

    I'm pretty sure the answer is no. If the answer is yes, ummmm, then be ready for some criticism from me and others :)
    This is just my home network, which uses ISA as an edge firewall. I'm testing it for my certification road. You think that I am an idiot who connects to a workplace using free internet like this? I will do it if I'm looking for a let-go.

    Getting back to the story, I understand what a spoofed address is. However, what I completely don't understand is how one uses a spoofed address to initiate the attack over the WAN but shows a private address. Let's see this below first.

    Network A <-> Network B
    In order to connect two networks (network A and network B), I must use a VPN tunnel. This is a tunnel that connects both networks together.

    Computer A -> Network B VPN Server
    If I am using computer A trying to connect to network B, I use a VPN to connect to network B. Computer A is the VPN client and the network B VPN server is the VPN END-POINT.

    Regardless of which VPN method is used (PPTP or L2TP), the tunnel that connects computer A to network B is still ENCRYPTED. Here is where I get confused.

    Computer A - > Network B VPN Server
    Hack x
    >

    How can one initiate spoofing without connecting a VPN first? Let's say, if I want to do port scanning on your web server, my IP has got to be a public one because I do it over the internet, unless everything is local. However, in this case, I find it very strange that I am the VPN client and the guy who spoofs was trying to modify the packet header to look just like mine and make it look like he also attempts to connect like a VPN.

    Is there any way to spoof PPTP like this, even in a client-server tunnel? Hmm...
    mean people SUCK !!! BACK OFF !!!
    The Next Stop is, MCSE 2003 and CCNA.
    Bachelors of Technology in 1 More Year.

    -Working on CCENT. Thank you my love <3
  • mgeorge Member Posts: 774
    When you connect via VPN you are initiating another interface. Therefore your laptop would have 2 interfaces: the Starbucks one with a 192.168.1.x network IP, and your private IP.

    If your laptop was used as a router to connect to your internal network, then the source address would have been 192.168.1.2 (from your laptop's public network).

    It's likely that the IP was not spoofed at all, since the IP address supposedly being spoofed is a non-routable IP except on private networks (that of which your laptop was a part).

    So to answer your question, yes, it can be done if your laptop is set up to route from one interface to another, public to VPN and vice versa. This is why I initially asked if you have routing services enabled.
    There is no place like 127.0.0.1
  • taktsoi Member Posts: 224
    mgeorge27 wrote:
    When you connect via VPN you are initiating another interface. Therefore your laptop would have 2 interfaces: the Starbucks one with a 192.168.1.x network IP, and your private IP.

    If your laptop was used as a router to connect to your internal network, then the source address would have been 192.168.1.2 (from your laptop's public network).

    It's likely that the IP was not spoofed at all, since the IP address supposedly being spoofed is a non-routable IP except on private networks (that of which your laptop was a part).

    So to answer your question, yes, it can be done if your laptop is set up to route from one interface to another, public to VPN and vice versa. This is why I initially asked if you have routing services enabled.

    I just checked my laptop and confirmed that none of the routing services are enabled. Hmm... what gives...
    mean people SUCK !!! BACK OFF !!!
    The Next Stop is, MCSE 2003 and CCNA.
    Bachelors of Technology in 1 More Year.

    -Working on CCENT. Thank you my love <3
  • mgeorge Member Posts: 774
    Go back to that Starbucks and see if you can replicate the issue.

    I'm sure if someone hacks regularly there, you can catch them real easy with a few handy tools.

    Also, you should talk to the store manager and request that the wifi access point have client isolation enabled so wifi users cannot communicate with other wifi users, which ensures guest wireless security.
    There is no place like 127.0.0.1
  • sprkymrk Member Posts: 4,884
    If you were using a split tunnel, as opposed to a global tunnel, you were indeed routing packets on your laptop. Your laptop became a dual-homed computer when you initiated a split tunnel.

    However, what's more likely is that your ISA server wrongly identified some of the stuff going on at Starbucks (if your computer was using a split tunnel) as a port scan. Your laptop was probably doing a bunch of NetBIOS stuff with the other computers on the Starbucks network. ISA is very prone to false positives in this regard.
    All things are possible, only believe.
  • Ahriakin Member Posts: 1,799
    Guys, I think you have missed the point and probability of using private addresses in a spoofed attack from the internet. No, it shouldn't happen, but yes, it does. Private subnets shouldn't be routable on the net, but that is not written in stone; badly configured routers or carefully manipulated IP packets can do the trick. That's why you are urged to implement ingress (and ideally egress) filtering of your private subnets even though the protection is already implied. Do a Google search for RFC + Ingress Filtering + Spoofing for more info.
    An attack via split tunneling is possible, as Mr. Sprky said, if you were not firewalled as well, and I wouldn't rule it out (and definitely disable it if you do have it turned on). But using Occam's razor and the fact that spoof attacks happen regularly, I'd still go with that being the cause. I see them all the time on our central/busiest PIX: private address/bogon nets, etc. Set your firewall to alert you whenever it sees private ranges on the external interface and you'll be surprised.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
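Ahriakin's advice above (drop and alert on private or bogon source addresses at the external interface, and filter what leaves your own ranges), as an added example that is not code from the thread or from ISA Server: a small ingress/egress anti-spoofing filter in Python. It assumes the home LAN is 10.0.0.0/8 as in the original post, uses the documentation addresses 203.0.113.10 and 198.51.100.7 as stand-ins for the firewall's public side and an Internet host, and the sample packets are constructed for the example.

```python
"""Ingress/egress anti-spoofing filter (added example, not the thread's or ISA's code).

A packet filter on the edge decides drop/accept from the interface a packet
arrived on and its source address. Nothing arriving from the Internet side
may claim a private, bogon or internal source; nothing leaving the LAN may
claim a source that is not ours.
"""
import ipaddress

# Assumption for the example: the home network behind the firewall is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Source ranges that have no business arriving from the Internet
# (RFC 1918 private space plus the usual bogon ranges).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(iface, src, dst):
    """Return (action, reason) for a packet seen on `iface`.

    iface: "external" (Internet side) or "internal" (LAN side).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if iface == "external":
        # Ingress: a packet from the Internet claiming one of our own
        # addresses is the classic spoof of a trusted host.
        if _in_any(src, INTERNAL_NETS):
            return ("drop", f"ingress: spoofed internal source {src} -> {dst}")
        # Ingress: private/bogon sources should never reach us from outside,
        # whether or not some upstream router was willing to forward them.
        if _in_any(src, BOGON_NETS):
            return ("drop", f"ingress: bogon/private source {src} -> {dst}")
        return ("accept", "ingress: ok")
    if iface == "internal":
        # Egress: only our own addresses may leave. Anything else is a
        # misconfigured host or our network being used to spoof someone else.
        if not _in_any(src, INTERNAL_NETS):
            return ("drop", f"egress: source {src} is not ours")
        return ("accept", "egress: ok")
    return ("drop", f"unknown interface {iface}")


# Constructed sample packets: (interface, src, dst).
SAMPLE_PACKETS = [
    ("external", "192.168.1.2", "203.0.113.10"),    # the thread's scanner address, from the Internet side
    ("external", "198.51.100.7", "203.0.113.10"),   # ordinary Internet host
    ("external", "10.0.0.5", "10.0.0.1"),           # outsider claiming to be an inside host
    ("internal", "10.0.0.5", "198.51.100.7"),       # inside host going out
    ("internal", "192.168.1.115", "198.51.100.7"),  # wrong source leaving our LAN
]


def audit(packets=SAMPLE_PACKETS):
    """Run every sample packet through the filter; returns [(action, reason), ...]."""
    return [filter_packet(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_PACKETS, audit()):
        print(pkt, "->", action, "|", reason)
```

The 192.168.1.2 packet is dropped at the external interface before any port-scan logic ever sees it, which is the point of the filter: regardless of whether such packets can actually be routed to you, nothing with a private source should be accepted from the Internet side. Logging each drop, as Ahriakin suggests, is what makes the pattern visible.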
  • taktsoi Member Posts: 224
    sprkymrk wrote:
    If you were using a split tunnel, as opposed to a global tunnel, you were indeed routing packets on your laptop. Your laptop became a dual-homed computer when you initiated a split tunnel.

    Hi Mark, long time no talk. How are you doing?
    Yes, you are right, it is indeed true that I was using a split tunnel, because I have "Use default gateway" unchecked in the dial-up properties. It is indeed routing the packets. Shoooooot...
    Found the article from isaserver.org:
    http://www.isaserver.org/tutorials/2004fixipsectunnel.html
    "Split tunneling is enabled on the Microsoft VPN client by removing the checkmark in the VPN client’s Networking Properties dialog box for the Use default gateway on remote network setting. Note that Microsoft uses this as the default configuration, as they realize the security concerns involved with split tunneling."
    sprkymrk wrote:
    ISA is very prone to false positives in this regard.
    Yes, although ISA is prone to false positives, is there a real alert sometimes?

    Hmm...
    mean people SUCK !!! BACK OFF !!!
    The Next Stop is, MCSE 2003 and CCNA.
    Bachelors of Technology in 1 More Year.

    -Working on CCENT. Thank you my love <3
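To make the split-tunnel point concrete, here is an added example (not from the thread, and not Microsoft's client code) that models the two route tables a Windows PPTP client ends up with depending on "Use default gateway on remote network", and resolves a few destinations against each with longest-prefix match and metric tie-break. The hotspot address 192.168.1.115 and the home range 10.0.0.0/8 come from the thread; the hotspot gateway 192.168.1.1, the tunnel address 10.1.1.50 and the VPN endpoint 203.0.113.10 are assumed.

```python
"""Split tunnel vs full tunnel as a route-lookup walkthrough (added example).

Models the routes a Windows PPTP client holds after the tunnel comes up.
With "Use default gateway on remote network" unchecked (split tunnel) only
the remote network's classful route goes through the tunnel; with it checked
a second default route with a better metric pulls everything that is not
directly connected through the tunnel.
"""
import ipaddress

HOTSPOT_IF = "wifi"            # 192.168.1.115/24, gateway 192.168.1.1 (assumed)
TUNNEL_IF = "ppp"              # tunnel address 10.1.1.50, assigned by the ISA box (assumed)
VPN_SERVER = "203.0.113.10"    # assumed public address of the ISA external side


def route_table(split_tunnel):
    """Routes present once the PPTP connection is up: (prefix, interface, metric)."""
    routes = [
        ("192.168.1.0/24", HOTSPOT_IF, 20),     # directly connected hotspot LAN
        ("0.0.0.0/0", HOTSPOT_IF, 20),          # hotspot default gateway
        (VPN_SERVER + "/32", HOTSPOT_IF, 20),   # host route so the tunnel itself leaves via wifi
    ]
    if split_tunnel:
        # Classful route for the tunnel address's network (10.x -> 10.0.0.0/8).
        routes.append(("10.0.0.0/8", TUNNEL_IF, 1))
    else:
        # Second default route, lower metric than the hotspot's, wins the tie.
        routes.append(("0.0.0.0/0", TUNNEL_IF, 1))
    return [(ipaddress.ip_network(p), i, m) for p, i, m in routes]


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [(n.prefixlen, -m, i) for n, i, m in routes if dst in n]
    if not candidates:
        return None
    candidates.sort(reverse=True)
    return candidates[0][2]


def where_does_it_go(split_tunnel, dsts):
    """Map each destination to the interface it leaves on."""
    rt = route_table(split_tunnel)
    return {d: lookup(rt, d) for d in dsts}


if __name__ == "__main__":
    targets = ["10.0.0.5", "192.168.1.2", "198.51.100.7", VPN_SERVER]
    for mode in (True, False):
        print("split tunnel" if mode else "full tunnel", where_does_it_go(mode, targets))
```

In split-tunnel mode the laptop talks to the hotspot peers on wifi and to the home LAN on the tunnel at the same time, which is the dual-homed state discussed above. Whether it also forwards packets between the two interfaces is a separate setting (IP routing or ICS on Windows), which is the distinction behind mgeorge's question about routing services.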
  • Ahriakin Member Posts: 1,799
    Breaking the razor makes baby Occam cry :P
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • sprkymrk Member Posts: 4,884
    Regarding spoofed IPs using private ranges: even if a whole slew of misconfigured routers were allowing a private IP through to a public host IP to perform a scan, the results would not make it back to the attacker in most cases, unless the attack was only one or two hops away. Unless a more sophisticated attack were under way, in which case a loud "all ports scan" would most likely not be the logical choice of the attacker.

    I still suspect a false positive. The ISA was probably seeing all the NetBIOS traffic at Starbucks.
    All things are possible, only believe.
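The false-positive hypothesis sprkymrk raises in both of his posts (NetBIOS chatter from the hotspot being counted as a port scan), as an added detection example that is not ISA Server's own detector, whose rules are not on the page: a "distinct destination ports per source within a time window" heuristic of the kind behind an "all ports scan" alert, run over a constructed set of connection attempts that mixes NetBIOS/SMB noise from the thread's 192.168.1.2 with a genuine sweep from an Internet host. The tunnel address 10.1.1.50, the firewall's public address 203.0.113.10, the sweep source 198.51.100.7 and all event times are made up for the example.

```python
"""Port-scan heuristic vs NetBIOS chatter (added detection example).

The naive rule flags any source that touches N distinct ports within a
window. Hotspot NetBIOS/SMB traffic touches 135/137/138/139/445 in a few
seconds and trips it just like a sweep does. Scoping the rule to the
external interface, or ignoring the known-chatty ports, keeps the real
sweep and drops the noise.
"""
from collections import defaultdict

# Constructed events: (time_s, iface, src, dst, proto, dport)
EVENTS = [
    # NetBIOS/SMB chatter attributed to a hotspot peer: few ports, many repeats.
    *[(t, "vpn", "192.168.1.2", "10.1.1.50", "udp", 137) for t in range(0, 10, 2)],
    *[(t, "vpn", "192.168.1.2", "10.1.1.50", "udp", 138) for t in range(1, 10, 2)],
    (3, "vpn", "192.168.1.2", "10.1.1.50", "tcp", 139),
    (4, "vpn", "192.168.1.2", "10.1.1.50", "tcp", 445),
    (5, "vpn", "192.168.1.2", "10.1.1.50", "tcp", 135),
    # A genuine sweep from the Internet: one source, many distinct ports, fast.
    *[(100 + p * 0.05, "external", "198.51.100.7", "203.0.113.10", "tcp", p)
      for p in range(1, 41)],
]

NOISY_PORTS = frozenset({135, 137, 138, 139, 445})   # RPC / NetBIOS / SMB


def detect_scans(events, window_s=10.0, threshold=5, ifaces=None, ignore_ports=frozenset()):
    """Return {src: max distinct ports in any window} for sources at or above threshold.

    ifaces: if given, only events seen on these interfaces are considered.
    ignore_ports: destination ports that never count towards the score.
    """
    per_src = defaultdict(list)   # src -> [(time, dport)], in time order
    for t, iface, src, dst, proto, dport in sorted(events):
        if ifaces and iface not in ifaces:
            continue
        if dport in ignore_ports:
            continue
        per_src[src].append((t, dport))

    alerts = {}
    for src, hits in per_src.items():
        # Sliding window anchored at each event: count distinct ports until it closes.
        best = 0
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            best = max(best, len(ports))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("naive:          ", detect_scans(EVENTS))
    print("external only:  ", detect_scans(EVENTS, ifaces={"external"}))
    print("noisy ignored:  ", detect_scans(EVENTS, ignore_ports=NOISY_PORTS))
```

With the naive settings both sources are reported, and 192.168.1.2 scores exactly the five NetBIOS/SMB ports, which is what a false positive of the kind sprkymrk describes looks like in the data. Either restricting the rule to the external interface or excluding the chatty ports leaves only the 40-port sweep, so when tuning an alert like this, check which interface the offending source was seen on and which ports it actually touched before treating it as an attack.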