Enumerating Firewall
This is done via PowerShell. If we happen to have command execution somehow, we can use it to see which ports can be accessed.
I'll use the fact that I can see results from commands run to look at the firewall using Get-NetFirewallRule. Just giving this command -All will return a ton of stuff, so I'll limit with the following arguments (based on the docs):
- -Direction Outbound - limit to outbound rules since that's where I'm having issues
- -Action Block - limit to rules that block traffic
- -Enabled True - don't show the large set of rules that are present but not enabled
This returns a single result:
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\0xdf's job>powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Name : {D6399A8B-5E04-458F-AA68-62F64A4F1F43}
DisplayName : BlockOutboundDC
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Block
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\0xdf's job>exit 0
Finished: SUCCESS
The name implies it's blocking outbound, but I can see the actual ports by piping this result into Get-NetFirewallPortFilter. This post has a nice bit of code at the bottom which I'll tweak a bit to print what I want:
powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block |
Format-Table -Property
DisplayName,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,
Profile,
Direction,
Action"
I'll have to remove the newlines to get it to work in Jenkins, and make sure the entire PowerShell command is in "". When I run this through Jenkins it returns:
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test>powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}, Enabled, Profile,Direction,Action"
DisplayName     Protocol LocalPort RemotePort RemoteAddress Enabled Profile Direction Action
-----------     -------- --------- ---------- ------------- ------- ------- --------- ------
BlockOutboundDC TCP      Any       Any        Any           True    Any     Outbound  Block
This rule is blocking all outbound TCP.
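The one-liner above re-runs Get-NetFirewallPortFilter once per column. As an added example (not from the original write-up), the same enumeration as a reusable function that resolves each rule's port, address and program filters with a single lookup each, covers both directions, and flags rules that block every port to every host; it assumes the NetSecurity module (the Get-NetFirewall* cmdlets) is available, and the function name Get-EffectiveBlockRules is my own.

```powershell
# Added example: enumerate enabled Block rules and resolve their filters.
# Assumes the NetSecurity module is present (Get-NetFirewall* cmdlets).
function Get-EffectiveBlockRules {
    param(
        # Inbound, Outbound, or Both (default)
        [ValidateSet('Inbound', 'Outbound', 'Both')]
        [string]$Direction = 'Both'
    )

    $rules = Get-NetFirewallRule -Enabled True -Action Block
    if ($Direction -ne 'Both') {
        $rules = $rules | Where-Object { $_.Direction -eq $Direction }
    }

    foreach ($rule in $rules) {
        # One call per filter type instead of one per output column
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        [PSCustomObject]@{
            DisplayName   = $rule.DisplayName
            Direction     = $rule.Direction
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemotePort    = ($port.RemotePort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
            # 'Any' for both ports and the remote address means the rule
            # blocks the whole protocol in this direction (the case above)
            AllPortsHosts = ($port.LocalPort -eq 'Any') -and
                            ($port.RemotePort -eq 'Any') -and
                            ($addr.RemoteAddress -eq 'Any')
        }
    }
}

# Same view the Jenkins one-liner produced, plus the AllPortsHosts flag
Get-EffectiveBlockRules -Direction Outbound | Format-Table -AutoSize
```

Save it as a .ps1 and run it with powershell -File, which avoids having to collapse the command onto one quoted line for Jenkins.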