Nessus vs. WinXP Firewall - IP forwarding question

[patrickk83]

Hello people!

After setting up some VM's (Win7x64, WinXP SP3, Debian Lenny, DVWA, Badstore Online Shop, Windows Server 2003) in VMWare I started
scanning the WinXP box (with SP3 but without latest updates). When I turn off the Windows firewall Nessus shows me a lot of vulnerabilities and
I am able to play around with metasploit and connect to the box. With firewall on I only can see that IP forwarding is enabled. NMap only shows me
that the 1000 scanned ports are filtered and OS detection also doesn't work properly.
I'm wondering if it is possible to bypass an active Windows firewall by taking advantage of IP forwarding or other methods to search for vulnerabilities.
I've been looking around for good papers or threads for hours but there was nothing useful to find.

I'm using BT5RC3 x64.

Hope you can point me to the right direction,

best regards

Patrick

[jamkomo]

Hello people!
...
scanning the WinXP box (with SP3 but without latest updates). When I turn off the Windows firewall Nessus shows me a lot of vulnerabilities and
I am able to play around with metasploit and connect to the box. With firewall on I only can see that IP forwarding is enabled. NMap only shows me
that the 1000 scanned ports are filtered and OS detection also doesn't work properly.
I'm wondering if it is possible to bypass an active Windows firewall by taking advantage of IP forwarding or other methods to search for vulnerabilities....

Patrick

Hey Patrick, maybe it's the wrong approach. If the firewall is enabled, perhaps you could "bypass" it by the knowledge that this winxp box in a "real" situation will be allowed to browse the internet. You could assume you have a user on that winxp box that may be vulnerable to social engineering. You could get them to connect to you and run metasploit's browser autopwn. If it has an less than uptodate browser with typical java etc plugins, it will likely be vulnerable to something.

Just a thought.