Firewall Evasion
These are common techniques used to evade a firewall that blocks your reconnaissance.
In most cases, the main firewall is placed in the demilitarized zone (DMZ). Some organisations also place additional firewalls closer to the business's intranet and/or their industrial supervisory control and data acquisition (SCADA) network.
Detection
Usually, the presence of a firewall is detected when Nmap reports some ports as filtered, but quite often we face different scenarios: the scan speed suddenly drops, or hosts that were previously live are no longer detected as "up" in a later host discovery scan.
All of these are indicators of a change in the packet routes or target host behavior.
Although firewall testing is not a complicated topic, the testing scenarios can be endless depending on the firewall type and configurations.
Policy/Rule Test
Hping3
hping3 is a great tool for packet crafting and for generating custom traffic to test firewall rules and anti-DoS systems.
Testing ICMP: in this example hping3 behaves like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies.
Traceroute using ICMP: this example is similar to well-known utilities such as tracert (Windows) or traceroute (Linux), which send ICMP packets while increasing the TTL value by 1 each time.
We can also use the traceroute command to perform a traceroute with different methods, protocols and ports; see the traceroute section for those techniques.
Checking a port: here hping3 sends a SYN packet to a specified port (80 in our example). We can also control the local source port from which the scan starts (5050).
Other types of ICMP: this example sends an ICMP address mask request (type 17).
For testing other ICMP types, check out the ICMP protocol section.
Other types of port scanning: the first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection-closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send an RST+ACK packet back to signal that the port is closed.
ACK scan: this scan can be used to see if a host is alive (for example when ping is blocked). It should get an RST response back if the port is open.
Xmas scan: this scan sets the sequence number to zero and sets the URG + PSH + FIN flags in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP Xmas scan and sends no reply.
Null scan: this scan sets the sequence number to zero and has no flags set in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan and sends no reply.
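As an added example (not part of the original page), the following Python parses a raw TCP header and classifies which of the probe types above a stray segment matches, together with the reply RFC 793 predicts from a closed and from an open port; the sample headers are constructed inline, never sent.

```python
import struct

# TCP flag bits (RFC 793); the two ECN bits above them are masked out in the parser
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types described above: flag combination -> (name, reply from a closed port, reply from an open port)
PROBES = {
    SYN:             ("SYN probe", "RST/ACK", "SYN/ACK"),
    ACK:             ("ACK probe", "RST", "RST"),
    FIN:             ("FIN scan", "RST/ACK", "no reply"),
    URG | PSH | FIN: ("Xmas scan", "RST/ACK", "no reply"),
    0:               ("Null scan", "RST/ACK", "no reply"),
}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (the checksum is not verified here)."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
            "window": win, "checksum": csum, "urgent": urg}

def classify_probe(segment: bytes) -> dict:
    """Name the scan style a segment matches and the replies RFC 793 predicts.
    A segment carrying neither SYN, ACK nor RST can never belong to a legitimate connection
    (every segment after the initial SYN has ACK set), so FIN/Xmas/Null probes are flagged."""
    hdr = parse_tcp_header(segment)
    name, closed, open_ = PROBES.get(hdr["flags"], ("unclassified", "RST", "depends on state"))
    return {"dport": hdr["dport"], "flags": hdr["flags"], "probe": name,
            "closed_port_reply": closed, "open_port_reply": open_,
            "suspicious": not hdr["flags"] & (SYN | ACK | RST)}

def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Constructed sample header for feeding the parser (checksum left zero, never sent)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 1024, 0, 0)

# Constructed samples matching the hping3 scans above: source port 5050, target port 80
SAMPLES = {
    "xmas": build_tcp_header(5050, 80, URG | PSH | FIN),
    "null": build_tcp_header(5050, 80, 0),
    "fin": build_tcp_header(5050, 80, FIN),
    "syn": build_tcp_header(5050, 80, SYN, seq=1),
}

if __name__ == "__main__":
    for label, seg in SAMPLES.items():
        print(label, classify_probe(seg))
```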
Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
DoS LAND attack:
Useful hping3 options:
Nmap
Fragmentation: the -f option makes our scan send tiny fragmented IP packets. Specifically, our command uses 16 bytes per fragment, which reduces the number of fragments.
Packet fragmentation consists of sending several tiny packets instead of one normal-sized packet.
You can use fragmented packets with Nmap via the "-f" option; however, nowadays most firewalls and IDSs detect fragmented packets.
Custom offset size: the nmap --mtu option allows us to specify our own offset size. Remember that the offset size has to be a multiple of 16.
Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets.
This is similar to the packet fragmentation technique.
During the scan, Nmap will create packets with a size based on the number we give it.
In this example we gave the number 24, so Nmap will create 24-byte packets, causing confusion to the firewall.
Keep in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
Bad checksum: the --badsum option makes Nmap send packets with an invalid TCP/UDP/SCTP checksum to our target.
Since practically every host IP stack correctly drops such packets, any response we receive most likely originates from a firewall or Intrusion Detection System that did not bother to verify the checksum.
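An added example of the check a conforming stack performs before answering (not code from the page or from Nmap): the RFC 793 TCP checksum computed over the IPv4 pseudo-header, applied to a constructed SYN segment with a valid checksum and to one whose checksum is deliberately wrong; the 192.0.2.x addresses are documentation-range placeholders.

```python
import struct
from ipaddress import IPv4Address

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_pseudo_header(src: str, dst: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length) that RFC 793 includes in the sum."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, tcp_length)

def tcp_checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    """True when the checksum stored in bytes 16-17 matches a recomputation over the segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(tcp_pseudo_header(src, dst, len(segment)) + zeroed) == stored

def build_syn(src: str, dst: str, sport: int, dport: int, bad_sum: bool = False) -> bytes:
    """Constructed SYN segment; with bad_sum=True the checksum is deliberately wrong,
    the kind of segment a --badsum scan emits and a correct stack silently discards."""
    header = struct.pack("!HHIIHHHH", sport, dport, 0x11223344, 0, (5 << 12) | 0x02, 65535, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src, dst, len(header)) + header)
    if bad_sum:
        csum = (csum + 1) & 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:]

# Constructed addresses from the documentation range (RFC 5737), not real hosts
SRC, DST = "192.0.2.10", "192.0.2.80"

if __name__ == "__main__":
    good = build_syn(SRC, DST, 5050, 80)
    bad = build_syn(SRC, DST, 5050, 80, bad_sum=True)
    print("valid checksum, stack would answer:", tcp_checksum_valid(SRC, DST, good))
    print("bad checksum, stack would drop:", not tcp_checksum_valid(SRC, DST, bad))
```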
Additionally, we can try some Nmap NSE scripts such as "firewall-bypass", but be warned that the results of this script have a high false-positive rate.
Helper bypass: the firewall-bypass script detects a vulnerability in Netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and SIP (in our case we also combine it with a stealth scan).
The script works by spoofing a packet from the target server asking to open a related connection to a target port, which the firewall fulfils through the appropriate protocol helper.
The attacking machine has to be on the same network segment as the firewall for this to work. The script supports the FTP helper on both IPv4 and IPv6. Reverse path filtering is used to prevent such attacks.
Avoiding signatures: append garbage data to the packets so that the IPS/IDS signature does not match.
Fire Walking
Fire walking is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall. The idea behind fire walking is to determine which ports are open and whether packets with control information can pass through a packet filtering device.
Firewalk
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
It works by sending out TCP or UDP packets with a TTL one hop greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message.
Otherwise, it will likely drop the packets and there will be no response.
To find the IP TTL that will make packets expire one hop beyond the gateway, Firewalk ramps up hop counts in the same manner that traceroute does.
Once the scan is bound (that is, Firewalk knows the gateway hop count), it begins the scan.
The ultimate destination host does not have to be reached; it only needs to be somewhere downstream, on the other side of the gateway from the scanning host.
Firewalk helps in assessing the security configuration of packet filtering devices, such as those used in firewall systems. It is relevant for network security assessments, like network penetration tests (pentests).
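To make the TTL arithmetic concrete, here is an added simulation (written for this page, not Firewalk's code) of a constructed three-hop path with a filtering gateway: a probe with TTL one greater than the gateway's hop count reveals whether the gateway forwards that protocol/port, and a gateway that drops outbound ICMP Time Exceeded from the inside blinds the scan, which is the mitigation.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    """One forwarding device on a constructed path (hypothetical topology, not a real network)."""
    name: str
    filters: bool = False                    # True for the packet-filtering gateway being walked
    allow: set = field(default_factory=set)  # (proto, port) pairs the filtering gateway forwards
    blocks_icmp_egress: bool = False         # mitigation: drop ICMP Time Exceeded coming from inside

def send_probe(path: list, ttl: int, proto: str, port: int) -> str:
    """Walk the probe hop by hop as routers do: decrement TTL, expire at zero, else apply the filter.
    Returns what the scanning host can observe: 'time_exceeded@<hop>', 'dropped' or 'reached'."""
    icmp_hidden = False
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return "dropped" if icmp_hidden else f"time_exceeded@{hop.name}"
        if hop.filters and (proto, port) not in hop.allow:
            return "dropped"                 # silent discard, the behaviour Firewalk relies on
        if hop.blocks_icmp_egress:
            icmp_hidden = True               # anything expiring beyond this hop stays invisible
    return "reached"

def bind_gateway(path: list, gateway: str, proto: str, port: int) -> int:
    """Ramp the TTL like traceroute until the gateway itself answers; returns its hop count."""
    for ttl in range(1, len(path) + 1):
        if send_probe(path, ttl, proto, port) == f"time_exceeded@{gateway}":
            return ttl
    raise RuntimeError("gateway never answered")

def firewalk(path: list, gateway: str, probes: list) -> dict:
    """Send each (proto, port) with TTL = gateway hops + 1 and classify the gateway's policy."""
    hops = bind_gateway(path, gateway, *probes[0])
    verdict = {}
    for proto, port in probes:
        result = send_probe(path, hops + 1, proto, port)
        verdict[(proto, port)] = "forwarded" if result.startswith("time_exceeded") else "filtered/no response"
    return verdict

# Constructed path: border router, filtering gateway, then an internal router
PATH = [Hop("r1"), Hop("fw", filters=True, allow={("tcp", 80), ("tcp", 443)}), Hop("core")]
PROBES = [("tcp", 80), ("tcp", 22), ("udp", 53)]

if __name__ == "__main__":
    print(firewalk(PATH, "fw", PROBES))
    PATH[1].blocks_icmp_egress = True
    print(firewalk(PATH, "fw", PROBES))      # with the mitigation every port looks filtered
```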
Scan ports 8079-8081 (-S8079-8081) through the eth0 interface (-i eth0), do not resolve hostnames (-n), use TCP (-pTCP) via the gateway (192.168.1.1) against the target IP (192.168.0.1):
Port Knocking
Port knocking is an obfuscation-as-security technique. It basically means that after knocking on ports in a specific sequence, a certain port will open automatically.
It seems to be more popular in Capture-the-flag contests than in real-life networks. But I have included it anyway, since CTFs are great.
This is a way to hide certain ports, so you don't get unwanted intrusion attempts.
When you "knock" on a port you are really just sending TCP packets with the SYN flag set to that port. The closed port then responds with ACK/RST, which basically means that the host has received the TCP packet and acknowledges it, but responds with a Reset (RST) flag. RST just means that the port is closed.
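As an added example of the matching logic a knock daemon applies (a model written for this page, not knockd's code), the following Python replays constructed iptables-style log lines of SYNs to closed ports and reports which source completed the sequence 7000, 8000, 9000 within the time window; a wrong port or a too-slow knock resets that source's progress.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines for SYNs to closed ports (hypothetical sample, not real traffic)
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=7000 SYN
Jan 10 12:00:02 gw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=8000 SYN
Jan 10 12:00:03 gw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=9000 SYN
Jan 10 12:00:04 gw kernel: KNOCK IN=eth0 SRC=192.0.2.20 DST=192.0.2.1 PROTO=TCP DPT=7000 SYN
Jan 10 12:00:05 gw kernel: KNOCK IN=eth0 SRC=192.0.2.20 DST=192.0.2.1 PROTO=TCP DPT=9000 SYN
"""
LOG_RE = re.compile(r"(?P<ts>\d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+) SYN")

class KnockSequence:
    """Per-source matcher for a port-knock sequence (a model of a knock daemon's logic)."""
    def __init__(self, sequence, window: float = 10.0):
        self.sequence, self.window = list(sequence), window
        self.progress = defaultdict(lambda: (0, 0.0))   # src -> (knocks matched so far, time of last knock)

    def observe(self, src: str, dport: int, ts: float) -> bool:
        """Feed one SYN seen on a closed port; returns True when `src` just completed the sequence."""
        matched, last = self.progress[src]
        if matched and ts - last > self.window:
            matched = 0                                  # too slow: the partial sequence expires
        if dport == self.sequence[matched]:
            matched += 1
        else:
            matched = 1 if dport == self.sequence[0] else 0   # wrong port: start over
        if matched == len(self.sequence):
            del self.progress[src]
            return True
        self.progress[src] = (matched, ts)
        return False

def to_seconds(hms: str) -> float:
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def replay(log: str, sequence, window: float = 10.0) -> list:
    """Replay logged SYNs through the matcher; returns the sources that completed the sequence."""
    matcher, opened = KnockSequence(sequence, window), []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and matcher.observe(m["src"], int(m["dport"]), to_seconds(m["ts"])):
            opened.append(m["src"])
    return opened

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, [7000, 8000, 9000]))
```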
Knock
Rescan the system to see if any ports are now open, then try to connect to the new ports:
Nmap
Netcat
NAT Slipstreaming
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall, just by having the victim visit a website.
Bypassing by DNS History
This script searches for old DNS A records and checks whether the server still replies for that domain.