Firewall Evasion
Last updated
Last updated
In most cases, the main firewall is placed in the demilitarized zone ( DMZ). Some select additional firewalls closer to the businessβs intranet and/or their industrial supervisory control and data acquisition (SCADA) may also exist.
Usually, the presence of a firewall is detected when nmap shows some ports as filtered, but a lot of times we might face different scenarios in which the scan speed is suddenly dropped or previously live hosts are not detected as "up" in another host discovery scan. all of these are indicators of a change in the packet routes or target host behavior. although firewall testing is not a complicated topic, the testing scenarios can be endless depending on the firewall type and configurations.
A great tool for packet crafting and generating custom traffic for testing firewall rules and anti-DoS systems.
Testing ICMP: In this example hping3 will behave like a normal ping utility, sending ICMP-echo und receiving ICMP-reply
Traceroute using ICMP: This example is similar to famous utilities like tracert (windows) or traceroute (linux) who uses ICMP packets increasing every time in 1 its TTL value.
Checking port: Here hping3 will send a Syn packet to a specified port (80 in our example). We can control also from which local port will start the scan (5050).
Other types of ICMP: This example sends a ICMP address mask request ( Type 17 ).
Other types of Port Scanning: First type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send a RST+ACK packet back to signal that the port is closed.
Ack Scan: This scan can be used to see if a host is alive (when Ping is blocked for example). This should send a RST response back if the port is open.
Xmas Scan: This scan sets the sequence number to zero and set the URG + PSH + FIN flags in the packet. If the target deviceβs TCP port is closed, the target device sends a TCP RST packet in reply. If the target deviceβs TCP port is open, the target discards the TCP Xmas scan, sending no reply.
Null Scan: This scan sets the sequence number to zero and have no flags set in the packet. If the target deviceβs TCP port is closed, the target device sends a TCP RST packet in reply. If the target deviceβs TCP port is open, the target discards the TCP NULL scan, sending no reply.
Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
DOS Land Attack:
fragmentation : The -f command induces our scan to deploy diminutive fragmented IP packets. Specifically, our command utilizes 16 bytes per fragment which diminishes the number of fragments. Fragmented packets is one of them and consist in sending several tiny packets instead of one normal size packet.
You can use fragmented packets with Nmap using the "-f" option, however, nowadays most firewall and IDS detect fragmented packets.
custom offset size : nmap --mtu command allows us to specify our own offset size. Remember that the offset size has to be a multiple of 16.
Nmap is giving the option to the user to set a specific MTU (Maximum Transmission Unit) to the packet.
This is similar to the packet fragmentation technique.
During the scan, Nmap will create packets with a size based on the number that we will give.
In this example, we gave the number 24, so the Nmap will create 24-byte packets, causing confusion to the firewall.
Keep in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
bad checksum : Badsum command induces the deployment of an invalid TCP/UDP/SCTP checksum for packets transmitted to our target. As practically every host IP stack would correctly drop the packets, each response accepted is possibly originating from a firewall or Intrusion Detection System that wasnβt concerned with confirming the checksum. Additionally, we try to use some scripts from the Nmap NSE like "firewall-bypass," but I should warn you that results from the usage of this script can be a false positive with a high percentage.
helper bypass : This script detects a vulnerability in Netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and sip (in our case, we also combine it with stealth scan). The script works by spoofing a packet from the target server asking for opening a related connection to a target port, which will be fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the firewall for this to work. The script supports FTP helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.
Avoiding signatures: add garbage data to the packets so the IPS/IDS signature is avoided.
firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway next hop router, or eventually the metric itself if it is directly connected to the gateway. Otherwise, the probe will timeout.
It starts with a TTL equals to the distance to the target. If the probe timeout, then it is resent with a TTL decreased by one. If we get an ICMP_TIME_EXCEEDED, then the scan is over for this probe.
Every "no-reply" filtered TCP and UDP ports are probed. As for UDP scans, this process can be quite slow if lots of ports are blocked by a gateway close to the scanner.
Scan parameters can be controlled using the firewalk.* optional arguments.
From an original idea of M. Schiffman and D. Goldsmith, authors of the firewalk tool.
Custom Scan Types : The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules! The --scanflags argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant.
In addition to specifying the desired flags, you can specify a TCP scan type (such as -sA or -sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no-response indicative of a filtered port, while a FIN scan treats the same as open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used.
Description
Option [flag]
Timing Templates
-T[0-5]
Set the Packet Time To Live [TTL]
βttl
Minimum # of Parallel Operations
βmin-parallelism
Maximum # of Parallel Operations
βmax-parallelism
Minimum Host Group Size
βmin-hostgroup
Maximum Host Group Size
βmax-hostgroup
Maximum RTT Timeout
βmax-rtt-timeout
Initial RTT Timeout
βinitial-rtt-timeout
Maximum Retries
βmax-retries
Host Timeout
βhost-timeout
Minimum Scan Delay
βscan-delay
Maximum Scan Delay
βmax-scan-delay
Minimum Packet Rate
βmin-rate
Maximum Packet Rate
βmax-rate
Defeat Reset Rate Limits
βdefeat-rst-ratelimit
By default, NMAP executes time units in seconds. However, by applying a qualifier to the timing flag, we can instruct NMAP to accept timing units in milliseconds, minutes, or hours β as seen in Table 1.2 below.
Flag
Definition
Time Unit
Flag
(none)
Milliseconds (1/1000 of a second)
60000 milliseconds
60000ms
s
Seconds
60 seconds
60s
m
Minutes
1 minutes
1m
h
Hours
1 hour
1h
For example, we can instruct NMAP to scan a target for a 1 minute before aborting using the βhost-timeout option as shown below:
The above command can be also executed as:
Or:
Flag: -T
Syntax: nmap -T[Template No.] [Target]
Description: Specify an NMAP timing template for a scan.
Think of NMAP timing templates as shortcuts for different timing options.
NMAP provides six templates [0 to 5] we can use to slow down scanning [evade firewalls] or speed up [get faster results] β depending on the scanning scenario, as seen in Table 1.3 below.
NMAP Timing Template
Name
Description
-T0
Paranoid scan
A very slow scan
-T1
Sneaky scan
Excellent for avoiding firewalls
-T2
Polite scan
Unlikely to interfere with the target system
-T3
Normal scan
The default NMAP timing template
-T4
Aggressive scan
Provides faster results on LANs
-T5
Insane scan
A fast aggressive scan
Fire walking is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall. The idea behind fire walking is to determine which ports are open and whether packets with control information can pass through a packet filtering device.
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. It works by sending out TCP or UDP packets with a TTL one hop greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. Otherwise, it will likely drop the packets and there will be no response.
To get the correct IP TTL that will result in packets expiring one hop beyond the gateway, Firewalk needs to ramp up hop counts. It does this in the same manner that traceroute works. Once the scan is bound (that is, Firewalk knows the gateway hop count), it begins the scan. The ultimate destination host does not have to be reached, it only needs to be somewhere downstream, on the other side of the gateway, from the scanning host.
Firewalk helps in assessing the security configuration of packet filtering devices, such as those used in firewall systems. It is relevant for network security assessments, like network penetration tests (pentests).
Scan ports 8079-8081 (-S8079-8081) through the eth0 interface (-i eth0), do not resolve hostnames (-n), use TCP (-pTCP) via the gateway (192.168.1.1) against the target IP (192.168.0.1):
Port-knocking the a obfuscation-as-security technique. I basically means that after knocking on ports in a specific sequence a certain port will open automatically. It seems to be more popular in Capture-the-flag contests than real life networks. But I have included it anyways, since CTF:s are great.
This is a way to hide certain ports, so you don't get unwanted intrusion-intents.
When you "knock" on a port you are really just sending TCP-packets with SYN-flag to that port. The closed port will then respond with a ACK/RST. Which basically means that the host has received the TCP-packet, and it ACKnolwdge it, but responds with a Reset (RST) flag. RST just means that the port is closed.
rescan the system to see if any ports are now open, try to connect to new ports:
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victimβs NAT/firewall, just by the victim visiting a website
we can also use the traceroute command to perform traceroute with different methods, protocols and ports. check for traceroute techniques.
for testing other ICMP types check out the protocol section.
