Version: 1.0.2

Evading firewalls

Firewall evasion techniques

The idea is to split up the TCP header over several packets to make it harder
E.g. -f command in nmap: nmap -f 192.168.1.12
- utilizes 16 bytes per fragment which diminishes the number of fragments
- to specify own offset size: nmap --mtu 16 192.168.1.12
❗ Most modern firewall and IDS detect fragmented packets.

📝 Discovers firewall rules using traceroute-like technique with IP TTL expiration
Works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway
- Tests if gateway allows the traffic to find firewalls
Requires knowledge of:
1. Known gateway (can be firewall) before the host (serves as waypoint)
2. IP address of a host located behind the firewall.
❗ If a host on the other side of the firewall cannot be targeted then firewalking will not be successful
Also known as port knocking
- Externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports
Tools
- firewall script in nmap: e.g. nmap --traceroute --script=firewalk --script-args=firewalk.max-probed-ports=-1 192.168.3.11
- Firewall tool e.g. firewalk 192.168.1.2 192.168.3.11
  - Responses can be interpreted as:
    - ICMP_TIME_EXCEEDED: Gateway forwards packets to next hop where they're expired.
    - No response: Port is probably blocked
Countermeasures
- Use Network Address Translation to hide the addresses on your internal networks
- Block all outgoing TTL Exceeded in Transit packets in the firewall

Also known as TCP over DNS
Provides a TCP tunnel through the standard DNS protocol
Used to evade firewalls as most firewalls allow DNS traffic to freely pass into and out of the network.
🤗💡 May browsing internet in coffee shops for free
Tools include • iodine • ThunderDNS

Used to identify firewalls.
Tools
- Using Nmap banner script nmap -sV --script=banner <target-ip>
- Using netcat: nc -v -n 192.168.51.129 21