Skip to main content
Version: Next

Evading firewalls

Firewall evasion techniques

Using fragmented packets

  • The idea is to split up the TCP header over several packets to make it harder
  • E.g. -f command in nmap: nmap -f 192.168.1.12
    • utilizes 16 bytes per fragment which diminishes the number of fragments
    • to specify own offset size: nmap --mtu 16 192.168.1.12
  • ❗ Most modern firewall and IDS detect fragmented packets.

Firewalking

  • 📝 Discovers firewall rules using traceroute-like technique with IP TTL expiration
  • Works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway
    • Tests if gateway allows the traffic to find firewalls
  • Requires knowledge of:
    1. Known gateway (can be firewall) before the host (serves as waypoint)
    2. IP address of a host located behind the firewall.
  • ❗ If a host on the other side of the firewall cannot be targeted then firewalking will not be successful
  • Also known as port knocking
    • Externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports
  • Tools
    • firewall script in nmap: e.g. nmap --traceroute --script=firewalk --script-args=firewalk.max-probed-ports=-1 192.168.3.11
    • Firewall tool e.g. firewalk 192.168.1.2 192.168.3.11
      • Responses can be interpreted as:
        • ICMP_TIME_EXCEEDED: Gateway forwards packets to next hop where they're expired.
        • No response: Port is probably blocked
  • Countermeasures
    • Use Network Address Translation to hide the addresses on your internal networks
    • Block all outgoing TTL Exceeded in Transit packets in the firewall

HTTP and ICMP tunneling

  • Can be used to bypass firewalls rules through obfuscation of the actual traffic
  • Works by injecting arbitrary data into packets sent to a remote computer
  • Hard to detect without proper deep packet inspection or log review
  • HTTP tunneling (port 80) is almost never filtered by a firewall.

DNS tunneling

  • Also known as TCP over DNS
  • Provides a TCP tunnel through the standard DNS protocol
  • Used to evade firewalls as most firewalls allow DNS traffic to freely pass into and out of the network.
  • 🤗💡 May browsing internet in coffee shops for free
  • Tools include • iodineThunderDNS
  • Used to identify firewalls.
  • Tools