Firewall Basic Bypassing Techniques With Nmap and Hping3
Security of data always have in top of priorities for systems administrator’s. Systems admin’s always tries to keep all the ports close for public use which is not required. There are many firewall solutions available on the market starting from simple iptables and ending with complex cloud solutions. In our current case we will take a look at several interesting tools like nmap and hping and methods on how to find out if port is actually used by something and another case - when our target system is hidden behind cloud firewall solution like CloudFlare.
First tool we will try is nmap, it provides numerous features to assist in mapping and grasping intricate networks. One of the ideal techniques of understanding network security from the sysadmin or penetration tester’s perspective is the attempt to surmount it. Firewalls can attempt to render the reconnaissance phase and Nmap’s scanning capabilities less efficient for the adversary.
The hacker can evade the firewalls and intrusion detection systems implemented by their adversaries by using several firewall evasion techniques with Nmap. This tool supports multiple scan types like Connect Scan(by default), ACK Scan,TCP scan, UDP scan etc and have good amount of available scripts which we can use during scans execution and even vulnerability assessment process so hacker can begin to build a picture of your network topology and learn which machines are connected to it, which versions of operating systems they are running, which ports they have open, and what vulnerabilities might exist.
Firewalls Bypassing Scan Examples
The -f command induces our scan to deploy diminutive fragmented IP packets. Specifically, our command utilizes 16 bytes per fragment which diminishes the amount of fragments. Fragmented packets is one of them and consist in sending several tiny packets instead of one normal size packet.
You can use fragmented packets with nmap using the "-f" option, however nowadays most firewall and IDS detect fragmented packets.
The above nmap -mtu command allows us to specify our own offset size. Remember that the offset size has to be a multiple of 16.
- Nmap is giving the option to the user to set a specific MTU (Maximum Transmission Unit) to the packet.
- This is similar to the packet fragmentation technique.
- During the scan, nmap will create packets with sizebased on the number that we will give.
- In this example we gave the number 24, so the nmapwill create 24-byte packets causing a confusion to thefirewall.
- Have in mind that the MTU number must be a multipleof 8 (8,16,24,32 etc).
Badsum command induces the deployment of an invalid TCP/UDP/SCTP checksum for packets transmitted to our target. As practically every host IP stack would correctly drop the packets, each response accepted is possibly originating from a firewall or Intrusion Detection System that wasn’t concerned with confirming the checksum. Additionally we try to use some scripts from nmap NSE like "firewall-bypass", but I should warn that results from usage of this script can be false positive with high percentage.
This script detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip (in our case we also combining it with stealth scan). The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the firewall for this to work. The script supports ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.
Vulnerability Scan Example
- -sV will probe open ports to determine service/version info
- -T4 this setting required to set up scan speed (T5 is maximum, most aggressive scan)
- -F means that we going to scan 100 most popular ports (this option also required for quick scans)
- --script vuln tells nmap to load specific NSE script which will help us determine vulnerabilities with results based on port scanning and banner analysis
Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. It is one type of a tester for network security and one of the de facto tools for security auditing and testing of firewalls and networks. It was used to exploit the idle scan scanning technique which now implemented in the Nmap scanner as well.
While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. A subset of the stuff you can do using hping:
- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Remote OS fingerprinting
- Advanced traceroute, under all the supported protocols
- TCP/IP stacks auditing
- Remote uptime guessing
Firewall Testing Scan Examples
First off, we are going to send a simple PING (ICMP Echo Request) packet to our target.
The –1 in this command tells hping3 to use ICMP, which by default sends an Echo Reply.
The -c 1 states that we only want to send 1 packet, and the 192.168.1.12 is our target. From the command output, we see that 1 packet was sent and received.
We going to test a well-known port 80 (HTTP). Since SYN is the first step in the three-way handshake of a TCP connection (SYN, SYN-ACK, ACK), if the port is open, we would receive the proper SYN-ACK response due to the target attempting to complete the connection. This is a popular technique used in port-scanning known as a “half-open connection”.
In the result, we should see that our target has responded, and the output shows “flags=SA” confirming that we have received a SYN-ACK packet. Since our target responded with a SYN-ACK (marked by [S.] and ‘ack‘), we know that our target’s port 80 is open and accepting connections.
We saw in the previous example that when we send a SYN packet to an open port, we receive a SYN-ACK. So let’s see what kind of response we get when we send an ACK packet (the final part of the three-way handshake).
In the server respone, we can see that our target responded, but this time with the RST flag set. We have successfully tested a host, setup rules to correct issues we’ve found, and retested for proper functionality.
How to Find a Website Behind CloudFlare
Today very popular solutions like cloud firewall are often used by many website owners, companies and others for one main reason - hide your IP to secure from direct scans and possible DoS/DDoS attacks. Some of such solutions additionaly provide their users with CDN service, additional caching etc
We currently interesting in bypassing those firewall and fiding out real IP address of our target website. How can we do this ?
There are several methods available on how detect real IP and so we going to discuss some of them:
1. Scan our target web application for URLs and try to extract other services beloning to this web application (also can discover subdomains) which possibly may host on one server with same IP address.
2. Execute subdomain brute force to find out other sites & services which by mistake were not added/hidden behind firewall and this way we can get real IP address.
3. Try to search domain IP change history (here can such services like DNS History or VirusTotal can be very helpful). By discovering old IP addresses we should go and check them manually or even with reverse lookup if they are still associated with our target web application.
4. We can try to use such service like crimeflare which also may help us reveal real IP address of the target. This service uses nearly the same techniques but has some additional as well.
In conclusion I can say that it is not hard today execute an bypass some kind of firewalls with specific tools, but if speak about for example improved WAF services - such kind of tools there may not help at all and you'll need to use manual approach with several types of url/payload encoding, bypassing tricks and techniques.