Learn about and experiment with various firewall evasion techniques, such as port hopping and port tunnelling.
Room Link Firewalls
A firewall is software or hardware that monitors the network traffic and compares it against a set of rules before passing or blocking it. One simple analogy is a guard or gatekeeper at the entrance of an event. This gatekeeper can check the ID of individuals against a set of rules before letting them enter (or leave).
Before we go into more details about firewalls, it is helpful to remember the contents of an IP packet and TCP segment. The following figure shows the fields we expect to find in an IP header. If the figure below looks complicated, you don’t need to worry as we are only interested in a few fields. Different types of firewalls are capable of inspecting various packet fields; however, the most basic firewall should be able to inspect at least the following fields:
- Protocol
- Source Address
- Destination Address
Question: If you want to block telnet, which TCP port number would you deny?
Answer: 23
Question: You want to allow HTTPS, which TCP port number do you need to permit?
Answer: 443
Question:What is an alternate TCP port number used for HTTP? It is described as “HTTP Alternate.”
Answer: 8080
Question: You need to allow SNMP over SSH, snmpssh. Which port should be permitted?
Answer: 5161
Task 2 Types of Firewalls
Question: What is the most basic type of firewall?
Answer: Packet-Filtering Firewall
Question: What is the most advanced type of firewall that you can have on company premises?
Answer: Next-Generation Firewall
Task 3 Evasion via Controlling the Source MAC/IP/Port
We can dive into all the details embedded into each packet; however, for this exercise, we would like to note the following:
- Our IP address
10.14.17.226
has generated and sent around 200 packets. The-F
option limits the scan to the top 100 common ports; moreover, each port is sent a second SYN packet if it does not reply to the first one. - The source port number is chosen at random. In the screenshot, you can see it is 37710.
- The total length of the IP packet is 44 bytes. There are 20 bytes for the IP header, which leaves 24 bytes for the TCP header. No data is sent via TCP.
- The Time to Live (TTL) is 42.
- No errors are introduced in the checksum.
In the following sections and tasks, we will see how Nmap provides various options to evade the firewall and other network security solutions.
Question: What is the size of the IP packet when using a default Nmap stealth (SYN) scan?
Answer: 44
Question: How many bytes does the TCP segment hold in its data field when using a default Nmap stealth (SYN) scan?
Answer: 0
Question: Approximately, how many packets do you expect Nmap to send when running the command nmap -sS -F MACHINE_IP
? Approximate to the nearest 100, such as 100, 200, 300, etc.
Answer: 200
Decoy(s)
Question: Approximately, how many packets do you expect Nmap to send when running the command nmap -sS -Pn -D RND,10.10.55.33,ME,RND -F MACHINE_IP
? Approximate to the nearest 100, such as 100, 200, 300, etc.
Answer: 800
Proxy
Question: What do you expect the target to see as the source of the scan when you run the command nmap -sS -Pn --proxies 10.10.13.37 MACHINE_IP
Answer: 10.10.13.37
Spoofed MAC Address
Question: What company has registered the following Organizationally Unique Identifier (OUI), i.e., the first 24 bits of a MAC address, 00:02:DC
?
Answer: Fujitsu General ltd
Spoofed IP Address
Question: To mislead the opponent, you decided to make your port scans appear as if coming from a local access point that has the IP address 10.10.0.254
. What option needs to be added to your Nmap command to spoof your address accordingly?
Answer: -S 10.10.0.254
Fixed Source Port Number
Question: You decide to use Nmap to scan for open UDP ports. You notice that using nmap -sU -F MACHINE_IP
to discover the open common UDP ports won’t give you any meaningful results. What do you need to add to your Nmap command to set the source port number to 53?
Answer: -g 53
Task 4 Evasion via Forcing Fragmentation, MTU, and Data Length
Question: What is the size of the IP packet when running Nmap with the -f
option?
Answer: 28
Question: What is the maximum size of the IP packet when running Nmap with the -ff
option?
Answer: 36
Question: What is the maximum size of the IP packet when running Nmap with --mtu 36
option?
Answer: 56
Question: What is the maximum size of the IP packet when running Nmap with --data-length 128
option?
Answer: 148
Task 5 Evasion via Modifying Header Fields
Question: Start the AttackBox and the machine attached to this task. After you give them time to load fully, scan the attached MS Windows machine using --ttl 1
option. Check the number of ports that appear to be open. The answer will vary depending on whether you are using the AttackBox or connecting over VPN. We suggest you try both.
Answer: No Answer
Question: Scan the attached MS Windows machine using --ttl 2
option. How many ports appear to be open?
Answer: 3
Question: Scan the attached MS Windows machine using the --badsum
option. How many ports appear to be open?
Answer: 0
Task 6 Evasion Using Port Hopping
Question: Using this simple technique, discover which port number of the following destination TCP port numbers are reachable from the protected system.
- 21
- 23
- 25
- 26
- 27
Answer: 21
Task 7 Evasion Using Port Tunneling
Question: We have a web server listening on the HTTP port, 80. The firewall is blocking traffic to port 80 from the untrusted network; however, we have discovered that traffic to TCP port, 8008 is not blocked. We’re continuing to use the web form from Task 6 to set up the ncat
listener that forwards the packets received to the forwarded port. Using port tunneling, browse to the web server and retrieve the flag.
the traffic is blocked over port 80 so we need to use 8008 in web form, so for openining web form go on machine ip with port 8080 Machine_IP:8080
then inject the following code with little modification in the command box [ ncat -lvnp 443 -c “ncat TARGET_SERVER 25” ]
ncat -lvnp 8008 -c “ncat 10.10.93.152 80”
after executing the command then go with the 8001 port in the browser to get the flag
Answer: THM{***********}
Task 8 Evasion Using Non-Standard Ports
Question: We’re continuing to use the web-form from Task 6 to set up the ncat
listener. Knowing that the firewall does not block packets to destination port 8081, use ncat
to listen for incoming connections and execute Bash shell. Use the AttackBox to connect to the listening shell. What is the user name associated with which you are logged in?
now first setup the listener from a web-based form ncat -lvnp PORT_NUMBER -e /bin/bash. you access the page from the task 7 MachineIP:8080
after injecting the custom code, use ncat to access the connection, for this use ncat in the attack box and type whoami
Task 9 Next-Generation Firewalls
Question: What is the number of the highest OSI layer that an NGFW can process?
Answer: 7
If you have any queries regarding the above content, or you want to update anything in the content, then contact us with your queries. You can directly post your question in the group.
Connect with us on these platforms