Skip to main content

detecting_and_evading_a_firewall

Detecting Firewalls

Detecting a firewall is not easy, the most common tools to detect a firewall are:

  • --traceroute
  • -O
  • --badsum #this isn't always effective

The badsum option is called as:

 nmap --badsum 291.122.121.11
 # this option causes nmap to create
 # a bad checksum in the TCP header, all hosts should drop these
 # packets, so if we receive a response, this means that the
 # response comes from a firewall who didn't bother to verify the checksum

Evading Firewalls

There are two other ways to evade a firewall:

  • Fragmentation fields of the IP header
  • Idle Scan (using Zombie Hosts)

Fragmentation fields of the IP Header

Fragmentation is useful since fragments are passed to the target machine uninspected from the firewall. Fragmentation is more effective when we split TCP header in different packets, in nmap we can request a fragmentation with the "-f" option which will request a fragmentation of 8 byte chunks, while it is even possible to use "-f-f" to achieve 16 byte chunks, or still we can specify the chunk size by using "--mtu" and specifying the chunks, let's see some examples:

 nmap -f 223.23.23.12
 # this is the preferred and most used
 # option, when doing such things, the packet is split into 3 fragments
 nmap --mtu 24 223.23.23.12

Since the TCP Header is 20 bytes, the packet sent is split into 3 fragments, when using the "-f" flag.

When using fragmentation we must pay attention to two potential issues:

  • Source Defragmenting: on some systems, is not posible to send highly fragmented packets, this is the case for for example for IPTables, in this case we must ensure that nmap uses raw ethernet frames
  • Fragment Queuing: this issue is related to the fact that some firewall defrags (aka reassembles) the packets before sending them to destination, in this case fragmentation doesn't work and we must use something else

Idle Scan

This scan is based upon the fact that some systems use a monotonicly increasing "id" field in the IP header when sending packets out, these systems are called "idle systems" and if we can find an idle system (i.e. a system who is using the id field or increments it when sending packets out), we can perform a scan that completely hides our identity, and this is very sneaky. Here is how it all works, let's say we found an idle system which is a printer; and we want to inspect another target machine port; what happens is:

  • in the case of Port Opened:
  • We send a SYN+ACK packet to the idle system (the printer)
  • he replies back with RST,ID=55 (55 is used only as example
  • we then send a spoofed SYN packet to the target machine (so we mask our IP as we were the printer)
  • now if the port is open, the system will send to the printer a SYN+ACK packet, and the printer will reply to the target system with a RST,ID=56
  • now we send again a SYN+ACK packet to the printer and if the printer replies with RST,ID=57 (i.e. ID=initialID+2) then this means that the port on the target machine is open, since it replied to our fake (spoofed) request
  • in the case of Port Closed:
  • We send a SYN+ACK packet to the idle system (the printer)
  • he replies back with RST,ID=55 (55 is used only as example
  • we then send a spoofed SYN packet to the target machine (so we mask our IP as we were the printer)
  • now since the port is closed the target system won't send any packet to the printer
  • now we again send a packet to the printer, and if the printer sends a packet with RST, ID=initialID+1, this means that the inspected port is closed

In order to find a zombie machine, we can use nmap or hping3, with nmap if we want to understand if a machine is a zombie we can do:

nmap -O -v <target>

If the machine is a zombie, we should see the message: "IP ID Sequence Generation: Incremental".

Idle scans are sneaky and perform the check with the help of a zombie host, we can perform this kind of scans with the flag "-sI", and these kind of scans are of the form:

 nmap -sl zombieHostIPAddress targetHostIPAddress

Anyway this technique becomes effective only if we can find the above defined "idle systems", and we'll check this in the nmap scripting modules (to be precise this can be achieved with --script ipidseq); now let's see an example of idle scan from nmap:

 nmap -sI 192.168.5.4 192.168.23.88
 # in this case we use as zombie host (aka idle system)
 192.168.5.4 and our target host is 192.168.23.88

NAT

This is another thing that can frustrate our scanning, what happens here is that, if we are inside a NAT and perform a scan, we have no problems, while in other case if we want to perform scan on a computer inside a NAT, we are blocked by the firewall, so the scan of an internal host from the outside of a firewall won't work.

IDS

A network IDS (Intrusion Detection System) is a device that monitors network traffic from malicious activity and produces reports about policy violation which are published to a management station. An IDS works in promiscous mode and performs analysis of passing traffic for the entire subnet, once an attack is identified or abnormal behaviour is sensed, an alert can be sent to the network administrator. An IDS can be configured to sense for many kind of attacks:

  • signatures
  • anomalies
  • packet rates

Avoiding IDS Detection

There are diverse techniques to avoid IDS detection,

  1. Send traffic at a very low rate
  2. Make traffic appear as if it was legit
  3. Hiding ourself with IP spoofing
  4. Hiding ourself with MAC spoofing
  5. Flooding IDS with misleading data

The first solution can be achieved by this option: -T paranoid (or -T 0), in this case, we are absolutely not flooding the network, so attacks can be hard to detect

The seconnd solution is about to make my traffic seem as legitimate as possible, this can be achieved with the following options:

  • --source-port portnum (or) -g portnum ;this specifies the source port from which the traffic is coming
  • --data-length num ;this appends random data in a packet

Let's see an example in action:

 nmap -PA -g 443 -p 6756 --data-length 812 218.45.187.23
 # in this case we are making the IDS think that we are sending our
 # packets from the https protocol (port 443), so the random data
 # will be interpreted as encrypted

Another technique is hiding ourself, this can be done through a "source spoofing", which can be done with "-S source-address", in this case we make the IDS think that the sent packet is coming from the mentioned ip address. This creates some interesting traffic on the target system, but we won't get any additional info, since the reply is sent to the mentioned ip address and not to us, this can be useful only in the case of an idle scan. This option can even have a "legitimate" use, indeed we can have multiple network interfaces and different network addresses, so with "-S sourceAddress" and "-r interface" we can set on which interface or with which ip address we are sending our packets.

Another similar technique is the one of MAC spoofing, this can be done with the "--spoof-mac" option, here we can specify:

  • Full MAC address
  • Prefix
  • Vendor Name

Let's see some examples of the above mentioned options:

 nmap -e eth0 218.45.187.23
 # we set as interface eth0 to scan the mentioned ip address
 nmap -S 192.168.1.1 192.168.1.23
 # we set as source ip address the first mentioned IP and the
 scan is made on the second IP address
 nmap --spoof-mac Cisco 192.168.1.23
 # in this case we make the target think, we have a Cisco network
 # card, by setting a specific format for the MAC address which the target will
 # recognize as Cisco, and plus additional data

Another technique to hide our scans is by flooding the IDS with misleading data. The "-D" option in nmap allows us to specify other addresses which will work as decoys. The target system will see that he's been scanned from multiple hosts, and won't know for sure which one has initiated the probe, or which one is innocent. An example is:

 nmap -D 56.23.52.98,12.34.18.9 218.45.187.23
 # in this case the first two addresses will be the decoys,
 # and we are going to scan the third address

Another option is to use random decoys, we can do that like this:

 nmap -D RND:10 218.45.187.23
 # here we use 10 random decoys

Notice that the decoys are comma separated, and the more decoys we put, the more we hide, but the scan will take longer times, since nmap has to generate several packets to send to the target machine.