Nmap-Firewall Evasion Techniques
- As a penetration tester you will come across systems that are behind firewalls.
- So you will need to get around the firewall rules that are in place in order to discover information about a host.
- This step of a penetration test is called firewall evasion.
- Nmap offers many options for firewall evasion.
Fragmentation scanning
- Instead of just sending the probe packet, you break it into a couple of small IP fragments.
- You are splitting up the TCP header over several packets to make it harder for packet filters and similar devices to detect what you are doing.
- The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
- This technique was very effective in the old days; however, you can still use it if you find a firewall that is not properly configured.
- Command: nmap -f ip_target
Specify Specific MTU
- Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets it sends.
- This is similar to the packet fragmentation technique.
- During the scan, nmap will create packets whose size is based on the number that we give.
- In this example we gave the number 24, so nmap will create 24-byte packets, causing confusion to the firewall.
- Have in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
- Command: nmap --mtu number target_ip
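The two slides above (fragmentation with -f and a small --mtu) both produce IP datagrams whose first fragment is too short to carry the whole TCP header, which is exactly what a stateful firewall or IDS checks for before deciding to reassemble or drop. The following is an added example, not code from the slides or from Nmap: it models a packet log as constructed `IPFragment` records (addresses from the RFC 5737 documentation ranges) and flags datagrams whose first fragment cannot hold the transport header. The fragment offset is kept in 8-byte units, as in the IP header, which is also why the MTU value must be a multiple of 8.

```python
from dataclasses import dataclass

TCP_HEADER_MIN = 20   # bytes: smallest TCP header (no options)
UDP_HEADER_LEN = 8    # bytes


@dataclass(frozen=True)
class IPFragment:
    """One IP fragment as a firewall would see it (constructed record type)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    ident: int          # IP identification field, shared by all fragments of a datagram
    offset: int         # fragment offset in 8-byte units, as carried in the IP header
    more_fragments: bool
    payload_len: int    # bytes of transport-layer data carried in this fragment


def is_tiny_first_fragment(frag: IPFragment) -> bool:
    """True when this is the first fragment of a fragmented datagram and it is too
    short to hold the full transport header (the RFC 1858 "tiny fragment" case)."""
    if frag.offset != 0 or not frag.more_fragments:
        return False
    needed = TCP_HEADER_MIN if frag.proto == "tcp" else UDP_HEADER_LEN
    return frag.payload_len < needed


def summarize_datagrams(frags):
    """Group fragments by (src, dst, ident) and record count, first-fragment size
    and whether the first fragment is tiny."""
    groups = {}
    for f in frags:
        key = (f.src, f.dst, f.ident)
        g = groups.setdefault(key, {"fragments": 0, "first_len": None, "tiny_first": False})
        g["fragments"] += 1
        if f.offset == 0:
            g["first_len"] = f.payload_len
            g["tiny_first"] = is_tiny_first_fragment(f)
    return groups


def flagged_datagrams(frags):
    """Datagrams a filter should treat as suspicious (reassemble first, or drop)."""
    return sorted(key for key, g in summarize_datagrams(frags).items() if g["tiny_first"])


# Constructed sample log. Sizes follow what the slides describe: -f splits a 20-byte
# TCP header into 8 + 8 + 4 byte fragments; --mtu 16 would split a 24-byte header 16 + 8.
SAMPLE_FRAGMENTS = [
    IPFragment("203.0.113.7", "192.0.2.10", "tcp", 1001, 0, True, 8),
    IPFragment("203.0.113.7", "192.0.2.10", "tcp", 1001, 1, True, 8),
    IPFragment("203.0.113.7", "192.0.2.10", "tcp", 1001, 2, False, 4),
    IPFragment("203.0.113.7", "192.0.2.10", "tcp", 1002, 0, True, 16),
    IPFragment("203.0.113.7", "192.0.2.10", "tcp", 1002, 2, False, 8),
    # an ordinary, unfragmented SYN (24-byte header with an MSS option)
    IPFragment("198.51.100.5", "192.0.2.10", "tcp", 2001, 0, False, 24),
    # a legitimate large UDP datagram fragmented at a 1500-byte link MTU
    IPFragment("198.51.100.9", "192.0.2.10", "udp", 3001, 0, True, 1480),
    IPFragment("198.51.100.9", "192.0.2.10", "udp", 3001, 185, False, 200),
]

if __name__ == "__main__":
    for key, info in summarize_datagrams(SAMPLE_FRAGMENTS).items():
        print(key, info)
    print("flagged:", flagged_datagrams(SAMPLE_FRAGMENTS))
```

Only the two scanner datagrams are flagged; the unfragmented SYN and the normally fragmented UDP datagram pass, which is the distinction a filter needs so that it does not drop legitimate fragmentation.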
Use Decoy Addresses
- In this type of scan you can instruct Nmap to spoof packets from other hosts.
- In the firewall logs it will not be only our IP address, but also the IP addresses of the decoys.
- So it will be much harder to determine from which system the scan started.
- There are two options that you can use in this type of scan:
- – Generate 10 random decoys:
nmap -D RND:10 [target_ip]
- – Manually specify the IP addresses of the decoys:
nmap -D decoy1,decoy2,decoy3,…
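From the log reader's side, a decoy scan shows up as several source addresses probing the same destination ports within the same few seconds. The following is an added example, not code from the slides or from Nmap: it parses constructed firewall drop lines in a simple `timestamp DROP PROTO src:port -> dst:port` format (the format and all addresses are assumptions) and reports clusters of sources sharing a common port set on one destination, so that the whole cluster can be handled as one scan event rather than as unrelated probes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one drop line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "proto": d["proto"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}


def find_decoy_clusters(lines, window_seconds=5, min_sources=3, min_common_ports=3):
    """Bucket drops per destination into fixed time windows and report windows in
    which at least `min_sources` sources probed the same `min_common_ports` ports."""
    buckets = defaultdict(lambda: defaultdict(set))   # (dst, window) -> src -> ports
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        window = int((e["ts"] - EPOCH).total_seconds()) // window_seconds
        buckets[(e["dst"], window)][e["src"]].add(e["dport"])

    clusters = []
    for (dst, window), ports_by_src in sorted(buckets.items()):
        if len(ports_by_src) < min_sources:
            continue
        common = set.intersection(*ports_by_src.values())
        if len(common) >= min_common_ports:
            clusters.append({"dst": dst, "window": window,
                             "sources": sorted(ports_by_src),
                             "common_ports": sorted(common)})
    return clusters


# Constructed sample: one scanner plus three decoys hitting 22, 80 and 443 on one host,
# and one unrelated drop against another host.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP TCP 203.0.113.7:40001 -> 10.10.10.5:22
2024-05-01T10:00:00 DROP TCP 198.51.100.23:40001 -> 10.10.10.5:22
2024-05-01T10:00:00 DROP TCP 192.0.2.77:40001 -> 10.10.10.5:22
2024-05-01T10:00:00 DROP TCP 203.0.113.150:40001 -> 10.10.10.5:22
2024-05-01T10:00:01 DROP TCP 203.0.113.7:40002 -> 10.10.10.5:80
2024-05-01T10:00:01 DROP TCP 198.51.100.23:40002 -> 10.10.10.5:80
2024-05-01T10:00:01 DROP TCP 192.0.2.77:40002 -> 10.10.10.5:80
2024-05-01T10:00:01 DROP TCP 203.0.113.150:40002 -> 10.10.10.5:80
2024-05-01T10:00:01 DROP TCP 198.51.100.5:51000 -> 10.10.10.6:3389
2024-05-01T10:00:02 DROP TCP 203.0.113.7:40003 -> 10.10.10.5:443
2024-05-01T10:00:02 DROP TCP 198.51.100.23:40003 -> 10.10.10.5:443
2024-05-01T10:00:02 DROP TCP 192.0.2.77:40003 -> 10.10.10.5:443
2024-05-01T10:00:02 DROP TCP 203.0.113.150:40003 -> 10.10.10.5:443
"""

if __name__ == "__main__":
    for cluster in find_decoy_clusters(SAMPLE_LOG.splitlines()):
        print(cluster)
```

The correlation does not tell you which of the four addresses is the real scanner, which is the point the slide makes; it does let you raise one alert for the cluster instead of four, and avoid blocking the decoy addresses blindly, since they may belong to uninvolved hosts.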
Firewalk
- Firewalk gathers information about a remote network protected by a firewall.
- Purpose:
– Mapping open ports on a firewall
– Mapping a network behind a firewall
- If the firewall's policy is to drop ICMP ECHO Request/Reply, this technique is very effective.
Firewalking
How Does Firewalking Work?
It uses a traceroute-like technique to determine whether or not a particular packet can pass through a packet-filtering device.
Traceroute depends only on the IP layer (the TTL field), so any transport protocol can be used the same way (TCP, UDP, and ICMP).
What Does Firewalking Need?
– The IP address of the last known gateway before the firewall.
• Serves as the WAYPOINT
– The IP address of a host located behind the firewall.
• Used as the destination to direct packet flow
• Getting the Waypoint
– If we try to traceroute the machine behind the firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded (the firewall itself) can be determined.
– The firewall becomes the waypoint.
• Getting the Destination
– Traceroute the same machine with a different traceroute probe using a different transport protocol.
– If we get a response:
• That particular traffic is allowed by the firewall.
• We know a host behind the firewall.
– If we are continuously blocked, then this kind of traffic is blocked.
– Sending packets to every host behind the packet-filtering device can generate an accurate map of the network's topology.
Nmap NSE Firewalk (1)
• Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
• To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway. If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway next hop router, or eventually the metric itself if it is directly connected to the gateway. Otherwise, the probe will timeout.
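The mechanism described in the two firewalking slides above (waypoint discovery, then probes with a TTL one higher than the gateway) is easiest to see in a small simulation. The following is an added example, not code from the slides or from the Nmap NSE script: a constructed five-hop path with the filtering gateway at hop 3 and a constructed policy that forwards only TCP 80 and 443. A second run with `hide_inside_icmp=True` models a gateway that does not pass ICMP time-exceeded messages from the inside back out, which is the configuration choice that removes the signal firewalking depends on.

```python
# Constructed path (RFC 5737 and private addresses). PATH[FIREWALL_INDEX] is the
# packet-filtering gateway; the last entry is the "metric" host behind it.
PATH = ["198.51.100.1", "198.51.100.2", "203.0.113.1", "10.0.0.1", "10.0.0.50"]
FIREWALL_INDEX = 2


def sample_policy(proto, dport):
    """Constructed gateway policy: forward only TCP 80 and 443, drop everything else."""
    return proto == "tcp" and dport in (80, 443)


def send_probe(path, firewall_index, policy, ttl, proto, dport, hide_inside_icmp=False):
    """Walk one probe hop by hop. Returns (responder, message), or None on timeout."""
    for i, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            # TTL expired at this hop, which answers with ICMP time exceeded ...
            if hide_inside_icmp and i > firewall_index:
                return None          # ... unless the firewall drops ICMP from inside
            return (hop, "ICMP_TIME_EXCEEDED")
        if i == firewall_index and not policy(proto, dport):
            return None              # silently filtered: no reply of any kind
    return (path[-1], "reply")       # probe reached the metric host itself


def find_waypoint(path, firewall_index, policy):
    """Send with TTL equal to the gateway's hop count: its own time-exceeded reply
    identifies it regardless of the policy applied to forwarded traffic."""
    result = send_probe(path, firewall_index, policy, firewall_index + 1, "tcp", 22)
    return result[0] if result else None


def firewalk(path, firewall_index, policy, probes, hide_inside_icmp=False):
    """Probe with TTL one higher than the gateway. A time-exceeded from the next hop
    means the gateway forwarded the probe; silence means it was filtered."""
    ttl = firewall_index + 2
    results = {}
    for proto, dport in probes:
        r = send_probe(path, firewall_index, policy, ttl, proto, dport, hide_inside_icmp)
        results[(proto, dport)] = "forwarded" if r and r[1] == "ICMP_TIME_EXCEEDED" else "filtered"
    return results


PROBES = [("tcp", 80), ("tcp", 22), ("udp", 53), ("tcp", 443)]

if __name__ == "__main__":
    print("waypoint:", find_waypoint(PATH, FIREWALL_INDEX, sample_policy))
    print("leaky gateway:", firewalk(PATH, FIREWALL_INDEX, sample_policy, PROBES))
    print("quiet gateway:", firewalk(PATH, FIREWALL_INDEX, sample_policy, PROBES, hide_inside_icmp=True))
```

With the leaky gateway the scanner recovers the policy exactly; with the quiet gateway every probe looks filtered, so the rule set cannot be inferred from the outside even though the real policy is unchanged.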
Idle Zombie Scan
• This technique allows you to use another host on the network that is idle in order to port scan another host.
• The main advantage of this method is that it is very stealthy, because the firewall log files will record the IP address of the zombie and not our IP.
• However, in order to get proper results, we must find hosts that are idle on the network.
• The Metasploit framework has a scanner that can help us discover hosts that are idle on the network, and it can be used while implementing this type of scan.
• Nmap's IPID idle scan allows us to scan a target a little more stealthily while spoofing the IP address of another host on the network.
• In order for this type of scan to work, we will need to locate a host that is idle on the network and uses IPID sequences of either Incremental or Broken Little-Endian Incremental.
• Metasploit contains the module ‘scanner/ip/ipidseq’ to scan and look for a host that fits the requirements.
• Based on the scan result we get from Metasploit, we will use the hosts that have IPID Sequence class = Incremental as our zombie hosts.
• Command:
nmap -sI zombie_ip target_ip
or
nmap -Pn -sI ip_zombie -v ip_target
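The slide ties the idle scan to a host's IPID sequence class, so the useful check for an administrator is whether any of their own hosts still hand out predictable IP IDs. The following is an added example, not code from the slides, Nmap or Metasploit: a simplified classifier over a list of sampled 16-bit IP ID values that distinguishes the classes the slide names (Incremental and Broken Little-Endian Incremental) from constant and randomized sequences. The `IPID_INCREMENT_LIMIT` threshold is an assumption chosen for this example, not Nmap's exact rule, and the sample sequences are constructed.

```python
IPID_INCREMENT_LIMIT = 1000   # assumed upper bound on a per-packet increment (example value)


def _diffs(values):
    """Successive differences modulo 2^16, since the IP ID field wraps."""
    return [(b - a) % 65536 for a, b in zip(values, values[1:])]


def _byteswap16(x):
    return ((x & 0xFF) << 8) | (x >> 8)


def classify_ipid_sequence(ids):
    """Classify a sampled IP ID sequence the way an idle-scan zombie check does.
    Broken little-endian hosts increment the wrong byte, so their raw differences
    are multiples of 256 while the byte-swapped values increment normally."""
    if len(ids) < 3:
        return "Unknown"
    diffs = _diffs(ids)
    if all(d == 0 for d in diffs):
        return "Constant"
    swapped_diffs = _diffs([_byteswap16(x) for x in ids])
    if (all(d != 0 and d % 256 == 0 for d in diffs)
            and all(1 <= d <= IPID_INCREMENT_LIMIT for d in swapped_diffs)):
        return "Broken little-endian incremental"
    if all(1 <= d <= IPID_INCREMENT_LIMIT for d in diffs):
        return "Incremental"
    return "Randomized"


def ipid_predictable(ids):
    """True when the host's IP ID behaviour is one an idle scan can use; hosts that
    randomize their IP IDs (the mitigation) come back False."""
    return classify_ipid_sequence(ids) in ("Incremental", "Broken little-endian incremental")


# Constructed samples: what four different hosts might return across a few probes.
SAMPLE_SEQUENCES = {
    "printer":   [1000, 1001, 1002, 1003, 1005],
    "legacy-os": [0xE803, 0xE903, 0xEA03, 0xEB03],     # 1000, 1001, ... with bytes swapped
    "modern-os": [40213, 3, 61010, 22897],
    "appliance": [7, 7, 7],
}


def classify_samples(samples=SAMPLE_SEQUENCES):
    return {name: classify_ipid_sequence(seq) for name, seq in samples.items()}


if __name__ == "__main__":
    for name, cls in classify_samples().items():
        print(f"{name:10s} {cls:35s} predictable={ipid_predictable(SAMPLE_SEQUENCES[name])}")
```

A host that classifies as Incremental or Broken little-endian incremental is the kind the slide says an idle scan needs; enabling IP ID randomization on such hosts (the default on current operating systems) removes them from consideration.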
Source Port Number Specification
• A common error that many administrators make when configuring firewalls is to set up a rule that allows all incoming traffic coming from a specific source port number.
• The --source-port option of Nmap can be used to exploit this misconfiguration.
• Common ports that you can use for this type of scan are 20, 53 and 67.
• Command: nmap --source-port 53 ip_target
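The misconfiguration on this slide is a rule that trusts the source port alone. The following is an added example, not code from the slides or from any firewall product: the weak, stateless rule next to a minimal stateful filter that only admits inbound packets belonging to a connection initiated from inside, or new connections to explicitly published ports. Packets and addresses are constructed; `Packet`, `StatefulFilter` and the inside prefix are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP packet as a filter sees it (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True
    ack: bool = False


def stateless_allow(pkt: Packet) -> bool:
    """The weak rule from the slide: trust any inbound packet whose source port is 53."""
    return pkt.sport == 53


class StatefulFilter:
    """Allow inbound traffic only as a reply to a connection opened from inside,
    or as a new connection to a published service port."""

    def __init__(self, inside_prefix: str, published_ports):
        self.inside_prefix = inside_prefix
        self.published_ports = set(published_ports)
        self.sessions = set()    # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(self.inside_prefix):
            # Outbound packet: remember the 4-tuple so the reply is admitted.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True          # reply to something we initiated
        if pkt.syn and not pkt.ack and pkt.dport in self.published_ports:
            return True          # new connection to a service we publish
        return False             # everything else, whatever its source port


def run_sample():
    """Constructed traffic: a probe with source port 53 against SSH, a real DNS
    exchange started from inside, and a connection to a published web port."""
    fw = StatefulFilter("192.0.2.", published_ports={443})
    probe = Packet("203.0.113.9", 53, "192.0.2.10", 22)
    query = Packet("192.0.2.10", 40000, "198.51.100.53", 53)
    reply = Packet("198.51.100.53", 53, "192.0.2.10", 40000, syn=False, ack=True)
    web = Packet("203.0.113.9", 40001, "192.0.2.10", 443)
    return {
        "probe_stateless": stateless_allow(probe),
        "probe_stateful": fw.allow(probe),
        "dns_query": fw.allow(query),
        "dns_reply": fw.allow(reply),
        "web_connect": fw.allow(web),
    }


if __name__ == "__main__":
    for name, allowed in run_sample().items():
        print(f"{name:16s} {'allow' if allowed else 'drop'}")
```

The stateless rule admits the probe; the stateful filter drops it while still letting the genuine DNS reply from port 53 through, because that reply matches a session the inside host opened.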
Append Random Data
• Many firewalls inspect packets by looking at their size in order to identify a potential port scan.
• This is because many scanners send packets that have a specific size.
• In order to avoid that kind of detection you can use the --data-length option to append additional data and send packets with a different size than the default.
• In the next slide we have changed the packet size by adding 25 more bytes.
• The size of a typical packet that nmap sends to the target is 58 bytes.
• Command: nmap --data-length length_number ip_target
Scan with Random Order
• In this technique you scan a number of hosts in random order rather than sequentially.
• The option that instructs Nmap to scan hosts in random order is --randomize-hosts.
• This technique combined with the slow timing (-T) options of Nmap can be very effective when you don't want to alert firewalls.
• Command: nmap --randomize-hosts ip_target
MAC Address Spoofing
• Another method for bypassing firewall restrictions while doing a port scan is spoofing the MAC address of your host.
• This technique can be very effective especially if there is a MAC filtering rule that allows only traffic from certain MAC addresses, so you will need to discover which MAC address you need to set in order to obtain results.
• Specifically, the --spoof-mac option gives you the ability to choose a MAC address from a specific vendor, to choose a random MAC address, or to set a specific MAC address of your choice.
• Another advantage of MAC address spoofing is that it makes your scan stealthier, because your real MAC address will not appear in the firewall log files.
• Command:
– Specify a MAC address from a vendor: nmap --spoof-mac Dell/Apple/3Com ip_target
– Generate a random MAC address: nmap --spoof-mac 0 ip_target
– Specify your own MAC address: nmap --spoof-mac 00:01:02:25:56:AE ip_target
Send Bad Checksums
• Checksums are used by the TCP/IP protocols to ensure data integrity.
• However, sending packets with incorrect checksums can help you discover information about systems that are not properly configured, or when you are trying to avoid a firewall.
• You can use the command nmap --badsum IP_target in order to send packets with bad checksums to your targets.
• In the next image we didn't get any results; this means that the system is correctly configured.
• Command: nmap --badsum ip_target
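The slide's "no results means the system is correctly configured" rests on the receiving stack verifying the transport checksum and silently dropping what fails. The following is an added example, not code from the slides or from Nmap: it builds a constructed TCP SYN segment, computes the TCP checksum over the IPv4 pseudo-header as RFC 793 specifies (--badsum corrupts the TCP/UDP/SCTP checksum, not the IP header checksum), and shows the verification a correct host or inline filter performs. Addresses, ports and the `build_syn` helper are constructed for the example.

```python
import struct
from socket import inet_aton


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum shared by the IP, TCP and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length data is padded with a zero byte
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: str, dst: str, segment_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6 (TCP), TCP length."""
    return struct.pack("!4s4sBBH", inet_aton(src), inet_aton(dst), 0, 6, segment_len)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum of a TCP segment with its own checksum field (bytes 16-17) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(_pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF


def tcp_checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    """What the receiver does: summing pseudo-header plus the whole segment,
    checksum field included, must give all ones."""
    return ones_complement_sum(_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000,
              bad_checksum: bool = False) -> bytes:
    """Constructed 20-byte TCP SYN (no options). bad_checksum flips one bit of the
    correct checksum, which is guaranteed to make the one's complement check fail."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src, dst, header)
    if bad_checksum:
        csum ^= 0x0001
    return header[:16] + struct.pack("!H", csum) + header[18:]


def host_accepts(src: str, dst: str, segment: bytes) -> bool:
    """A correctly configured stack or filter drops the segment before any port
    logic runs, so a bad-checksum probe produces no reply at all."""
    return tcp_checksum_valid(src, dst, segment)


if __name__ == "__main__":
    good = build_syn("203.0.113.7", "192.0.2.10", 40000, 80)
    bad = build_syn("203.0.113.7", "192.0.2.10", 40000, 80, bad_checksum=True)
    print("good checksum accepted:", host_accepts("203.0.113.7", "192.0.2.10", good))
    print("bad checksum accepted: ", host_accepts("203.0.113.7", "192.0.2.10", bad))
```

Because the pseudo-header includes the source and destination addresses, the same segment is only valid for the address pair it was computed for, which is also why a NAT device must rewrite the TCP checksum when it rewrites addresses.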