Firewall Basic Bypassing Techniques With Nmap and Hping3

Information Security, Network, Tips 'N' Tricks

Credit: Uladzislau Murashka

Data security is a top priority for systems administrators. Systems admins always try to keep ports closed for public use, which is not required. There are many firewall solutions available on the market, starting from simple iptables and ending with complex cloud solutions. In our current case, we will take a look at several interesting tools like Nmap and hping and methods on how to find out if a port is actually used by something.

Nmap

The first tool we will try is Nmap. It provides numerous features to assist in mapping and grasping intricate networks. One of the ideal techniques of understanding network security from the sysadmin or penetration tester’s perspective is the attempt to surmount it. Firewalls can attempt to render the reconnaissance phase and Nmap’s scanning capabilities less efficient for the adversary.

The hacker can evade the firewalls and intrusion detection systems implemented by their adversaries by using several firewall evasion techniques with Nmap. This tool supports multiple scan types like Connect Scan(by default), ACK Scan, TCP scan, UDP scan, etc. and have a good amount of available scripts, which we can use during scans execution and even a vulnerability assessment process, so a hacker can begin to build a picture of your network topology and learn which machines are connected to it, which versions of operating systems are running, which ports are open, and what vulnerabilities might exist.

Firewalls Bypassing Scan Examples

 
nmap -f 192.168.1.12
 

The -f command induces our scan to deploy diminutive fragmented IP packets. Specifically, our command utilizes 16 bytes per fragment which diminishes the number of fragments. Fragmented packets is one of them and consist in sending several tiny packets instead of one normal size packet.

You can use fragmented packets with Nmap using the “-f” option, however, nowadays most firewall and IDS detect fragmented packets.

 
nmap --mtu 16 192.168.1.12
 

The above nmap --mtu command allows us to specify our own offset size. Remember that the offset size has to be a multiple of 16.

  • Nmap is giving the option to the user to set a specific MTU (Maximum Transmission Unit) to the packet.
  • This is similar to the packet fragmentation technique.
  • During the scan, Nmap will create packets with a size based on the number that we will give.
  • In this example, we gave the number 24, so the Nmap will create 24-byte packets, causing confusion to the firewall.
  • Keep in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
 
nmap --badsum 192.168.1.12
 

Badsum command induces the deployment of an invalid TCP/UDP/SCTP checksum for packets transmitted to our target. As practically every host IP stack would correctly drop the packets, each response accepted is possibly originating from a firewall or Intrusion Detection System that wasn’t concerned with confirming the checksum. Additionally, we try to use some scripts from the Nmap NSE like “firewall-bypass,” but I should warn you that results from the usage of this script can be a false positive with a high percentage.

 
nmap -sS -T5 192.168.1.12 --script firewall-bypass
 

This script detects a vulnerability in Netfilter and other firewalls that use helpers to dynamically open ports for protocols such as FTP and sip (in our case, we also combine it with stealth scan). The script works by spoofing a packet from the target server asking for opening a related connection to a target port, which will be fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the firewall for this to work. The script supports FTP helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.

Vulnerability Scan Example

 
nmap -sV -T4 -F 192.168.1.12 --script vuln
 

This is the simple usage of a quick verbose vulnerability scan with the help of Nmap and NSE. Below, we will provide some information about the keys we are using here:

  •  -sV will probe open ports to determine service/version info
  •  -T4 this setting is required to set up scan speed (T5 is the maximum, most aggressive scan)
  •  -F  means that we going to scan 100 most popular ports (this option also required for quick scans)
  •  --script vuln  tells Nmap to load specific NSE script, which will help us determine vulnerabilities with results based on port scanning and banner analysis

hping3

Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP, and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. It is one kind of tester for network security and one of the de-facto tools for security auditing and testing of firewalls and networks. It was used to exploit the idle scan scanning technique, which now is implemented in the Nmap scanner as well.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. A subset of the stuff you can do using hping include:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, and fragmentation
  • Manual path MTU discovery
  • Remote OS fingerprinting
  • Advanced traceroute under all the supported protocols
  • TCP/IP stacks auditing
  • Remote uptime guessing

Firewall Testing Scan Examples

First off, we are going to send a simple PING (ICMP Echo Request) packet to our target.

 
hping3 -1 -c 1 192.168.1.12
 

The –1 in this command tells hping3 to use ICMP, which, by default, sends an Echo Reply.
The -c 1 states that we only want to send 1 packet, and the 192.168.1.12 is our target. From the command output, we see that 1 packet was sent and received.

We going to test a well-known port 80 (HTTP). Since SYN is the first step in the three-way handshake of a TCP connection (SYN, SYN-ACK, ACK), if the port is open, we would receive the proper SYN-ACK response due to the target attempting to complete the connection. This is a popular technique used in port-scanning known as a “half-open connection.”

 
hping3 -S -c 1 -s 5151 -p 80 192.168.1.12
 

In the result, we should see that our target has responded, and the output shows “flags=SA,” confirming that we have received an SYN-ACK packet. Since our target responded with an SYN-ACK (marked by [S.]and ‘ack‘), we know that our target’s port 80 is open and accepting connections.

We saw in the previous example that when we send an SYN packet to an open port, we receive an SYN-ACK. So, let’s see what kind of response we get when we send an ACK packet (the final part of the three-way handshake).

 
hping3 -A -c 1 -s 5151 -p 80 192.168.1.12
 

In the server response, we can see that our target responded, but this time with the RST flag set. We have successfully tested a host, set up rules to correct the issues we’ve found, and retested for proper functionality.

Happy bypassing!

Leave a Reply