Nmap Firewall Evasion Techniques

Advisories

Feature Articles

Need an in-depth introduction to a new security topic? Our features articles will bring up up-to-date on everything from buffer overflows to SE Linux policy development.

Discover LinuxSecurity Features

Nmap Firewall Evasion Techniques

NMapFirewallEvasion 1

The primary goal of firewall penetration testing is to prevent unauthorized internet access to your organization's internal network, or check to make sure your security policy is doing what you think it's doing. In order to successfully test your organization's firewall, you must think like the adversary. Collecting intelligence on the network, such as operating system and firewall type, are important to know in order to proceed with the penetration test. 

A firewall penetration test's success is determined by a number of factors. Making sure firewall policies and rules are properly configured can greatly limit the success of attacks and prevent the majority of unauthorized connection attempts. The first step in firewall penetration testing is to find the firewall. Nmap, a popular open-source tool for network discovery and auditing, can be used to accomplish this. This tutorial will demonstrate how nmap can be used for firewall penetration testing to evaluate and improve the security of your network.

Detecting a Firewall

Determine Firewall Rules

Understanding firewall policies is the first step towards passing them. Firewall rules must be tested in a vigorous way to make sure they're protecting the internal systems the way we expect they are. Individual firewall subversion techniques each have a low probability of success, so admins should try as many different methods as possible. The attacker only needs to find one misconfiguration to succeed, while network defenders must close every hole.

Nmap distinguishes between ports that are reachable but closed and those that are actively filtered as much as possible. To obtain a deeper grasp of the network, start with a standard SYN port scan and work your way up to more advanced techniques like ACK scans and IP ID sequencing.

OS Detection

Nmap can run scans to detect the operating system, version, and services on a single or numerous devices. When conducting network penetration testing, detection scans are important to the enumeration process. It's critical to know where susceptible devices are on the network so that they can be repaired or replaced before being attacked.Other tests that make use of the information obtained are enabled by OS detection.

Run the following command to detect OS and Services

 nmap -A [Target IP]

https://lh3.googleusercontent.com/p2Cvl2b7P6Duvjq9_A0HiL5dYPqQ8LoTerR2XJHrkAMij-7rq5y1ZJXLSU02qDyk_KdtePtsr8SevasSOlYYlP7YcksgPFEIJptgEh6VvgYM-zDssLyYtgm63h1qrFqM6nInqAT5

https://lh3.googleusercontent.com/Upq2ld2oofd5Fi7-71CX5EpeMZGP5FAaGra_Xycg4eSZ4DxSj-7F01dRyRHQEp92mjg_LdQSpfQ47uClvoz8UatxGz1qUYE9LS5zgYzaihKnA9xT8MlS1ksvMRP_p_oMtRAtOoVk

Note: This command returns much more information than shown, however, I decided that this was the most relevant.

SYN Port Scanning

In Nmap, a stealth scan, also known as a half-open scan, is one of the scanning methods that an intruder can use to get beyond the firewall and authentication systems. Furthermore, by employing this strategy, the scan is disguised as typical network traffic, obscuring the scan. The connection is not fully established since the attacker does not send the ACK packet to the victim system. This type of scan can be used to prevent transmission from being captured in the target network.

nmap -sS -P0 [Target IP]

https://lh5.googleusercontent.com/X5c87vP5sSlUZYkvdT2TfTu4VYFwsH_k6HlllkaND56o1W7LzTVFmMOOnPtHvscLiUnoCBRpGiRxtA_QBieJ-ayBPPDscQWkH1ccmJyKyCLAOn0bZWJMTiqJT_73pYaOlLJgN303

ACK Probing

The goal of this type of scan is to learn more about filter settings rather than the condition of the port. This form of scanning is rarely useful on its own, but when paired with SYN scanning, it provides a more full picture of the firewall rules. Whenever a TCP ACK segment is sent to a closed port or sent out-of-sync to a listening port, the device is expected to respond with a RST, according to RFC 793. Receiving RSTs in response to an ACK scan provides useful information to the attacker, which can be used to determine the firewall present. Out-of-sync ACK packets will be discarded by stateful firewalls, resulting in no response. The port is marked as filtered when this happens.

For this scan, we will probe port 22:

 nmap -sA -p22 [Target IP]

https://lh5.googleusercontent.com/E0zQyDU_Nhhw4WkrcefuRUm2pYdmFKQQY-Hk3TIY1Aj-yRLPDBUWZw-yb0T5YfR8Rjx66DI7YSAWGlCxyxsCd9hW8YIx_lLcn38FDXuhZKBKx2OqE9uC9H347TQ2ZQXHXk-9SIyh

Firewall Evasion

Decoy Scan

Nmap can fake packets from other hosts in this type of scan. It will be far more difficult to tell which machine launched the scan because the firewall logs will include not just our IP address but also the IP addresses of the decoys. It's important to remember that the hosts you'll be using as decoys must be online for this method to work. Using a large number of decoys might also generate network congestion.

When performing this type of scan, you have two options.

nmap -D decoy1, decoy2, decoy3 etc. 

This option allows you to manually specify the IP addresses of the decoys

nmap -D RND:3 [Target IP] This option generates a random number of decoys. In this example we use 3 decoys.https://lh4.googleusercontent.com/FMa5qdrplkl2jdYzjUB3xTAfvSCCbmCwIScRYIG2tVhjzDjk4lZnbfP-tiQiu_JBJhBqkuCbM4Ob6z2KliQU8c9K23omz7lyMebF1iMfr8DNVxuxQjXkoALnicorSRi1KvOhBEXC

Below is a screenshot from wireshark demonstrating the random IP addresses of the decoys:

https://lh6.googleusercontent.com/sWiS6Lqy56onNEKXdUEu2Gi6XBlK4WmSlXnz5pQ8uJ7emOFWnwW3LJOWlomhGFcF5y9kBX92fv9Mh27KNYvK7DG2tSku1EI3Fzec1iUD_LMWWnpwIZPWqgDnRSXVEAYA-l8ntU_b

Fragment packets

IP packet fragments cause problems for some packet filters. Firewalls could reassemble the packets on their own, but it would necessitate additional resources. It's also possible that fragments will take separate paths, making reassembly impossible. Because of this complication, some filters discard all pieces, while others pass all but the first. If the first fragment isn't long enough to carry the entire TCP header, or if the second packet partially overwrites it, unexpected events can occur. This technique was very effective a long time ago but is now obsolete against today’s firewalls. However, you can still use it against a firewall that is improperly configured.

For this example we will target port 22:

nmap -f -p22 [Target IP]

https://lh5.googleusercontent.com/xdaGh2t_Xz7P8Iw6y1F5Gv1B1u9d2CdIzV46K2hKQcfZhpQaIhMxQyh3gplvTyatwOU6URJxt9kA56Gy89J3eZgpWbnXHZsi0NU4fdkDl3aTNbamnR4M8dgDU88mB0LpFkAv-aaF

Below is a screenshot from wireshark demonstrating the fragmented packets sent:

https://lh3.googleusercontent.com/3Jewpm-yebhzTcuri0a6xMG527_r6AYvAkM5KgAQJqHKHJ4RNNu8ccr4930z0rkMkmu9mZqeDw2mSlWSgWjJf8qhCTcls2SVZttST9f1AeSPQgmbrpM9UQ4R2R8wEfcrjaH156gu

Specifying MTU

Nmap allows the user to specify a specified MTU (Maximum Transmission Unit) for a packet. This is comparable to the packet fragmentation process. During the scan, Nmap will create packets with a size based on the number that we give. The number must be a multiple of 8. In this example we use 16:

nmap --mtu 16 [Target IP]

https://lh5.googleusercontent.com/cNze5RPbY2d9QEq3Fo8xEuwT0tb6d0dpgdRQa8jMmd-f1oOFtO_IBmps_UzZ3Jlxl73622zeY94LgU2QkxR5iQQc06xxhpnzievWPTdu1-m-IaMq4WYhPRZK2cZ07FnZRzLaq2yr

MAC Address Spoofing

Spoofing your host's MAC address is another way to get around firewall restrictions when running a port scan. This can be highly effective, especially if a MAC filtering rule is in place to allow only communication from specific MAC addresses, so you will need to find out which MAC address you need for this to work. Your scan will be more stealthy because your actual MAC address will not be visible in the firewall log files. The –spoof-mac option allows you to select a MAC address from a specified vendor, a random MAC address, or a specific MAC address of your own.

Nmap -sT -Pn –spoof-mac [Vendor or Specified MAC] [Target IP]

https://lh6.googleusercontent.com/M1Z9EvYNOe0fSkBaQNMBFSIiV6qLZaJMkDhcv6nCixYscqdGL1PmdtuX-f_S_KkBWCF9idO6s5di4ss5Fif6k44YIyxKbj8bqgBLtrZJs6dHy4xYfK2IDZJ1x-V5rZuoXEoWj32n

Source Port Manipulation

A common error system admins make is trusting traffic only based on the source port number. DNS may be damaged in particular because UDP DNS responses from external servers can no longer reach the network. Another common example is FTP. The remote server tries to establish a connection with the client to send the requested file during active FTP transfers. Secure solutions are available to address these issues, however, administrators continue to make the mistake of allowing incoming traffic from DNS and FTP ports, without securing them. 

To exploit these flaws, Nmap provides the -g and —source-port options. Provide a port number, and Nmap will send packets from that port if it is available. For specific OS detection tests to operate effectively, Nmap must use distinct port numbers. Most TCP scans, including SYN scan, and UDP scans, fully support the option.

nmap -g [Target IP]

https://lh6.googleusercontent.com/k1JqG-j4HOnZs1PW3rYUv6rf3bJlL2AOwXvCCmhNyWMm4xla4gdDu6daLKVvpbd0EwC03Vwr5Si7rAEBBYI4gnjY-z07uPOm3KTFPrzOFDAh3PYxoql3tcP5GyVqPHHbEQiJEGBF

Conclusion

Because firewalls are the first line of protection against outside incursions, firewall testing is one of the most critical types of network tests that can be performed. Many of these techniques may not work on a network with properly configured IDS and firewalls. Because each scenario is unique, you must determine which option will work best for you.

After testing, you should go through the policies and rules ensuring that they are properly configured. This can greatly limit the success of attacks and prevent the majority of unauthorized connection attempts. More tests should be done after this to confirm the expected configurations.

Once policies have been properly configured, you should make a report. It's just as crucial to document everything as it is to perform the test. Instead of waiting until the end of the test, add all important facts and tools as you go through the procedure. This will save time and confusion when it is time to make a report.




Comments (0)

There are no comments posted here yet