Firewall and IDS/IPS Evasion

• Objective: Understand various techniques to bypass firewall rules and IDS/IPS using Nmap. Techniques include:

  • Packet fragmentation

  • Use of decoys

  • Changing source IP/port

  • Other methods

---

Firewalls

• Definition:

  A security mechanism that monitors and filters incoming network traffic.

• Functionality:

  • Examines network packets between external sources and the protected network.

  • Decides whether to pass, ignore, or block packets based on defined rules.

  • Rules might cause packets to be:

    • Dropped: No response is sent.

    • Rejected: A response (often with an RST flag or ICMP error) is sent back.

• Common ICMP Error Codes:

  • Net Unreachable

  • Net Prohibited

  • Host Unreachable

  • Host Prohibited

  • Port Unreachable

  • Proto Unreachable

---

Scanning Options Summary

• Common Options Used:

  • 10.129.2.28 – Target IP.

  • -p <ports> – Specify ports to scan.

  • sS – SYN scan.

  • sA – ACK scan.

  • Pn – Disable ICMP Echo requests.

  • n – Disable DNS resolution.

  • --disable-arp-ping – Prevent ARP ping.

  • --packet-trace – Show all sent/received packets.

  • D <decoys> – Use decoy IP addresses.

  • S <source_IP> – Specify source IP.

  • e <interface> – Use a specific network interface.

  • --source-port <port> – Use a specific source port.

Determining Firewalls and Their Rules

• Filtered vs. Rejected Ports:

  • Filtered: No response (packet is dropped).

  • Rejected: Response returned (often with an RST flag or specific ICMP error).

• Nmap Scans Overview:

  • SYN Scan (-sS):

    • Sends SYN packets to initiate connections.

    • For an open port, target typically replies with SYN-ACK.

  • ACK Scan (-sA):

    • Sends packets with only the ACK flag.

    • Used to check firewall filtering rules (since many firewalls allow ACK packets through regardless of connection state).

---

SYN Scan Example

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace

• Observation:

  • Port 22: Received a SYN-ACK (open).

  • Ports 21 and 25: Filtered (ICMP error or no response).

• Scan Report:

  • 21/tcp: filtered (ftp)

  • 22/tcp: open (ssh)

  • 25/tcp: filtered (smtp)

---

ACK Scan Example

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

• Observation:

  • Port 22: Returns an RST (indicating it is unfiltered).

  • Ports 21 and 25: Filtered (ICMP error or no response).

• Scan Report:

  • 21/tcp: filtered (ftp)

  • 22/tcp: unfiltered (ssh)

  • 25/tcp: filtered (smtp)

---

Decoys

• Purpose:

  • Hide the true origin of the scan by mixing real packets with decoy IP addresses.

• Usage in Nmap:

  • D RND:5 generates five random decoy IP addresses.

  • Your real IP is randomly inserted among these decoys.

• Example: Scan Using Decoys

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

• Observation:

  • The target sees multiple source IPs.

  • This can help bypass filters that block specific subnets.

• Note:

  • Spoofed packets might be dropped by ISPs/routers if not from the same network range.

  • You can also manually specify VPS IP addresses or manipulate IP IDs if needed.

---

OS Detection and Scanning with Different Source IP

• Testing Firewall Rules with OS Detection:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O

• Scan Report:

  • 445/tcp: filtered (microsoft-ds)

  • OS detection may be inconclusive if not enough open/closed ports are found.

• Scan with a Different Source IP:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

• Observation:

  • Using a different source IP (and a specific interface) might result in different firewall/IDS behavior.

  • 445/tcp now appears as open, and OS guesses (though not exact) are provided.

---

DNS Proxying and Source Port Manipulation

• DNS Queries:

  • By default, Nmap performs reverse DNS lookups.

  • Can be overridden by using -dns-server <ns>,<ns> to specify DNS servers (useful in DMZ scenarios).

• Using TCP Port 53:

  • Some firewalls might allow traffic from port 53 (trusted DNS).

  • You can specify the source port with -source-port 53.

---

SYN Scan of a Filtered Port

• Example:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

• Observation:

  • 50000/tcp: Filtered (e.g., ibm-db2)

  • Packets may be dropped, as shown by the packet trace.

---

SYN Scan from DNS Port

• Example:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

• Observation:

  • The scan appears to succeed.

  • 50000/tcp: Open (ibm-db2)

  • Insight: Firewalls accepting TCP traffic from port 53 can allow packets through that would normally be filtered.

---

Connecting to the Filtered Port Using Netcat

• Example using Netcat (ncat):

z3tssu@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000

• Observation:

  • Connection is established.

  • Banner (e.g., 220 ProFTPd) is returned, indicating that the firewall/IDS might be lenient with traffic from port 53.

---

Labs and Practice

• Scenario Practice:

  • Multiple lab scenarios are provided to practice evading firewall rules and IDS/IPS.

  • The techniques should be applied as quietly as possible to avoid triggering automatic blocks by the target’s security systems.

---

These notes cover the key concepts and examples provided, preserving the essential code blocks and details on scanning options and techniques for bypassing firewall/IDS rules.