
Detecting and bypassing firewalls



  • [1. Introduction]
  • [2. Principle of detection]
  • [3. Bypass principle]
  • [4. Conclusion]


  • [1. Introduction]

    Many articles describing the principles of bypassing firewalls leave out the main thing:
    how to find the firewall in the first place. In this article I will try to fill
    this gap and cover two principles at once: the principle of detecting a firewall and
    the principle of getting around it.
    So let's go ...

    [2. Principle of detection]


    As one would expect, every firewall has its own name, and with it a certain "stamp" on the
    network: some firewalls open special ports from which you can find out the
    version, the name and other interesting information. When detecting a firewall you need to be
    very attentive and keep your eyes open. Essentially, firewall detection is
    divided into several stages: a plain port scan, route tracing,
    reading service banners, and so on. I will try to describe each detection method
    in more detail. I will also say that there are a number of special utilities that
    help a great deal in detecting firewalls; I will try to cover them
    as well.

    So, it's time to learn more about the principles of detection.


    A. Plain port scan

    I hope many of you have scanned the ports of some IP address on the network. Every service
    has its own port, be it ftp (21), http (80), ssh (22), etc., and firewalls are no exception,
    though not all of them: I must say that not every firewall listens on a port. Some
    firewalls disguise themselves as daemons on ports like 23 (usually a Cisco router or something
    of the kind sits there). Here is a short list of ports on which firewalls sometimes listen, or
    listen by default:

    application:          port:
    cisco-manager (mgmt)  4001 (6001, 2001)
    checkpoint            DNS (53udp/tcp) RIP (520udp)
    cisco-xremotesrv      9001
    wingate               8080, 81
    realsecure            2998/2997/2999

    These are probably the most common firewalls today.
    So, when you connect to the ports above, you may be able to see the firewall's service banner.
    But again, I repeat: not always! I will also say that a properly configured firewall
    will not let you scan ports en masse, i.e. you will not be able to scan the address if you
    scan more than one port. Then the attacker's task really becomes complicated and
    other scanning methods have to be devised (such as scanning from a spoofed source address).
    I also want to say that some firewalls are configured so that access to the internal network
    is denied to everyone except the internal network itself: you will not be able to connect to ports
    filtered by the firewall unless you belong to the internal hosting network or
    local network. There are not many ways to get around such protection. I can only say that one
    way to scan "behind the firewall" was devised by the well-known former editor of
    Phrack magazine, Route. His Firewalk utility is able to scan ports behind a firewall. But
    it cannot be relied on 100% either to scan the ports correctly, since
    many firewalls are configured to check a packet's TTL before processing it
    (before checking the rule list). Therefore ICMP packets reporting TTL expiry will not be
    let through anyway.

    We now turn to tracking the route a packet takes through the network.

    B. Tracerouting

    I hope many of you have come across a program like tracert or traceroute, so I will just say that
    these programs can trace the route a packet takes through the network.

    On WIN32 systems the utility is tracert.exe, on Unix-like systems it is traceroute.

    Let's look at an example of tracing a packet's path, to identify a firewall on the route
    our UDP/ICMP packet takes:

    Tracing the route to 168.75.176.102
    with a maximum number of hops 30:

    1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [195.82.29.53]
    2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [195.82.28.7]
    3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [195.82.28.198]
    4 * * * Превышен интервал ожидания для запроса.
    5 * * * Превышен интервал ожидания для запроса.
    6 * * * Превышен интервал ожидания для запроса.
    7 * * * Превышен интервал ожидания для запроса.
    8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [166.63.220.69]
    9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [166.63.220.129]
    10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [208.173.216.25]
    11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [208.173.216.2]
    12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [208.173.211.233]
    13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [195.2.1.3]
    14 1050 ms 1037 ms 1036 ms 65.59.192.13
    15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [209.247.9.209]
    16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [64.159.4.150]
    17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [209.244.160.178]
    18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [65.106.3.37]
    19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [65.106.0.29]
    20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [65.106.0.34]
    21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [65.106.0.14]
    22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [65.106.5.34]
    23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [207.88.81.78]
    24 1404 ms 1181 ms * 66.238.47.34.ptr.us.xo.net [66.238.47.34]
    25 1614 ms 1378 ms 1378 ms 168.75.176.102

    Tracing completed.

    The above example shows very clearly how the packet passes through the network.
    It can be assumed that the firewall forms a certain chain of addresses through which our
    packet passes. At hops 1-3 of the trace you can see that the dialup server filters incoming
    packets; then the packet is sent across the network along the chain of addresses. In the end
    you can see that our packet arrives at its destination, 168.75.176.102. In this
    case I can say that the firewall is most likely 66.238.47.34, although I do not give a 100 percent
    guarantee, because in such cases you need to be extremely attentive.
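    Reading a trace like the one above by hand is error-prone, so here is a small parser for tracert-style output. It is an added example, not part of the original article: it picks out the runs of hops that answered nothing (hops 4-7 above, where TTL-exceeded replies are being dropped), the hops that dropped some probes, and the last replying hop before the destination, which is the device the article singles out. SAMPLE_TRACE is a shortened copy of the trace above with the timed-out lines in the English tracert wording; a defender can run the same script over traces toward their own perimeter to confirm which hops are deliberately silent.

```python
"""Parse tracert/traceroute output and point at the hops worth a closer look.

Added example, not part of the original article. SAMPLE_TRACE is a shortened
copy of the trace shown above (hops 9-23 omitted); the parser only cares
whether a hop line carries an address and how many probes it lost.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")               # "<ttl> <rest of line>"
RTT_RE = re.compile(r"(\d+)\s*ms")
ADDR_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"     # "[195.82.29.53]"
                     r"|(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # bare address at line end


@dataclass
class Hop:
    ttl: int
    addr: Optional[str]                       # None when every probe timed out
    rtts_ms: List[int] = field(default_factory=list)
    lost: int = 0                             # number of '*' probes on the line


def parse_hop(line: str) -> Optional[Hop]:
    """Turn one tracert line into a Hop, or None for header/footer lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    ttl, rest = int(m.group(1)), m.group(2)
    a = ADDR_RE.search(rest)
    addr = (a.group(1) or a.group(2)) if a else None
    return Hop(ttl, addr, [int(x) for x in RTT_RE.findall(rest)], rest.count("*"))


def parse_trace(text: str) -> List[Hop]:
    return [h for h in (parse_hop(l) for l in text.splitlines()) if h is not None]


def silent_runs(hops: List[Hop]) -> List[Tuple[int, int]]:
    """(first_ttl, last_ttl) of each run of hops that answered nothing.
    Such a run is where TTL-exceeded replies are being dropped, typically by
    a filtering device or a path that suppresses ICMP."""
    runs, start = [], None
    for h in hops:
        if h.addr is None and start is None:
            start = h.ttl
        elif h.addr is not None and start is not None:
            runs.append((start, h.ttl - 1))
            start = None
    if start is not None:
        runs.append((start, hops[-1].ttl))
    return runs


def last_hop_before(hops: List[Hop], destination: str) -> Optional[str]:
    """Address of the last replying hop before the destination: the device the
    article points at as the likely firewall (66.238.47.34 in the sample)."""
    prev = None
    for h in hops:
        if h.addr == destination:
            return prev
        if h.addr is not None:
            prev = h.addr
    return None


def lossy_hops(hops: List[Hop]) -> List[int]:
    """TTLs of hops that answered but dropped at least one probe."""
    return [h.ttl for h in hops if h.addr is not None and h.lost]


SAMPLE_TRACE = """\
Tracing the route to 168.75.176.102
with a maximum number of hops 30:

  1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [195.82.29.53]
  2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [195.82.28.7]
  3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [195.82.28.198]
  4 * * * Request timed out.
  5 * * * Request timed out.
  6 * * * Request timed out.
  7 * * * Request timed out.
  8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [166.63.220.69]
 14 1050 ms 1037 ms 1036 ms 65.59.192.13
 24 1404 ms 1181 ms * 66.238.47.34.ptr.us.xo.net [66.238.47.34]
 25 1614 ms 1378 ms 1378 ms 168.75.176.102

Tracing completed.
"""

if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("silent runs:", silent_runs(hops))
    print("last hop before target:", last_hop_before(hops, "168.75.176.102"))
    print("hops with partial loss:", lossy_hops(hops))
```

    The address regex accepts both the bracketed form tracert prints after a hostname and a bare address at the end of the line (hops 14 and 25 in the trace), so hops without reverse DNS are not lost.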

    C. Reading service banners

    Well, I think this method is extremely simple, although at the moment it is extremely difficult to find a
    firewall that would display information about itself; but again, "you never know". Reading
    banners means that when you connect to the firewall, you receive some message
    from the remote firewall. I.e. when connecting, for example, to port 295 (a CheckPoint Firewall port),
    you will see information about the firewall version, and then you can certainly go and look
    in bugtraq for a vulnerability in this firewall. Most often, when I came across CheckPoint
    firewalls, I received some information, and at first I did not understand at all what it
    meant. It consists in the fact that when you connect to a CheckPoint firewall, it sends
    you a certain sequence of numbers, for example: 30003, 30002, etc. As I later learned,
    this is typical of the CheckPoint firewall.

    These are, in fact, the most common ways to detect an enemy firewall. Now
    I want to tell you about several ways to bypass the firewall you have detected.
    So let's go ...

    [3. Bypass principle]


    Let's start with the fact that every firewall is configured to filter the packets you
    send when you connect to any port on the remote machine. This happens on the basis
    of the compiled firewall rules, i.e. on connection the firewall reads the packet and
    analyses all its data. So if your address is not in the firewall's database, the firewall will not let
    you into the internal network. Many ways of getting around the firewall come to mind. The first and
    perhaps the easiest way is to scan the firewall's subnet for vulnerable machines
    and then break into them. I will just say that this method does not always work, because
    most likely the administrator will not grant access to the entire subnet; he will rather
    grant access to selected machines on the network.
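    To make the rule matching described above concrete, here is a first-match packet filter in miniature. It is an added illustration, not the article's code and not any real firewall's rule syntax; the addresses, ports and rules are constructed for the example. It shows the point the paragraph ends on: an allow rule for one workstation is a much smaller door than an allow rule for the whole subnet that workstation sits in, because any other machine on that subnet inherits the access.

```python
"""A first-match packet filter in miniature.

Added illustration, not the article's code and not any real firewall's rule
syntax. Addresses, ports and rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR; "0.0.0.0/0" matches any source
    dst: str                      # CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Walk the rule list top to bottom; the first matching rule decides.
    As the article describes, a packet that matches nothing is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"                 # implicit default deny


def exposed_sources(rules: List[Rule], dst: str, proto: str, dport: int) -> int:
    """Count the distinct source addresses the rule set lets reach dst:dport,
    honouring rule order (an earlier deny still wins). Fine for small prefixes."""
    allowed = set()
    for r in rules:
        if r.action == "allow":
            for a in ip_network(r.src):
                if evaluate(rules, Packet(str(a), dst, proto, dport)) == "allow":
                    allowed.add(str(a))
    return len(allowed)


INTERNAL_HOST = "192.0.2.10"      # constructed: a server behind the firewall

# Weak rule set: the whole partner subnet may reach the internal host's ssh
subnet_rules = [Rule("allow", "198.51.100.0/24", INTERNAL_HOST, "tcp", 22)]
# Tight rule set: only the one workstation that actually needs access
host_rules = [Rule("allow", "198.51.100.5/32", INTERNAL_HOST, "tcp", 22)]

# Constructed packets: the approved workstation and some other machine on
# the same subnet (the kind of neighbour the article says an attacker looks for)
trusted = Packet("198.51.100.5", INTERNAL_HOST, "tcp", 22)
neighbour = Packet("198.51.100.77", INTERNAL_HOST, "tcp", 22)

if __name__ == "__main__":
    for name, rules in (("subnet", subnet_rules), ("host", host_rules)):
        print(name, evaluate(rules, trusted), evaluate(rules, neighbour),
              exposed_sources(rules, INTERNAL_HOST, "tcp", 22))
```

    The `exposed_sources` count (256 for the subnet rule, 1 for the host rule) is a crude but useful way to review a rule set: every extra allowed address is another machine whose compromise becomes a path through the firewall.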

    There is another very interesting method: tunnelling ICMP/UDP packets. The point is that
    some firewalls have no rule blocking ICMP ECHO, ICMP ECHO REPLY or
    UDP; all this contributes to a good attack. I will say that this method works if you are
    on the firewall's subnet. To implement it you need two programs, loki and lokid
    (the daemon). To carry out the attack, you install the daemon behind the firewall and then
    operate it using the loki utility.
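    The weakness that makes ICMP tunnelling work is that echo traffic is allowed through without anyone looking at what it carries. From the defender's side, the answer is to look: ordinary ping tools fill their payloads with a fixed pattern, and tunnelled data does not. The detector below is an added example, not code from the article and not loki's protocol; it parses raw ICMP echo messages (checksum included), recognises the two common fill patterns I am assuming here (the 32-byte Windows alphabet fill and the iputils style where each byte equals its own offset after a timestamp), and reports why a payload looks wrong. The sample packets are constructed in-line, with SHA-256 output standing in for encrypted tunnel data.

```python
"""Flag ICMP echo traffic that does not look like ordinary ping.

Added detection example; not code from the article and not loki's own
protocol. The packets below are constructed in-line, so it runs offline.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request/reply with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> Dict:
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(message) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq, "payload": message[8:]}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


# Fill patterns ordinary ping tools use (assumed from observed traffic)
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"      # 32-byte Windows default


def is_iputils_fill(payload: bytes) -> bool:
    """Linux ping: a timestamp prefix (8 or 16 bytes) followed by bytes whose
    value equals their own offset (0x10 0x11 ... 0x37 for a 56-byte ping)."""
    return len(payload) >= 24 and any(
        all(payload[i] == i & 0xFF for i in range(ts_len, len(payload)))
        for ts_len in (8, 16))


MAX_PING_PAYLOAD = 64        # tunable: larger than any default ping payload
ENTROPY_THRESHOLD = 5.0      # tunable: bits/byte; encrypted data sits near 8


def suspicious_reasons(message: bytes) -> List[str]:
    """Reasons an echo message looks like tunnelled data; an empty list
    means it looks like ordinary ping. Non-echo ICMP types are ignored."""
    pkt = parse_icmp(message)
    if pkt["type"] not in (ECHO_REQUEST, ECHO_REPLY):
        return []
    payload = pkt["payload"]
    if payload == WINDOWS_FILL or is_iputils_fill(payload):
        return []
    reasons = ["payload is not a standard ping fill"]
    if len(payload) > MAX_PING_PAYLOAD:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    if len(payload) >= 32 and entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload")
    return reasons


# Constructed samples: a Linux-style ping (zeroed 16-byte timestamp stand-in),
# a Windows-style ping, and an echo reply carrying stand-in encrypted data.
LINUX_PING = build_echo(ECHO_REQUEST, 0x1234, 1, b"\x00" * 16 + bytes(range(0x10, 0x38)))
WINDOWS_PING = build_echo(ECHO_REQUEST, 0x0001, 7, WINDOWS_FILL)
TUNNEL_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(7))  # 224 bytes
TUNNEL_PING = build_echo(ECHO_REPLY, 0x1234, 1, TUNNEL_DATA)

if __name__ == "__main__":
    for name, msg in (("linux", LINUX_PING), ("windows", WINDOWS_PING), ("tunnel", TUNNEL_PING)):
        print(name, suspicious_reasons(msg) or "looks like ping")
```

    Entropy alone is a poor signal for short pings (the Windows fill scores about 4.4 bits/byte), which is why the known fills are recognised first and entropy is only consulted for payloads that match neither. In practice the same checks belong in a sensor that also watches echo rate and request/reply payload mismatches.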

    [4. Conclusion]


    Only one conclusion can be drawn: nothing is perfect! For every device, program and
    so on there will always be ways to break it, get around it, etc. Of course, this article
    does not present all the ways of bypassing firewalls; there are a great many of them. As
    new devices appear, new methods will appear too.