Bypass and Hack Firewall or Internet Hacking
[1. Introduction]
Many articles that describe how to bypass firewalls leave out the main thing: how to find them in the first place ... In this article I will try to fill this gap and tell you about two principles at once: the principle of detection and the principle of bypassing a firewall ...
So let's go ...
[2. Detection principle]
As you would expect, each firewall has its own name, which means it has a certain "brand" on the network, i.e. some firewalls open a special port on which you can find out the version, name and other interesting information. When detecting a firewall you need to be very attentive and not let anything slip past your eyes. Essentially, firewall detection is divided into several stages ... a banal scan, route tracking, reading service banners, etc. I will try to describe each detection point in more detail. I also want to say that there are a number of special utilities that help a lot in detecting firewalls ... I will try to say more about them too.
So, it's time to learn more about the principles of detection.
A. Banal scanning
I hope many of you have scanned the ports of some IP address on the network ... Each service has its own port, be it ftp (21), http (80), ssh (22), etc., and firewalls are no exception, though not all of them ... I must say that not all firewalls listen on a port. Some disguise themselves as daemons on ports like 23 (usually a Cisco router or something of the kind sits there). Let me give you a list of ports on which firewalls sometimes hang.
cisco-manager (mgmt): 4001 (6001, 2001) - these are perhaps the most common firewalls to date
checkpoint: DNS (53 udp/tcp), RIP (520 udp)
wingate: 8080, 81
So, when connecting to the ports described above, it is possible to read the firewall's service banner. But again I repeat that this is not always so! I will also say that a correctly configured firewall will not let you scan ports "en masse", i.e. you cannot scan an address on more than one port ... Then the attacker's task becomes really complicated and it comes down to inventing some other scanning methods (such as scanning from a spoofed source address). I also want to say that some firewalls are configured so that access to the internal network is denied to everyone except the internal network itself, i.e. you cannot connect to the ports filtered by the firewall unless you belong to the internal hosting or local network ... There are not so many ways to get around such protection. I can only say that one method of scanning "behind the firewall" was invented by the well-known former editor of Phrack magazine, Route. His Firewalk utility is able to scan ports as if from behind a firewall. But at the same time you should not rely 100% on it scanning the ports correctly, because many firewalls are configured so that the firewall checks the packet's TTL before checking it against the rule list. Therefore ICMP packets notifying about TTL expiration will be sent ...
B. Route tracking
Now let's move on to the point about tracking the route of a packet through the network ... I hope many have come across a program like tracert or traceroute; these programs are able to track the route of a packet through the network ... On WIN32 systems it is the tracert.exe utility, and on Unix-like systems traceroute. Let's look at an example of a packet's path to identify a firewall along the way.
Let's follow our udp/icmp packet:
Route trace to 126.96.36.199
with a maximum number of jumps of 30:
1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [188.8.131.52]
2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [184.108.40.206]
3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [220.127.116.11]
4 * * * Превышен интервал ожидания для запроса.
5 * * * Превышен интервал ожидания для запроса.
6 * * * Превышен интервал ожидания для запроса.
7 * * * Превышен интервал ожидания для запроса.
8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [18.104.22.168]
9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [22.214.171.124]
10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [126.96.36.199]
11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [188.8.131.52]
12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [184.108.40.206]
13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [220.127.116.11]
14 1050 ms 1037 ms 1036 ms 18.104.22.168
15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [22.214.171.124]
16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [126.96.36.199]
17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [188.8.131.52]
18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [184.108.40.206]
19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [220.127.116.11]
20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [18.104.22.168]
21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [22.214.171.124]
22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [126.96.36.199]
23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [188.8.131.52]
24 1404 ms 1181 ms * 184.108.40.206.ptr.us.xo.net [220.127.116.11]
25 1614 ms 1378 ms 1378 ms 18.104.22.168
In the above example, the path of the packet through the network is displayed very clearly. We can assume that the firewall forms a certain chain of addresses along which our packet travels ... In the trace at hops 1-3 you can observe that the dial-up server filters incoming packets, then the packet is sent over the network along the chain of addresses ... In the end you can see that our packet arrives at its destination - 22.214.171.124 ... In this case I can say that the firewall is most likely 126.96.36.199, although I do not guarantee a 100 percent result, because in this matter you need to be extremely careful ...
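As an added example (not part of the original article), a small Python script that reads tracert-style output like the trace above and reports each run of hops that answered none of their probes, together with the last hop that did answer before the run; this is the check an administrator makes when verifying where their own perimeter starts dropping probes. The sample trace is the first nine hops copied from the output above.

```python
import re

# Constructed sample: the first hops of the trace shown above, copied as printed
# (Windows tracert format; the timed-out lines are left in their original language).
SAMPLE_TRACE = """\
1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [188.8.131.52]
2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [184.108.40.206]
3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [220.127.116.11]
4 * * * Превышен интервал ожидания для запроса.
5 * * * Превышен интервал ожидания для запроса.
6 * * * Превышен интервал ожидания для запроса.
7 * * * Превышен интервал ожидания для запроса.
8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [18.104.22.168]
9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [22.214.171.124]
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
RTT = re.compile(r"\d+\s*ms")
BRACKET_IP = re.compile(r"\[([\d.]+)\]")

def parse_hops(text):
    """Return a list of (hop_number, responded, address) tuples.
    A hop 'responded' if at least one of its three probes reported an RTT."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        num, rest = int(m.group(1)), m.group(2)
        responded = RTT.search(rest) is not None
        address = None
        if responded:
            ip = BRACKET_IP.search(rest)
            # tracert prints "name [ip]" when reverse DNS works, otherwise just the ip
            address = ip.group(1) if ip else rest.split()[-1]
        hops.append((num, responded, address))
    return hops

def silent_runs(hops):
    """Return (first_hop, last_hop, last_answering_address_before_run) for each
    run of consecutive hops that answered none of their probes."""
    runs, start, last_addr = [], None, None
    for num, responded, address in hops:
        if responded:
            if start is not None:
                runs.append((start, num - 1, last_addr))
                start = None
            last_addr = address
        elif start is None:
            start = num
    if start is not None:  # trace ended inside a silent run
        runs.append((start, hops[-1][0], last_addr))
    return runs
```

For the sample, silent_runs reports hops 4-7 as silent with 220.127.116.11 as the last hop that answered before them.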
C. Reading service banners.
Well, this method I think is extremely simple, although at the moment it is extremely difficult to find a firewall that would display information about itself, but again, "you never know" ... Reading banners means that when you connect to the firewall you get a message from the remote firewall ... i.e. when connecting, for example, to port 295 (a CheckPoint Firewall port), you get information about the firewall's version, and then you can confidently go and search bugtraq for vulnerabilities in this firewall. Most often, when I came across CheckPoint firewalls, I got some information which at first I did not understand at all ... It consists in the fact that when you connect to a CheckPoint firewall it gives you a certain sequence of digits, for example: 30003, 30002, etc. As I later learned, this is peculiar to the CheckPoint firewall ...
Well, those are in fact the most common ways to detect an enemy firewall ... Now I want to tell you several ways to bypass a detected firewall ...
So let's go ...
[3. The principle of circumvention]
To begin with, every firewall is configured to filter the packets you send when you connect to any port on the remote machine. And this happens on the basis of the firewall's rules, i.e. on connection the firewall reads the packet and analyses all the data ... i.e. if your address is not in the firewall's database, the firewall will not let you into the internal network ... Many ways to bypass the firewall come to mind. First, perhaps the easiest workaround is to scan the firewall's subnet to find vulnerable machines and then hack them ... I will also say that this method does not always work, because a good administrator will probably not grant login permission to the entire subnet; he will probably grant permission only to selected machines on the network ...
There is another very interesting way: tunnelling with ICMP/UDP packets ... It consists in the fact that some firewalls have no rule blocking ICMP ECHO, ICMP ECHO REPLY or UDP, and all this contributes to a good attack ... I will say that this method works if you get onto the firewall's subnet. To implement it you will need two programs - loki and lokid (the daemon). To carry out the attack you should install the daemon behind the firewall and then use loki ...
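As an added example from the defender's side (not part of the original article and not Loki's code), a Python heuristic for spotting echo traffic that carries data the way an ICMP tunnel does: it flags echo payloads that do not look like a normal ping fill pattern, and echo replies whose payload does not mirror the request they answer. The ping patterns (a byte ramp after leading timestamp bytes, or a run of ASCII letters) are an assumption about common ping tools, and the packet records are constructed.

```python
# Constructed sample ICMP echo records: (src, dst, icmp_type, ident, seq, payload).
# icmp_type 8 = echo request, 0 = echo reply. The first two pairs imitate the
# payloads of common ping tools (assumption: timestamp + byte ramp, or ASCII
# letters); the third pair is a hypothetical tunnel carrying arbitrary data.
LINUX_STYLE = bytes([0x5e, 0x3a, 0x12, 0x00, 0x00, 0x0c, 0x3f, 0x80]) + bytes(range(0x10, 0x38))
WINDOWS_STYLE = b"abcdefghijklmnopqrstuvwabcdefghi"
TUNNEL_REQ = bytes([0x8f, 0x13, 0xa2, 0xe9, 0x05, 0x77, 0xc4, 0x3b]) * 4
TUNNEL_REP = bytes([0x21, 0xd9, 0x4c, 0x0e, 0xb7, 0x66, 0x9a, 0xf1]) * 4
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", 8, 1, 1, LINUX_STYLE),
    ("10.0.0.1", "10.0.0.5", 0, 1, 1, LINUX_STYLE),    # reply mirrors request
    ("10.0.0.6", "10.0.0.1", 8, 1, 7, WINDOWS_STYLE),
    ("10.0.0.1", "10.0.0.6", 0, 1, 7, WINDOWS_STYLE),
    ("10.0.0.7", "10.0.0.1", 8, 2, 1, TUNNEL_REQ),
    ("10.0.0.1", "10.0.0.7", 0, 2, 1, TUNNEL_REP),     # reply carries different data
]

def is_ramp(data):
    """True if each byte is the previous one plus 1 (mod 256)."""
    return len(data) > 1 and all((data[i] + 1) % 256 == data[i + 1]
                                 for i in range(len(data) - 1))

def looks_like_ping(payload):
    """Heuristic for a normal ping payload: all ASCII letters, or a byte ramp
    after 0, 8 or 16 leading timestamp bytes."""
    if payload and payload.isascii() and payload.isalpha():
        return True
    return any(is_ramp(payload[skip:]) for skip in (0, 8, 16))

def suspicious_icmp(records):
    """Flag echo traffic that carries data instead of a ping pattern, and
    echo replies whose payload does not mirror the matching request
    (a genuine reply copies the request payload byte for byte)."""
    findings = []
    pending = {}  # (src, dst, ident, seq) of outstanding requests -> payload
    for src, dst, icmp_type, ident, seq, payload in records:
        if not looks_like_ping(payload):
            findings.append((src, dst, "payload is not a ping pattern"))
        if icmp_type == 8:
            pending[(src, dst, ident, seq)] = payload
        elif icmp_type == 0:
            req = pending.pop((dst, src, ident, seq), None)
            if req is not None and req != payload:
                findings.append((src, dst, "reply does not mirror request"))
    return findings
```

On the sample, only the third pair is flagged: both of its packets fail the pattern check and the reply does not mirror the request.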
One conclusion can be made - there is nothing perfect! In every device, program, etc. there will always be ways to break it, circumvent it, and so on. Of course, not all methods of bypassing firewalls are presented in this article ... There are a lot of ways ... As soon as new devices appear, new ways will appear ...