
Bypass and Hack Firewall or Internet Hacking



  • [1. Introduction]
  • [2. Detection principle]
  • [3. The principle of circumvention]
  • [4. Conclusion]


    [1. Introduction]

    Many articles that describe how to bypass firewalls leave out the main thing:
    how to find them in the first place ... In this article I will try to fill
    this gap and tell you about two principles at once: the principle of detecting
    a firewall and the principle of bypassing it ...
    So let's go ...

    [2. Detection principle]


    As you would expect, each firewall has its own name, which means it has a certain "signature" on
    the network, i.e. some firewalls open a special port from which you can find out the
    version, name and other interesting information. When detecting a firewall you need to be
    very attentive and not let anything slip past your eyes. Essentially, firewall detection
    breaks down into several stages ... a plain port scan, route tracing,
    reading service banners, etc. I will try to cover each of these detection points in
    more detail. I also want to say that there are a number of special utilities that
    help a great deal in detecting firewalls ... I will try to say more about them
    as well.

    So, it's time to learn more about the principles of detection.


    A. Banal scanning

    I hope many of you have scanned the ports of some IP address on the network ... Each service
    has its own port, whether it is ftp (21), http (80), ssh (22), etc., and firewalls are no
    exception, though not all of them ... I must say that not every firewall listens on a port. Some
    disguise themselves as daemons on, say, port 23 (usually a Cisco router or something of the
    kind hangs there). Let me give you a list of ports on which firewalls sometimes listen, by
    default or otherwise:

    application:            port:
    cisco-manager (mgmt)    4001 (6001, 2001)
    checkpoint              DNS (53 udp/tcp), RIP (520 udp)
    cisco-xremotesrv        9001
    wingate                 8080, 81
    realsecure              2998/2997/2999
    These are perhaps the most common firewalls to date.
    So, when you connect to the ports listed above, it is possible to read the firewall's service banner.
    But again I repeat: not always! I will also say that a correctly configured firewall
    will not let you scan ports "en masse", i.e. you cannot scan an address on
    more than one port at a time ... Then the attacker's task becomes really complicated and
    comes down to inventing other scanning methods (such as scanning with a spoofed source address).
    I also want to say that some firewalls are configured so that access to the internal network
    is denied to everyone except the internal network itself, i.e. you cannot connect to the ports
    filtered by the firewall unless you belong to the internal hosting network or
    local network ... There are not many ways to get around such protection. I can only say that one of
    the methods of scanning "behind the firewall" was invented by the well-known former editor of
    Phrack magazine, Route. His Firewalk utility is able to scan ports as if from behind the firewall. But
    at the same time you should not rely 100% on it scanning the ports correctly, because
    many firewalls are configured so that the firewall inspects the packet's TTL before passing it
    on (a rule-list check). Therefore ICMP packets notifying about TTL expiry will be sent
    anyway ...

    Now let's move on to the item on tracking the route of the packet through the network ...

    B. Tracerouting

    I hope many of you have come across a program like tracert or traceroute, so I will just say that
    these programs are able to track the route of a packet through the network ...

    On WIN32 systems it is the tracert.exe utility, and on Unix-like systems, traceroute.

    Let's look at an example of a packet's passage in order to identify a firewall on its path.
    Here is what awaits our udp / icmp packet:

    Tracing route to 168.75.176.102
    over a maximum of 30 hops:

    1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [195.82.29.53]
    2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [195.82.28.7]
    3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [195.82.28.198]
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 * * * Request timed out.
    8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [166.63.220.69]
    9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [166.63.220.129]
    10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [208.173.216.25]
    11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [208.173.216.2]
    12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [208.173.211.233]
    13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [195.2.1.3]
    14 1050 ms 1037 ms 1036 ms 65.59.192.13
    15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [209.247.9.209]
    16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [64.159.4.150]
    17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [209.244.160.178]
    18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [65.106.3.37]
    19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [65.106.0.29]
    20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [65.106.0.34]
    21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [65.106.0.14]
    22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [65.106.5.34]
    23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [207.88.81.78]
    24 1404 ms 1181 ms * 66.238.47.34.ptr.us.xo.net [66.238.47.34]
    25 1614 ms 1378 ms 1378 ms 168.75.176.102

    Trace complete.

    The example above very clearly shows the path of the packet through the network.
    We can assume that the firewall creates a certain chain of addresses that our
    packet passes through ... In the trace, at hops 1-3, you can observe that the dialup server filters
    incoming packets; after that the packet is sent across the network along the chain of addresses ... In
    the end you can see that our packet arrives at its destination - 168.75.176.102 ... In this
    case I can say that the firewall is most likely 66.238.47.34, although I do not give a 100 percent
    result, because in this matter you need to be extremely careful ...
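    The reading of the trace above, done by hand in the text, can be automated. The following parser is an added example (not code from the original article): it reads tracert-style output, lists the hops that never answered, the hops with partial loss, and the last responding hop before the destination, which is the hop the article points at as the likely filtering device. The sample trace is constructed for this example; hostnames and addresses in it are placeholders.

```python
import re

# Constructed sample in the layout of the tracert output above (not the original
# trace): hops 4 and 5 answer nothing, hop 7 is the last hop before the target.
SAMPLE_TRACE = """\
Tracing route to 198.51.100.10 over a maximum of 30 hops:

  1    12 ms    11 ms    12 ms  gw1.example.net [192.0.2.1]
  2     *       25 ms    24 ms  core1.example.net [192.0.2.17]
  3    30 ms     *        *     border.example.net [192.0.2.33]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6    41 ms    40 ms    42 ms  203.0.113.5
  7    44 ms    45 ms     *     fw-edge.example.net [203.0.113.9]
  8    50 ms    49 ms    51 ms  198.51.100.10

Trace complete.
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(text):
    """Return (hop, rtts, address) per hop line of tracert-style output; rtts
    holds three ints in ms, with None where a probe timed out ('*')."""
    hops = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].isdigit():
            continue                      # header, blank line or trailer
        rtts, i = [], 1
        while len(rtts) < 3:
            if tok[i] == "*":
                rtts.append(None); i += 1
            else:                         # "12 ms" or "<1 ms" is two tokens
                rtts.append(int(tok[i].lstrip("<"))); i += 2
        m = IPV4.search(" ".join(tok[i:]))
        hops.append((int(tok[0]), rtts, m.group(0) if m else None))
    return hops

def analyze(text):
    """Flag silent and lossy hops and name the last responding hop before the
    destination, the hop the article singles out as the likely filter."""
    hops = parse_hops(text)
    target = IPV4.search(text).group(0)   # first address in the header line
    silent = [h for h, r, _ in hops if all(x is None for x in r)]
    lossy = [h for h, r, _ in hops if None in r and h not in silent]
    dest = next((h for h, _, a in hops if a == target), None)
    before = [a for h, _, a in hops if dest and h < dest and a and h not in silent]
    return {"silent": silent, "lossy": lossy, "destination": dest,
            "last_responder_before_target": before[-1] if before else None}
```

    Only the Windows tracert layout shown above is handled; Unix traceroute prints the host before the timings and would need a different tokenizer.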

    C. Reading service banners.

    Well, I think this method is extremely simple, although at the moment it is extremely hard to find a
    firewall that would display information about itself, but again, "you never know" ... Reading
    banners means that when you connect to the firewall you receive a message
    from the remote firewall ... i.e. when connecting to, for example, port 295 (a CheckPoint Firewall port),
    you get information about the version of the firewall, and then you can confidently go and search
    bugtraq for vulnerabilities in this firewall. Most often, when I came across CheckPoint
    firewalls, I got some information that at first I did not understand at
    all ... It consists in the fact that when you connect to a CheckPoint firewall it
    gives you a certain sequence of digits, for example: 30003, 30002, etc. As I later learned,
    this is peculiar to the CheckPoint firewall ...

    Well, those are in fact the most common ways of detecting an enemy firewall ... Now
    I want to tell you about several ways to bypass a firewall once it has been detected ...
    So let's go ...

    [3. The principle of circumvention]


    To begin with, each firewall is configured to filter the packets that you
    send when you connect to any port on the remote machine. And this happens on the basis of
    the firewall's rules, i.e. on connection the firewall reads the packet and
    analyses all the data ... i.e. if your address is not in the firewall's database, the firewall will
    not let you into the internal network ... Many ways to bypass the firewall come to mind. The first,
    and perhaps the simplest, workaround is to scan the firewall's subnet to find vulnerable
    machines and then hack them ... I will also say that this method does not always work, because a
    good administrator will probably not grant login permission to the entire subnet; he will most
    likely grant permission to selected machines on the network ...

    There is another very interesting method: tunneling with ICMP / UDP packets ... It consists in
    the fact that some firewalls have no rule blocking ICMP ECHO, ICMP ECHO REPLY or
    UDP. All this contributes to a good attack ... I will say that this method works if you get
    into the firewall's subnet. To implement it you will need two programs - loki and lokid
    (the daemon). In order to carry out the attack you should install the daemon behind the firewall and
    then use loki ...
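    The flip side of the ICMP tunneling described above is detecting it. The following is an added example (not code from the article or from loki): it builds a few ICMP echo packets inline, constructed for this example, and audits them with heuristics a monitor can apply: a payload larger than the defaults of common ping tools, a payload that looks random, and an echo reply whose data differs from the request it answers (a real echo mirrors the request bytes). The 64-byte and 6.0-bit thresholds are assumptions chosen to pass the default 32-byte Windows and 56-byte Linux ping payloads.

```python
import math, struct, hashlib

ECHO_REPLY, ECHO_REQUEST = 0, 8
WIN_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # classic 32-byte ping payload

def icmp_checksum(data):
    if len(data) % 2: data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF); s += s >> 16
    return (~s) & 0xFFFF

def build_icmp(typ, ident, seq, payload):
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    return struct.pack("!BBHHH", typ, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def parse_icmp(pkt):
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]

def entropy(data):
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def payload_reasons(payload):
    # Thresholds are assumptions tuned to default ping payloads (32 bytes on
    # Windows, 56 on Linux); tunnelled data is usually bigger and looks random.
    reasons = []
    if len(payload) > 64: reasons.append("oversized payload")
    if payload and entropy(payload) > 6.0: reasons.append("high entropy")
    return reasons

def audit(packets):
    """Return [(ident, seq, type, reasons)] for echo traffic that looks like a
    covert channel, including replies whose data differs from their request."""
    requests, findings = {}, []
    for pkt in packets:
        typ, _, ident, seq, payload = parse_icmp(pkt)
        if typ not in (ECHO_REQUEST, ECHO_REPLY): continue
        reasons = payload_reasons(payload)
        if typ == ECHO_REQUEST: requests[(ident, seq)] = payload
        elif requests.get((ident, seq), payload) != payload:
            reasons.append("reply data != request data")   # a real echo mirrors it
        if reasons: findings.append((ident, seq, typ, reasons))
    return findings

# Constructed traffic: a normal ping pair, then a loki-style pair carrying data
# (pseudo-random bytes derived from sha256, standing in for tunnel content).
COVERT = b"".join(hashlib.sha256(b"tunnel chunk %d" % i).digest() for i in range(8))
TRAFFIC = [build_icmp(ECHO_REQUEST, 1, 1, WIN_PING), build_icmp(ECHO_REPLY, 1, 1, WIN_PING),
           build_icmp(ECHO_REQUEST, 2, 1, COVERT), build_icmp(ECHO_REPLY, 2, 1, COVERT[::-1])]
```

    Running audit(TRAFFIC) leaves the ordinary ping pair alone and flags both halves of the second pair; the same functions can be fed packets captured from a raw socket once the IP header is stripped.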

    [4. Conclusion]


    Only one conclusion can be drawn - nothing is perfect! For every device, program and
    so on there will always be ways to break it somehow, circumvent it, etc. Of course, not all
    methods of bypassing firewalls are presented in this article ... There are a lot of ways ... As soon as
    new devices appear, new ways will appear ...