Detecting and bypassing a firewall, or hacking online
[1. Introduction]
Many articles describing the principles of bypassing firewalls leave out the main thing: how to find them in the first place... In this article I will try to fill that gap and cover two principles at once: the principle of detection and the principle of getting around the firewall...
So let's go...
[2. The principle of detection]
As one would expect, each firewall has its own name, which means it leaves a certain "mark" on the network: some firewalls open special ports from which you can find out the version, name and other interesting information. When detecting a firewall you need to be very attentive and not let anything slip past you. Essentially, firewall detection is divided into several stages... a banal scan, tracking routes, reading service banners, etc. I will try to describe each detection stage in more detail. I also want to say that there are a number of special utilities that help a great deal in detecting firewalls... I will try to cover them as well.
So, it's time to learn more about the principles of detection.
A. Banal scan
I hope many of you have scanned the ports of some IP address on the network... Each service has its own port, whether it is ftp (21), http (80), ssh (22), etc., and firewalls are no exception, though not all of them... I must say that not all firewalls listen on a port. Some firewalls are disguised as daemons on ports like 23 (usually a Cisco router or something of that kind hangs on them). Here is a rough list of ports on which firewalls sometimes hang:

cisco-manager (mgmt): 4001 (6001, 2001) (this is probably the most common firewall today)
checkpoint: DNS (53 udp/tcp), RIP (520 udp)
wingate: 8080, 81
So, when you connect to the ports listed above, you may be able to read the firewall's service banner. But again, I repeat: not always! I will also say that a correctly configured firewall will not let you scan ports "in bulk", i.e. you will not be able to scan the address if you are scanning more than one port... Then the attacker's task really does become complicated, and it is necessary to come up with other scanning methods (for example, scanning from a spoofed source address).
I also want to say that some firewalls are configured so that access to the internal network is denied to everyone except the internal network itself: you will not be able to connect to ports filtered by the firewall if you do not belong to the internal hosting or local network... There are not many ways to circumvent such protection. I can only say that one of the ways to scan "behind the firewall" was invented by the well-known former editor of Phrack magazine, Route. His Firewalk utility is capable of scanning ports behind a firewall. But it also cannot be relied on 100% to scan the ports correctly, since many firewalls are configured so that the firewall examines the TTL of a packet before passing it on (checking the rule list). Therefore the ICMP packets notifying of TTL expiration will not get through anyway...
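From the defender's side, the mark that a scan of the ports listed above leaves behind is a single source touching several of those ports in a row. The following is an added example, not code from the original article: it reads constructed, iptables-style log lines (the "SRC=... DST=... PROTO=... DPT=..." format and the sample addresses are assumptions), maps destination ports onto the article's port list, and flags sources that probe management ports or sweep many ports at once, which is the "bulk" scan the article says a well-configured firewall should refuse.

```python
"""Flag sources probing the firewall-management ports listed in the article.

Added example for this article; not code from the original text. The log
format (iptables-style "SRC= DST= PROTO= ... DPT=") and the threshold are
assumptions; FIREWALL_PORTS is taken from the article's own port list.
"""
import re
from collections import defaultdict

# Ports the article associates with firewall management / admin daemons.
# The product labels are the article's hints, not proof of a product.
FIREWALL_PORTS = {
    4001: "cisco-manager (mgmt)",
    6001: "cisco-manager (mgmt)",
    2001: "cisco-manager (mgmt)",
    23:   "telnet daemon on a router/firewall",
    8080: "wingate",
    81:   "wingate",
    53:   "checkpoint (DNS)",
    520:  "checkpoint (RIP)",
}

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=(?P<proto>TCP|UDP)\b.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def analyse(lines, sweep_threshold=5):
    """Summarise per-source probing.

    Returns {src: {"mgmt_hits": [(port, label), ...], "distinct_ports": n,
                   "sweep": bool}}. A source is a "sweep" when it touched at
    least sweep_threshold distinct destination ports.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, _proto, dport = parsed
        ports_by_src[src].add(dport)
    report = {}
    for src, ports in ports_by_src.items():
        mgmt = sorted((p, FIREWALL_PORTS[p]) for p in ports if p in FIREWALL_PORTS)
        report[src] = {
            "mgmt_hits": mgmt,
            "distinct_ports": len(ports),
            "sweep": len(ports) >= sweep_threshold,
        }
    return report


# Constructed sample: one source sweeping management ports, one ordinary web client.
SAMPLE_LOG = [
    "May  1 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=4001",
    "May  1 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=2001",
    "May  1 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=6001",
    "May  1 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=8080",
    "May  1 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=40005 DPT=520",
    "May  1 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40006 DPT=22",
    "May  1 10:00:09 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=80",
    "May  1 10:00:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=80",
    "this line is not a firewall log entry",
]

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

The port table only says which ports are worth watching; the real signal is the combination of several of them from one source, which is why the report keeps both the management hits and the total number of distinct ports.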
B. Tracking the packet route
We now turn to tracking the route of a packet through the network...
I hope many people have come across a program like tracert or traceroute; these programs can track the route a packet takes through the network... On WIN32 systems the utility is tracert.exe, and on Unix-like systems it is traceroute.
Let's look at an example of a packet's path and try to identify a firewall along the way. Here is the path our udp/icmp packet takes:
Tracing a route to 18.104.22.168
with a maximum number of hops 30:
1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [22.214.171.124]
2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [126.96.36.199]
3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [188.8.131.52]
4 * * * Превышен интервал ожидания для запроса.
5 * * * Превышен интервал ожидания для запроса.
6 * * * Превышен интервал ожидания для запроса.
7 * * * Превышен интервал ожидания для запроса.
8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [184.108.40.206]
9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [220.127.116.11]
10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [18.104.22.168]
11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [22.214.171.124]
12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [126.96.36.199]
13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [188.8.131.52]
14 1050 ms 1037 ms 1036 ms 184.108.40.206
15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [220.127.116.11]
16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [18.104.22.168]
17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [22.214.171.124]
18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [126.96.36.199]
19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [188.8.131.52]
20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [184.108.40.206]
21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [220.127.116.11]
22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [18.104.22.168]
23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [22.214.171.124]
24 1404 ms 1181 ms * 126.96.36.199.ptr.us.xo.net [188.8.131.52]
25 1614 ms 1378 ms 1378 ms 184.108.40.206
In the example above the packet's path through the network is shown very clearly. It can be assumed that the firewall creates a certain chain of addresses through which our packet passes... In the trace, at hops 1-3 you can observe the dialup server filtering incoming packets; then the packet is sent across the network along the chain of addresses... In the end you can see that our packet reaches its destination, 220.127.116.11... In this case I can say that the firewall is most likely 18.104.22.168, although I do not give a 100 percent guarantee of the result, because in this case you need to be extremely attentive...
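Reading a trace like the one above by eye means finding where the replies stop. The following is an added example, not code from the original article: it parses plain-text tracert/traceroute hop lines, treats a hop with no round-trip time at all as silent, and reports each silent run together with the last hop that answered before it and the first hop that answered after it. The sample trace is constructed (addresses from the documentation ranges), and the caveat is built in: a router that simply does not send ICMP Time Exceeded looks exactly like a filtering firewall, so the output is a hint to investigate, not an identification.

```python
"""Locate the hops in a traceroute/tracert listing where replies stop.

Added example for this article; not code from the original text. It handles
both "N ms" and "*" columns and ignores header lines and locale-specific
timeout text, because a silent hop is recognised by the absence of any RTT.
"""
import re

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
RTT_RE = re.compile(r"(\d+)\s*ms")
# Host column as tracert prints it: "name [a.b.c.d]" or a bare address at line end.
HOST_RE = re.compile(
    r"(?:\S+\s+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]|(?P<ip2>\d+\.\d+\.\d+\.\d+))\s*$"
)


def parse_hops(text):
    """Return a list of dicts: hop number, rtts (ints, ms), host (IP string or None)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # "Tracing a route to ...", blank lines, other noise
        rest = m["rest"]
        rtts = [int(x) for x in RTT_RE.findall(rest)]
        h = HOST_RE.search(rest)
        host = (h["ip"] or h["ip2"]) if h else None
        hops.append({"hop": int(m["hop"]), "rtts": rtts, "host": host})
    return hops


def silent_runs(hops):
    """Group consecutive hops that returned no RTT into (first_hop, last_hop) runs."""
    runs, start, prev = [], None, None
    for h in hops:
        if not h["rtts"]:
            if start is None:
                start = h["hop"]
            prev = h["hop"]
        elif start is not None:
            runs.append((start, prev))
            start = None
    if start is not None:
        runs.append((start, prev))
    return runs


def suspect_filters(hops):
    """For each silent run, name the last responder before it and the first after it.

    A silent run followed by responding hops is the classic shape of a device
    that drops or does not generate Time Exceeded; it is a lead, not proof.
    """
    by_hop = {h["hop"]: h for h in hops}
    findings = []
    for first, last in silent_runs(hops):
        before = by_hop.get(first - 1)
        after = by_hop.get(last + 1)
        findings.append({
            "silent": (first, last),
            "last_seen_before": before["host"] if before else None,
            "first_seen_after": after["host"] if after else None,
        })
    return findings


# Constructed sample trace; hop 3 carries the Russian-locale tracert timeout
# text on purpose, to show that the locale string does not matter.
SAMPLE_TRACE = """\
Tracing a route to 192.0.2.80
with a maximum number of hops 30:

  1    *     12 ms     *     gw1.example.net [198.51.100.1]
  2    9 ms  10 ms   11 ms   core1.example.net [198.51.100.2]
  3    *      *        *     Превышен интервал ожидания для запроса.
  4    *      *        *     Request timed out.
  5   40 ms  41 ms   39 ms   203.0.113.9
  6   44 ms  45 ms   44 ms   edge.example.org [203.0.113.10]
  7    *      *        *     Request timed out.
"""

if __name__ == "__main__":
    for finding in suspect_filters(parse_hops(SAMPLE_TRACE)):
        print(finding)
```

On the sample, hops 3-4 are silent between 198.51.100.2 and 203.0.113.9, and hop 7 is silent with nothing visible after it; the second case is what you see when the target itself, or something directly in front of it, drops the probes.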
C. Reading service banners
Well, I think this method is extremely simple, although at the moment it is extremely difficult to find a firewall that would display information about itself; but again, "you never know"... Reading banners means that when you connect to the firewall you get some message back from it... I.e. when connecting, for example, to port 295 (a CheckPoint Firewall port), you will see information about the firewall's version, and then you can confidently go and look in bugtraq for vulnerabilities in this firewall. Most often, when I came across CheckPoint firewalls, I received some information that at first I did not understand at all... It consists of this: when you connect to a CheckPoint firewall, it gives you a certain sequence of numbers, for example: 30003, 30002, etc. As I learned later, this is typical of CheckPoint Firewall...
Well, those are in fact the most common ways of detecting an enemy firewall... Now I want to tell you about several ways to bypass the firewall you have detected...
So, let's go...
[3. Bypass principle]
Let's start with the fact that each firewall is configured to filter the packets you send when you connect to any port on the remote machine, and it does so on the basis of the firewall rules drawn up for it. I.e. on connection the firewall reads the packet and analyses all of its data... So if your address is not in the firewall's database, the firewall will not let you into the internal network... There are many ways to circumvent a firewall. The first and perhaps easiest way to get around it is to scan the firewall's subnet for vulnerable machines and then break into them... I will just say that this method does not always work, because most likely the administrator will not grant access to the entire subnet, but will grant it only to selected machines on the network...
There is another very interesting way: tunneling ICMP/UDP packets... It consists in the fact that some firewalls have no rule blocking ICMP ECHO, ICMP ECHO REPLY or UDP, and all of this makes for a good attack... I will say that this method works if you are on the firewall's subnet. To implement it you will need two programs: loki and lokid (the daemon). To carry out the attack, you should install the daemon behind the firewall and then operate it with the loki utility...
Only one conclusion can be drawn: there is nothing perfect! In every device, program, etc. there will always be ways to break it, get around it, and so on. Of course, not all the ways of circumventing firewalls are presented in this article... There are a great many... As soon as new devices appear, new ways will appear too...