Bypassing and hacking a firewall, or hacking on the Internet
[ 1. Introduction ]
Many articles describing the principles of circumventing firewalls do not describe the main thing: how to find them in the first place ... In this article I will try to make up for this gap and tell you about two principles at once: the principle of detection and the principle of bypass.
So let's go ...
[2. Principle of detection]
As you might expect, each firewall has its own name, and therefore it leaves a certain "mark" on the network: some firewalls open a special port on which you can find out the version, the name and other interesting information. If you find a firewall, you need to be very attentive and not let anything slip past your eyes. In fact, the detection of a firewall is divided into several stages: trivial scanning, route tracing, reading service banners, etc. I will try to say more about each stage of detection. I also want to say that there are a number of special utilities that help a great deal with firewall detection; I will try to say more about them as well.
So, it's time to learn more about the principles of detection.
A. Trivial scanning
I hope many of you have scanned the ports of some IP address on the network ... Each service has its own unique port, whether it is ftp (21), http (80), ssh (22), etc., and firewalls have not escaped this either, though not all of them ... I will say right away that not all firewalls listen on a port. Some are certainly disguised as daemons on ports like 23 (they usually sit on a Cisco router or something of that kind). Here is a short list of ports on which firewalls or their managers sometimes listen:
cisco-manager (mgmt) 4001 (6001, 2001)
checkpoint DNS (53 udp/tcp) RIP (520 udp)
wingate 8080, 81
These are probably the most common firewalls to date.
So, by connecting to the ports described above, you can view the firewall's service banner. But again, I repeat, not always! I will also say that a properly configured firewall will not let you scan ports "en masse", i.e. you will not be able to scan more than one port of an address at once ... Then the attacker's task really does become complicated, and there are only a few ways to scan (for example, scanning from a different source address).
I just want to say that some firewalls are configured so that access to the internal network is denied to everyone except the internal network itself, i.e. you cannot connect to the ports filtered by the firewall unless you belong to the internal host network or the local network ... There are not that many ways to get around such protection. I will only say that one of the methods of scanning "behind the firewall" was invented by the well-known former editor of Phrack magazine, Route. His utility Firewalk is capable of scanning ports as if from behind the firewall. But in this case too you should not rely 100% on it scanning the ports correctly. Many firewalls are configured so that the firewall checks the TTL of the packet before it passes (checking it against the rule list). Therefore, ICMP packets warning that the TTL has expired will in any case be ...
B. Tracing the route
Now let's move on to the point about tracing the route of a packet through the network ... I hope many of you have come across a program such as tracert or traceroute, so I will just say that these programs are able to track the route of a packet through the network ... On WIN32 systems the utility is tracert.exe, and on Unix-like systems it is traceroute.
Let's look at an example of tracing a packet's path to identify a firewall along the route of our udp/icmp packet:
Tracing route to 184.108.40.206
over a maximum of 30 hops:
1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [220.127.116.11]
2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [18.104.22.168]
3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [22.214.171.124]
4 * * * Превышен интервал ожидания для запроса.
5 * * * Превышен интервал ожидания для запроса.
6 * * * Превышен интервал ожидания для запроса.
7 * * * Превышен интервал ожидания для запроса.
8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [126.96.36.199]
9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [188.8.131.52]
10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [184.108.40.206]
11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [220.127.116.11]
12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [18.104.22.168]
13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [22.214.171.124]
14 1050 ms 1037 ms 1036 ms 126.96.36.199
15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [188.8.131.52]
16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [184.108.40.206]
17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [220.127.116.11]
18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [18.104.22.168]
19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [22.214.171.124]
20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [126.96.36.199]
21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [188.8.131.52]
22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [184.108.40.206]
23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [220.127.116.11]
24 1404 ms 1181 ms * 18.104.22.168.ptr.us.xo.net [22.214.171.124]
25 1614 ms 1378 ms 1378 ms 126.96.36.199
In the above example the path of the packet through the network is shown very clearly. We can assume that the firewall creates a certain chain of addresses through which our packet passes ... In hops 1-3 of the trace you can see that the dialup server filters incoming packets, then the packet is sent across the network through the chain of addresses ... At the very end you can see that our packet reaches its destination, 188.8.131.52 ... In this case I can say that the firewall is most likely 184.108.40.206, although I do not guarantee the result 100%, since in such cases you need to be extremely careful ...
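As an added example (not part of the original article), here is a small parser for tracert output like the capture above. It lists each run of hops that answer nothing together with the responding addresses on either side of it, which is the reading of the trace the text does by eye; a defender can run the same parse against a trace toward their own perimeter to see what it gives away. The sample trace is constructed from documentation addresses, and the Russian timeout line is kept on purpose so the parser is shown to be independent of the OS language.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the tracert output above (documentation
# addresses, not the article's data). A hop whose three probes all time out
# prints only stars plus a message in the OS language, as in the article's
# Russian capture, so the parser never relies on that text.
SAMPLE_TRACE = """Tracing route to 203.0.113.10 over a maximum of 30 hops:
  1     *     4366 ms     *     gw8.example.net [198.51.100.1]
  2  3373 ms     *     4287 ms  gw1.example.net [198.51.100.2]
  3     *     4463 ms     *     gw2.example.net [198.51.100.3]
  4     *        *        *     Превышен интервал ожидания для запроса.
  5     *        *        *     Request timed out.
  6  2274 ms   971 ms   958 ms  core1.example.net [203.0.113.5]
  7  1050 ms  1037 ms  1036 ms  203.0.113.10
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]\s*$|(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, ip) per hop line; ip is None when no probe answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:                                   # skips the header line
            addr = ADDR_RE.search(m.group(2))   # None when only stars were printed
            hops.append((int(m.group(1)), addr and (addr.group(1) or addr.group(2))))
    return hops

def silent_segments(hops):
    """Runs of hops that answered nothing, with the last responding address
    before the run and the first after it: the span where filtering sits."""
    out, i = [], 0
    while i < len(hops):
        if hops[i][1] is not None:
            i += 1
            continue
        start = i
        while i < len(hops) and hops[i][1] is None:
            i += 1
        before = hops[start - 1][1] if start else "?"
        after = hops[i][1] if i < len(hops) else "?"
        out.append((before, hops[start][0], hops[i - 1][0], after))
    return out

if __name__ == "__main__":
    for before, first, last, after in silent_segments(parse_hops(SAMPLE_TRACE)):
        print(f"hops {first}-{last} answer nothing, between {before} and {after}")
```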
C. Reading service banners.
Well, I think this method is extremely simple, although at the moment it is extremely difficult to find a firewall that would give out information about itself, but then again, you never know ... Reading banners means that when you connect to the firewall, you get a message back from the remote firewall ... I.e. on connecting, for example, to port 295 (a CheckPoint Firewall port), you get information about the version of the firewall, and then you can confidently go to bugtraq for vulnerabilities in this firewall. Most often, when I encountered CheckPoint firewalls, I received some information that at first I did not understand at all ... It consists in the fact that when you connect to a CheckPoint firewall, it sends you a certain sequence of numbers, for example: 30003, 30002, etc. Later I learned that this is typical of the CheckPoint Firewall ...
Well, those are in fact the most widespread ways of detecting an enemy firewall ... Now I want to tell you a few ways to circumvent the detected firewall ...
So, let's go ...
[3. Bypass Principle]
We'll start with the fact that each firewall is configured to filter the packets that you send it when you connect to any port on the remote machine. And this happens on the basis of the firewall rules that were created, i.e. on connection the firewall reads the packet and analyses all of its data ... I.e. if your address is not in the firewall's base, the firewall will not let you into the internal network ... Many ways of circumventing a firewall come to mind. First, perhaps the easiest way to bypass it is to scan the firewall's subnet to find vulnerable machines and then break into them ... I will also say that this method does not always work, because a good administrator will most likely not allow access for the entire subnet, but rather will grant permission to selected machines on the network ...
There is another very interesting way: tunneling ICMP / UDP packets ... It consists in the fact that some firewalls have no rule blocking ICMP ECHO, ICMP ECHO REPLY or UDP. All this makes for a good attack ... I will say that this method works if you find a way in on the firewall's subnet. To implement it you will need two programs: loki and lokid (the daemon). To carry out the attack, you install the daemon behind the firewall and then use the loki utility ...
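From the defender's side, the tunneling described above is visible because Loki-style traffic does not behave like ping: the echo data is not the standard filler, it is high-entropy, and replies no longer echo the request data back as RFC 792 requires. The following detector is an added example (not from the article or the loki project) run over constructed ICMP echo records; the "ciphertext" payloads and addresses are made up.

```python
import math
from collections import Counter
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8
WIN_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"   # data sent by Windows ping
@dataclass
class Icmp:
    src: str
    dst: str
    typ: int
    ident: int
    seq: int
    payload: bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_ping_filler(p: bytes) -> bool:
    """Linux ping: 8-byte timestamp then 0x10, 0x11, ...; Windows: WIN_FILLER."""
    return p == WIN_FILLER or (len(p) > 8 and p[8:] == bytes(range(0x10, 0x08 + len(p))))

def find_tunnel_suspects(pkts):
    """Flag echo traffic that does not behave like ping; returns (reason, packet)."""
    pending, findings = {}, []
    for p in pkts:
        if p.typ == ECHO_REQUEST:
            pending[(p.src, p.dst, p.ident, p.seq)] = p
            # max entropy of n bytes is log2(n); near it means non-ping data
            limit = 0.9 * math.log2(max(2, min(len(p.payload), 256)))
            if not is_ping_filler(p.payload) and entropy(p.payload) > limit:
                findings.append(("high-entropy request data", p))
        elif p.typ == ECHO_REPLY:
            req = pending.pop((p.dst, p.src, p.ident, p.seq), None)
            if req is None:
                findings.append(("reply without a request", p))
            elif req.payload != p.payload:      # RFC 792: reply echoes request data
                findings.append(("reply data differs from request", p))
    return findings

# Constructed sample: a normal Windows ping exchange, a tunnel-style exchange
# carrying made-up ciphertext, and a reply that no request asked for.
SAMPLE = [
    Icmp("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, 1, WIN_FILLER),
    Icmp("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, 1, WIN_FILLER),
    Icmp("10.0.0.9", "10.0.0.1", ECHO_REQUEST, 7, 1, bytes(range(0x40, 0x80))),
    Icmp("10.0.0.1", "10.0.0.9", ECHO_REPLY, 7, 1, bytes(range(0x80, 0xC0))),
    Icmp("10.0.0.1", "10.0.0.9", ECHO_REPLY, 7, 2, bytes(range(0xC0, 0x100))),
]
```

Calling find_tunnel_suspects(SAMPLE) flags only the last three records, with the Windows ping exchange passing clean.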
Only one conclusion can be drawn: nothing is perfect! In every device, program, etc. there are always ways to break it, get around it, and so on. Of course, this article does not cover all the ways of circumventing firewalls ... There are a great many of them ... And as soon as new ones appear, newer ones will appear as well ...