This page has been robot translated, sorry for typos if any. Original content here.

Bypass and hacking a firewall or Hacking on the Internet



  • [ 1. Introduction ]
  • [2. Principle of detection]
  • [3. Bypass Principle]
  • [4. Conclusion]


  • [ 1. Introduction ]

    Many articles describing the principles of circumventing firewalls do not describe the main thing!
    How can I find them ... In this article I will try to make up for
    this gap and tell you at once about two principles: the principle of detection and
    firewall ...
    So let's go ...

    [2. Principle of detection]


    As you might expect, each firewall has its own name, it means it has a certain "stigma" in it.
    network, i. some firewalls open spets. a port on which you can find out
    version, name and other interesting information. If you find a firewall, you need to be
    very attentive and not to miss anything by your eyes. In fact, the detection of a firewall
    divided into several stages ... This is a trivial scan, it's tracking the routes,
    reading service banners, etc. About each point of detection, I'll try to tell
    more. I also want to say that there are a number of specials. utilities that
    very well help with the detection of firewalls ... I will also try about them more
    to tell.

    So, it's time to learn more about the principles of detection.


    A. Trivial scanning

    I hope many of you have scanned in the network ports of any IP-address ... Each service
    there is a unique port, whether it's ftp (21), http (80), ssh (22), etc., did not pass
    firewalls, but not all ... Immediately I will say that not all firewalls listen to the port. Certainly
    disguised as daemons like port 23 (they usually hang on the Cisco Router or on it
    they are kind). I'll give you some list of ports on which the firewalls sometimes hang or their mene
    Default Jerries:
    application: port:
    cisco-manager (mgmt) 4001 (6001, 2001)
    checkpoint DNS (53udp/tcp) RIP (520udp)
    cisco-xremotesrv 9001
    wingate 8080, 81
    realsecure 2998/2997/2999
    This is probably the most common firewalls to date.
    So, when connecting to the above described ports, it is possible to consider a service banner firewall.
    But again, I repeat, that not always! I will also say that a properly configured firewall
    Do not let you scan the ports in "masses", i.e. you will not be able to scan the address, at ska
    more than one port ... Then really the task of the attacker is complicated and the
    There are some ways to scan (whether it's scanned from the source address).
    Just want to say that some firewalls are configured so that the internal network
    Access is denied to everyone except their own internal network ie. you can not join the ports,
    which are filtered by the firewall, if you do not belong to an internal hosting network or
    a local network ... There are not that many ways to circumvent such protections. I will only say that one of the
    methods of scanning "behind the firewall" was invented by the well-known former editor of the magazine
    Phrack - Route. Its utility Firewalk is capable of scanning ports as if behind a firewall. But
    In this case, you also do not need to rely on 100%, that it will scan the ports correctly.
    Many firewalls are configured so that the firewall can determine the TLL of the packet before it
    being (check on the list). Therefore, packets of the ICMP type warning about the expiration of the TLL will be
    in any case ...

    Now go to the point about tracking the route of the packet through the network ...

    B. Tracerouting

    Many I hope, faced with a program such as tracert or traceroute, so I say, then what?
    these programs are able to track the route of the packet through the network ...

    In WIN32 systems, the utility tracert.exe, and in Unix Like systems - traceroute.

    Let's look at an example of passing a packet to identify a firewall in the path of a proxy
    Our udp / icmp package:

    Route route to 168.75.176.102
    with a maximum number of jumps of 30:

    1 * 4366 ms * Loopback0.GW8.ALA2.nursat.net [195.82.29.53]
    2 3373 ms * 4287 ms Ethernet0-0-2.GW1.ALA2.nursat.net [195.82.28.7]
    3 * 4463 ms * Serial6-1.GW2.MOW1.nursat.net [195.82.28.198]
    4 * * * Превышен интервал ожидания для запроса.
    5 * * * Превышен интервал ожидания для запроса.
    6 * * * Превышен интервал ожидания для запроса.
    7 * * * Превышен интервал ожидания для запроса.
    8 2274 ms 971 ms 958 ms so-2-3-1-zar1.skt.cw.net [166.63.220.69]
    9 928 ms 945 ms 958 ms ge-3-3-0-ycr1.skt.cw.net [166.63.220.129]
    10 954 ms 958 ms * so-1-0-0-ycr1.cpi.cw.net [208.173.216.25]
    11 958 ms 958 ms 971 ms so-2-0-0-ycr2.cpi.cw.net [208.173.216.2]
    12 981 ms 958 ms 958 ms so-2-0-0-bcr1.amd.cw.net [208.173.211.233]
    13 1059 ms 1050 ms 1049 ms dcr1.nyk.cw.net [195.2.1.3]
    14 1050 ms 1037 ms 1036 ms 65.59.192.13
    15 1041 ms 1050 ms 1063 ms ge-0-3-0.bbr2.NewYork1.Level3.net [209.247.9.209]
    16 1050 ms 1036 ms 1076 ms ge-7-0-0.edge1.NewYork1.Level3.net [64.159.4.150]
    17 1050 ms 1063 ms 1050 ms xo-level3-oc12.NewYork1.Level3.net [209.244.160.178]
    18 1050 ms 1062 ms 1076 ms p5-0-0.RAR1.NYC-NY.us.xo.net [65.106.3.37]
    19 1115 ms 1523 ms 1757 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [65.106.0.29]
    20 1324 ms 1471 ms 1324 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [65.106.0.34]
    21 1141 ms 1141 ms 1141 ms p6-0-0.RAR2.LA-CA.us.xo.net [65.106.0.14]
    22 1732 ms 1377 ms 1456 ms p4-0-0.MAR2.LasVegas-NV.us.xo.net [65.106.5.34]
    23 1155 ms 1141 ms 1128 ms p15-0.CHR1.LasVegas-NV.us.xo.net [207.88.81.78]
    24 1404 ms 1181 ms * 66.238.47.34.ptr.us.xo.net [66.238.47.34]
    25 1614 ms 1378 ms 1378 ms 168.75.176.102

    Trace completed.

    In the above example, the structure of the packet passing through the network is very clearly displayed.
    We can assume that the firewall creates a certain chain of addresses, through which our
    package ... In the trace on jumps 1-3 you can see that the dialup server is filtering in
    packets, then the packet is sent over the network through the address chain ... In the final
    Finally you can see that our package comes to the destination - 168.75.176.102 ... In this
    I can say that it is more likely that the firewall is 66.238.47.34, although 100%
    I do not give the results, tk. in this case you need to be extremely careful ...

    C. Reading service banners.

    Well, this method I think is extremely simple, although at the moment it is extremely difficult to find such a fire
    a wolf that would have inferred information about itself, but again "what the hell is not joking" ... Read
    banners is that when you connect to the firewall, you get a message
    from a remote firewall ... Ie. at connection, for example 295 (port CheckPoint Firewall),
    You get information about the version of the firewall, then you can go with confidence
    in bugtraq vulnerability in this firewall, most often when I encountered firewalls
    CheckPoint, I was getting some information, at first I did not understand at all that she
    means ... And it consists that when you connect to the firewall CheckPoint, it you
    leads a certain sequence of numbers, for example: 30003, 30002, etc. As later I learned that
    this is typical of Firewall CheckPoint ...

    Well, as a matter of fact the most widespread ways of detection of an enemy firewall ... Now
    I want to tell you a few ways to circumvent the detected firewall ...
    So, let's go ...

    [3. Bypass Principle]


    We'll start with the fact that each firewall is configured to filter packets that you
    you send it when you connect to any port on the remote machine. And this happens on the wasps
    created firewall rules. Those. when connected, the firewall reads the package and an ana
    lyses all the data ... Ie. If your address is not in the base of the firewall, the firewall will not miss
    you into the internal network ... Many ways of circumventing the firewall come to mind. First, please
    lui the easiest way to bypass, is to scan the firewall subnet to find vulnerable ma
    tires and the subsequent breaking them ... I will also say that this method does not always roll, because ho
    A large administrator will most likely not be allowed to enter the entire subnet, but rather
    will put permission on selected network machines ...

    There is another very interesting way: Tunneling ICMP / UDP packets ... It concludes
    In some firewalls, there is no rule for blocking ICMP ECHO, ICMP ECHO REPLY,
    UDP. All this contributes to a good attack ... I will tell the tale that this method passes if you find
    Fire on the subnet of the firewall. To implement it you will need two programs: loki, lokid
    (daemon). In order to carry out the attack, you should install the daemon behind the firewall and after
    Using the loki utility ...

    [4. Conclusion]


    The conclusion can be made one - there is nothing perfect! In each device, program and
    etc. there are always ways to break it in every way, get around, and so on. Of course, in this article
    There are not all ways of circumventing firewalls ... There are a lot of ways ... As a hundred
    There are new ways to appear, new ways will appear ...