While mapping out firewall rules can be valuable, bypassingrules is often the primary goal. Nmap implements many techniques fordoing this, though most are only effective against poorly configurednetworks. Unfortunately, those are common. Individual techniqueseach have a low probability of success, so try as many different methodsas possible. The attacker need only find one misconfiguration to succeed, whilethe network defenders must close every hole.
The previous section discussed using an ACK scan to map outwhich target network ports are filtered. However, it could not determinewhich of the accessible ports were open or closed. Nmap offersseveral scan methods that are good at sneaking past firewalls whilestill providing the desired port state information.FIN scanis onesuch technique. In the section called “ACK Scan”, SYN and ACK scans were run against a machine named Para. The SYNscan showed only two open ports, perhaps due to firewall restrictions.Meanwhile, the ACK scan is unable to recognize open ports from closedones. Example 10.6 shows anotherscan attempt against Para, this time using a FIN scan.Because a naked FIN packet is being set, this packet flies past therules blocking SYN packets. While a SYN scan only found one open portbelow 100, the FIN scan finds both of them.
Example 10.6. FIN scan against stateless firewall
Many other scan types are worth trying, since the targetfirewall rules and target host type determine which techniques willwork. Some particularly valuable scan types areFIN,Maimon,Window,SYN/FIN, andNULL scans.These are all described in Chapter 5, Port Scanning Techniques and Algorithms.
Bypass FORTINET in No Time and access blocked site in easy step. Follow the video and Bypass FORTINET in No Time and access blocked site. If the trick works. How to Disable, Avoid or Bypass a Fortinet Web Filter. The Fortinet Web Filter is a URL filtering service designed to assist system administrators in blocking content on their network. Since Fortinet URL filtering rules are amassed from a global pool of data, the software can end up filtering out Websites containing. 2012-01-16 11:43:00. The best way to bypass your employer's Fortinet is to use a smartphone to watch YouTube. It solves the issue of tracking any security breach on their network. Just be careful not to get fired for watching videos at your job.
One surprisingly common misconfiguration is to trust trafficbased only on the source port number. It is easy to understand howthis comes about. An administrator will set up a shiny new firewall,only to be flooded with complains from ungrateful users whoseapplications stopped working. In particular, DNS may be brokenbecause the UDP DNS replies from external servers can no longer enterthe network. FTP is another common example. In active FTP transfers,the remote server tries to establish a connection back to the clientto transfer the requested file.
Secure solutions to these problems exist, often in the form ofapplication-level proxies or protocol-parsing firewall modules.Unfortunately there are also easier, insecure solutions. Noting thatDNS replies come from port 53 and active FTP from port 20, many administratorshave fallen into the trap of simply allowing incoming traffic fromthose ports. They often assume that no attacker would notice andexploit such firewall holes. In other cases, administrators consider this ashort-term stop-gap measure until they can implement a more securesolution. Then they forget the security upgrade.
Overworked network administrators are not the only ones to fallinto this trap. Numerous products have shipped with these insecurerules. Even Microsoft has been guilty. The IPsec filters thatshipped with Windows 2000 and Windows XP contain an implicit rule thatallows all TCP or UDP traffic from port 88 (Kerberos). Apple fansshouldn't get too smug about this because the firewall which shippedwith Mac OS X Tiger is just as bad. Jay Bealediscoveredthat even if you enable the “Block UDP Traffic” box in the firewallGUI, packets from port 67 (DHCP) and 5,353 (Zeroconf) pass rightthrough. Yet another pathetic example of this configuration is that Zone Alarm personal firewall (versions up to 2.1.25) allowed any incoming UDP packetswith the source port 53 (DNS) or 67 (DHCP).
Nmap offers the -g and--source-portoptions (they are equivalent) to exploit theseweaknesses. Simply provide a port number, and Nmap will send packetsfrom that port where possible. Nmap must use different port numbersfor certain OS detection tests to work properly. Most TCP scans, including SYN scan,support the option completely, as does UDP scan. In May 2004,JJ Grayposted example Nmap scans to Bugtraq that demonstrate exploitation ofthe Windows IPsec source port 88 bug against one of his clients. Anormal scan, followed by a -g 88 scan are shown inExample 10.7. Some output hasbeen removed for brevity and clarity.
Example 10.7. Bypassing Windows IPsec filter using source port 88
Note that the closed port 88 was the hint that lead JJ to tryusing it as a source port. For further information on thisvulnerability, see MicrosoftKnowledge Base Article 811832.
While IPv6 has not exactly taken the world by storm, it isreasonably popular in Japan and certain other regions. Whenorganizations adopt this protocol, they often forget to lock it downas they have instinctively learned to do with IPv4. Or they may tryto, but find that their hardware does not support IPv6 filteringrules. Filtering IPv6 can sometimes be more critical than IPv4because the expanded address space often allows the allocation ofglobally addressable IPv6 addresses to hosts that would normally haveto use theprivate IPv4 addressesspecified by RFC 1918.
Performing an IPv6 scan rather than the IPv4 default is often aseasy as adding -6to the command line. Certainfeatures such as OS detection and UDP scanning are not yet supportedfor this protocol, but the most popular features work. Example 10.8 demonstrates IPv4 and IPv6scans, performed long ago, of a well-known IPv6 development andadvocacy organization.
Example 10.8. Comparing IPv4 and IPv6 scans
The first scan shows numerous filtered ports, includingfrequently exploitable services such as SunRPC, Windows NetBIOS, andNFS. Yet scanning the same host with IPv6 shows no filtered ports!Suddenly SunRPC (port 111)is available, and waiting to be queried by an IPv6-enabledrpcinfoor by Nmap versiondetection, which supports IPv6. They fixed the issue shortly after Inotified them of it.
In order to perform an IPv6 scan, a system must be configuredfor IPv6. It must have an IPv6 address and routing information.Since my ISPs do not provide IPv6 addresses, I use the free IPv6 tunnelbrokerservice at http://www.tunnelbroker.net. Other tunnel brokers are listed at Wikipedia. 6to4 tunnels are another popular,free approach. Of course, this technique also requires that the targetuse IPv6.
The IP ID idle scan has a reputation for being one of the moststealthy scan types, since no packets are sent to the target from yourreal address. Open ports are inferred from the IP ID sequences of achosen zombie machine. A less recognized feature of idle scan is thatthe results obtained are actually those you would get if the zombiewas to scan the target host directly. In a similar way that the-g option allows exploitation of trusted sourceports, idle scan can sometimes exploit trusted source IP addresses.This ingenious scan type, which was originally conceived by securityresearcher Antirez, is described fully in the section called “TCP Idle Scan (-sI)”.
A common issue when trying to scan through firewalled networksis that dropped ping probes can lead to missed hosts. To reduce thisproblem, Nmap allows a very wide variety of probes to be sent inparallel. Hopefully at least one will get through. Chapter 3, Host Discovery (“Ping Scanning”) discusses these techniques in depth, including empirical data on thebest firewall-busting techniques.
Some packet filters have trouble dealing with IP packetfragments. They could reassemble the packets themselves, but thatrequires extra resources. There is also the possibility thatfragments will take different paths, preventing reassembly. Due tothis complexity, some filters ignore all fragments, while othersautomatically pass all but the first fragment. Interesting things canhappen if the first fragment is not long enough to contain the wholeTCP header, or if the second packet partially overwrites it. Thenumber of filtering devices vulnerable to these problems is shrinking,though it never hurts to try.
An Nmap scan will use tiny IP fragmentsif the-fis specified. By default Nmap will include up to eight bytes of data ineach fragment, so a typical 20 or 24 byte (depending on options) TCPpacket is sent in three tiny fragments. Every instanceof -f adds eight to the maximum fragment data size.So -f -f allows up to 16 data bytes within eachfragment. Alternatively, you can specify the --mtuoption and give the maximum data bytes as an argument.The --mtu argument must be a multiple of eight, andcannot be combined with the -f option.
Some source systems defragment outgoing packets in the kernel. Linuxwith the iptablesconnection tracking module is one such example. Do a scan while asniffer such asWiresharkis running to ensure that sent packets are fragmented. If your hostOS is causing problems, trythe --send-ethoption to bypass the IP layer and send raw ethernet frames.
Fragmentation is only supported for Nmap's raw packet features,which includes TCP and UDP port scans (except connect scan and FTPbounce scan) and OS detection. Features such as version detection andthe Nmap Scripting Engine generally don't support fragmentation becausethey rely on your host's TCP stack to communicate with target services.
Out-of-order and partially overlapping IP fragments can beuseful for Network research and exploitation, but that calls for aneven lower-level networking tool than Nmap. Nmap sends fragments inorder without any overlaps.
If a fragmented port scan gets through, a tool such as Fragroutecan be used to fragment other tools and exploits used toattack the host.
Application-level proxies, particularly for the Web, have becomepopular due to perceived security and network efficiency (throughcaching) benefits. Like firewalls and IDS, misconfigured proxies cancause far more security problems than they solve. The most frequentproblem is a failure to set appropriate access controls. Hundreds ofthousands of wide-open proxiesexist on the Internet, allowinganyone to use them as anonymous hopping points to other Internetsites. Dozens of organizations use automated scanners to find theseopen proxies and distribute the IP addresses. Occasionally theproxies are used for arguably positive things, such as escaping thedraconian censorship imposed by the Chinese government on itsresidents. This “great firewall of China” has been known to block theNew York Times web site as well as other news, political, and spiritualsites that the government disagrees with. Unfortunately, the openproxies are more frequently abused by more sinister folks who want toanonymously crack into sites, commit credit card fraud, or flood theInternet with spam.
While hosting a wide-open proxy to Internet resources can causenumerous problems, a more serious condition is when the open proxiesallow connections back into the protected network. Administrators whodecide that internal hosts must use a proxy to access Internetresources often inadvertently allow traffic in the opposite directionas well. The hackerAdrian Lamois famous for breaking into Microsoft,Excite, Yahoo, WorldCom, the New York Times, and other large networks,usually by exploiting this reverse-proxy technique.
Nmap does not presently offer a proxy scan-through option,though it is high on the priority list. the section called “SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection” discusses a way to find open proxies usingNmap version detection. In addition, plentyof dedicated free proxy scanners are available on Internet sites such asPacket Storm.Lists of thousands of open proxies are widespread as well.
Ethernet devices (including Wi-Fi) are identified by a uniquesix-byte media access control (MAC) address. The first three bytes makeup an organizationally unique identifier(OUI). This prefix is assigned to avendor by the IEEE. The vendor is then responsible for assigning theremaining three bytes uniquely in the adapters and devices it sells.Nmap includes a database which maps OUIs to the vendor names they areassigned to. This helps in identifying devices while scanning anetwork, though this section describes why it can't be completelytrusted. The OUI database file,nmap-mac-prefixes,is described in the section called “MAC Address Vendor Prefixes: nmap-mac-prefixes”.
While MAC addresses are pre-assigned to ethernet devices, theycan be changed with a driver on most current hardware. But since fewpeople change their MAC address (or even know they have one), manynetworks use them for identification and authorization purposes. Forexample, most wireless access points provide a configuration optionfor limiting access to a certain set of MAC addresses. Similarly,some paid or private networks will force you to authenticate or payafter you connect using a web form. Then they will allow you accessto the rest of the network based on your MAC address. Given that itis generally easy to sniff MAC addresses (they must be sent in everyframe sent and received), and then to spoof that MAC to gainunauthorized access to the network, this form of access control israther weak. It is also only effective at the edges of a network,since an end-host's MAC address is replaced when traversing arouter.
In addition to access control, MAC addresses are sometimes usedfor accountability. Network admins will record MAC addresses whenthey obtain a DHCP lease or when a new machine communicates on thenetwork. If network abuse or piracy complaints are received later,they figure out the MAC address based on the IP address and incidenttime. Then they use the MAC to track down the responsible machine andits owner. The ease of MAC address spoofing undermines this approachto some degree. Even when users are guilty, they may raise thespecter of MAC address spoofing to deflect responsibility.
Nmap supports MAC address spoofing with the--spoof-mac option.The argument given can take several forms. If it is simply the number 0, Nmap chooses a completely random MAC address for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If fewer than 12 hex digits are provided, Nmap fills in the remainder of the six bytes with random values. If the argument isn't a zero or hex string, Nmap looks through nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI and fills out the remaining three bytes randomly. Valid --spoof-mac argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. This option implies --send-eth to ensure that Nmap actually sends ethernet-level packets. This option only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection or the Nmap Scripting Engine.
Even when MAC address spoofing isn't needed for network access,it can be used for deception. If I'm at a conference and launch ascan from my Thinkpad with --spoof-mac Apple,suspicious eyes may turn to the MacBook users in the room.
This old-school technique is still effective in some cases.Ifa particular router on the path is causing you trouble, try to find aroute around it. Effectiveness of this technique is limited becausepacket filtering problems usually occur on or near the target network.Those machines are likely to either drop all source routed packets orto be the only way into the network. Nmap supports both loose andstrict source routing using the--ip-options option.For example, specifying --ip-options 'L 192.168.0.7192.168.30.9' requests that the packet be loose source routedthrough those two given IP way points. Specify Sinstead of L for strict source routing. If youchoose strict source routing, keep in mind that you will have tospecify every single hop along the path.
For a real-life example of source routing used to evadefiltering policies on a modern network, seethe section called “A Practical Real-life Example of Firewall Subversion”. While IPv4 source routing isvery commonly blocked, theIPv6form of source routing is much morepervasive. An interesting article on that problem is available athttp://lwn.net/Articles/232781/.
If a source routed path to a target machine is discovered withNmap, exploitability is not limited to port scanning.Ncatcan enable TCP and UDP communication over source routed paths (use the-goption).
While only a small percentage of FTP servers are stillvulnerable, it is worth checking all of your clients' systemsfor this problem. At a minimum, it allows outside attackers toutilize vulnerable systems to scan other parties. Worseconfigurations even allow attackers to bypass the organization'sfirewalls. Details and examples of this technique are provided inthe section called “TCP FTP Bounce Scan (-b)”. Example 10.9 shows an HP printer beingused to relay a port scan. If this printer is behind theorganization's firewall, it can be used to scan normally inaccessible(to the attacker) internal addresses as well.
Example 10.9. Exploitinga printer with the FTP bounce scan
I hate to overuse the “think outside the box”cliché, but continually banging on the front door of a well-securednetwork is not always the best approach. Look for other ways in.Wardial their phone lines, attack subsidiaries who may have specialnetwork access, or show up at their offices with Wi-Fi sniffingequipment, or even sneak in and plug into a convenient ethernet jack.Nmap works well through all of these connections. Just make sure thatyourpenetration-testing contractcovers these methods before yourclient catches you in a ninja suit grappling onto their datacenterrooftop.
A Practical Real-life Example of Firewall Subversion
Now that many individual techniques forbypassing firewall rules have been covered, it is time to put them together in a real-life penetration testing scenario. Itall started witha postto the SecurityFocus pen-test list from security proMichael Cain.He and coworkerDemetris Papapetrouwere penetration testing theinternal network of a large corporation and had just bypassed firewall rules meant toprevent one VLAN from accessing another. I was pleased to read thatthey performed this feat using Nmap, and I wrote them for the wholestory. It is both instructional and inspirational in that itdemonstrates the value of perseverance and trying every technique youknow, even after the most common exploits fail. Don't let thatfirewall beat you!
The story starts with Michael and Demetris performing anNmap scan which shows that they arestuck on a heavily filtered network. They can reach somecorporate servers, but not any of the (potentially vulnerable) desktopclient machines which have to exist somewhere on the network. Perhaps they are on arestricted conference room or lobby network, or maybe a wirelessaccess point set up for corporate guests. Some of the discovered hosts and networksare shown in Example 10.10. A few details in thisstory (such as IP addresses) have been changed for confidentialityreasons. I will call the target corporation Megacorp.
Example 10.10. Some interesting hosts and networks at Megacorp
Given the goal of determining if any hosts are hiding on the10.10.10.0/24 network, Demetris starts with a simple ping scan usingICMP echo request queries (-PE). The results areshown in Example 10.11.
Example 10.11. Ping scan against the target network
The ping scan fails to find any responsive hosts. Demetris is understandably disappointed, but at least it makes thissection more interesting and instructive. Perhaps the network trulyis empty, but it could also be packed with vulnerable machines whichDemetris is blocked from accessing. He needs to dig deeper. InExample 10.12, Demetris chooses one IP onthat network and performs a ping scan. He specifies the packettracing (--packet-trace) and extra verbosity(-vv) options to determine what is going on at thepacket level. The reason for choosing just one IP is to avoid aconfusing flood of hundreds of packets.
Example 10.12. Packet trace against a single IP
It seems that Demetris is receiving ICMP host unreachablemessages when trying to scan these IPs (or at least this one). Routerscommonly do that when a host is unavailable and so they can't determinea MAC address. It is also occasionally caused by filtering.Demetris scans the other hosts on the network and verifies that theybehave the same way. It is possible that only ICMP packets arefiltered, so Demetris decides to try a TCP SYN scan. He runs thecommand nmap -vv -n -sS -T4 -Pn --reason10.10.10.0/24.All ports are shown as filtered, andthe --reason results blame some host unreachablemessages and some nonresponsive ports. The nonresponsive ports maybe due to rate limiting ofhost unreachablemessages sent by therouter. Many routers will only send one of these every few seconds.Demetris can verify whether rate limiting is the cause by running thescan again and seeing if the host unreachable messages come forexactly the same set of ports. If the ports are the same, it may be aspecific port-based filter. If Nmap receives host-unreachablemessages for different ports each time, rate limiting is likely thecause.
If a filter is causing the problem, it could be a simplestateless firewall as is commonly available on routers and switches.As discussed in previous sections, these sometimes allow TCP ACKpackets through unmolested. Demetris repeats the scan, butspecifies -sA for an ACK scan ratherthan -sS. Any unfiltered portsfound by the scan would suggest that the ACK packets made it throughand elicited a TCP RST response from the target host. Unfortunately,the results were all filtered in this case, just aswith the SYN scan.
Demetris decides to try something more advanced. He alreadyknows that port 445 is open on the Windows machine at 10.10.6.30(files2.megacorp.com) from his initial Nmap scan. While Demetrishasn't been able to reach the 10.10.10.0/24 network directly, perhaps files2 (beingan important company file server) is able to access that IP range.Demetris decides to try bouncing his scans off files2 using the IPID Idlescan. First he wants to ensure that files2 works as a zombie bytesting it against 10.10.6.60—a known-responsive machine with port 25 open. The results of this test are shown in Example 10.13.
Example 10.13. Testing an idle scan
Using 10.10.6.30 as an Idle Zombie didn't work out well. If theproblem was due to heavy traffic, he could try again in the middle ofthe night. The --packet-trace option combined withthorough reading of the section called “TCP Idle Scan (-sI)” couldhelp determine why 10.10.6.30 isn't working as a zombie. Demetristries the handful of other hosts he has found on the network, and nonework as zombies.
Demetris begins to worry about whether he will ever crack intothe 10.10.10.0/24 network. Fortunately, he is an old hand atthis and has another trick up his sleeve—IPsource routing.Inthe early days of the Internet (and even today with IPv6), sourcerouting was an important and widely deployed network diagnosis feature.It allows you to specify the hops you want a packet totake to its target rather than relying on normal routing rules. Withstrict source routing, you must specify every hop. Loosesource routing allows you to fill in key IP way points, while normalInternet routing fills in hop details between those way points.
Long ago the networking community reached consensus that sourcerouting is more trouble (particularly for security) than it isworth. Many (if not most) routers are configured to drop sourcerouted IPv4 packets, so some folks have considered the problem fixedsince the early 90's. Yet source routing, like SYN flooding andTelnet password sniffing, continues as a rare but potentrisk. Demetris tests this attack by ping-scanning files2(10.10.6.30) using packets loose-source-routed through the 10.10.6.60 mail server.Results are shown in Example 10.14.
Example 10.14. Testing source routing
Demetris is both surprised and delighted that the test works. He immediately turns his attention to his true target network, repeating his initial ping scan with an additional option: --ip-options 'L 10.10.6.60'. This time, Nmap reports that the machine at 10.10.10.7 is responsive. Demetris learns that it wasn't reachable before because the 10.10.10.0/24 and 10.10.5.0/24 subnets are on different router VLANs configured to prevent them from communicating to each other. Demetris' source routing technique opened a big loophole in that policy! Demetris follows up with a SYN scan of the 10.10.10.7 machine, as shown in Example 10.15.
Fortinet Firewall Default Login
Example 10.15. Success at last
How To Crack Fortinet Firewall Bypass Tool
Demetris omitted OS detection and version detectionfrom this initial scan, but this looks like a Windows machine from the openport profile. Demetris can now connect to and access these ports aslong as he uses tools such as Ncatwhich offer source routingoptions. I don't know what happens next in the story, but I'mguessing that it involves Demetris fully penetrating the networkand then helping the company redesign it more securely.