ADVANCED FIREWALL/IDS EVADING TECHNIQUES
The techniques that we have discussed here are very loud in nature and are often detected by firewalls and IDS. Even scan techniques such as XMAS, FIN, and NULL are not that accurate; also, they don’t work on the Windows operating system, so they have a limited advantage over firewalls and IDS.
In this section, I will discuss some of the techniques that can be used to evade firewall detection. There is no universal method to do this; it’s all based on trial and error. Thus, methods could work on some firewalls/IDS but fail with others. It all depends upon how strong the rule sets are.
The Nmap documentation discusses a wide variety of techniques that could be used to get past firewalls.
We will now briefly look at some of them:
Timing technique
Fragmented packets
Source port scan
TIMING TECHNIQUE
The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this technique is to send the packets gradually, so they do not end up being detected by firewalls/IDS. In Nmap we can launch a timing scan by specifying the -T option followed by a number ranging from 0 to 5. Increasing the value from T0 to T5 increases the speed of the scan.
T0—Paranoid
T1—Sneaky
T2—Polite
T3—Normal
T4—Aggressive
T5—Insane
Example
We will perform a sneaky scan (T1) and analyze its behavior in Wireshark:
nmap -T1 <target IP>

WIRESHARK OUTPUT

From the Wireshark output, you can clearly see the TCP packets being sent after a certain time interval.
FRAGMENTED PACKETS
During fragmentation we split the packets into small chunks, making it harder for the IDS to detect them. They can get past some IDS because the IDS inspects each fragment on its own rather than the reassembled packet, and so finds nothing suspicious in any single fragment. However, many modern IDS can rebuild the fragments into a single packet, making them detectable.
Example
nmap -f 192.168.15.1

WIRESHARK OUTPUT

This output shows us that the packets are split into fragments carrying 8 bytes of data each.
SOURCE PORT SCAN
It is very common for a network administrator to allow traffic from a certain source port. We can use this to our advantage to bypass badly configured firewalls. Common ports that we can specify as source are 53, 80, and 21.
Example
The -g parameter lets us specify a source port, which in this case is 53 (DNS).
nmap -PN -g 53 192.168.15.1
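As an added example that is not part of the original post, the Python script below takes the defender's side of all three techniques described above (timing, fragmentation and source port) and runs simple detection logic over a constructed packet summary. All addresses, ports, timestamps and thresholds in it are made up for illustration. It shows why a per-second SYN rate threshold misses a T1 scan while a cumulative distinct-port count catches it, how an IDS that reassembles fragments recovers the 20-byte TCP header that -f splits into 8-byte pieces, and why a SYN with source port 53 towards several ports is a signal on its own.

```python
# Added example (not code from the original post): defender-side checks for the
# three evasion techniques above, run over a constructed packet summary.
# All addresses, ports, timestamps and thresholds here are made up for illustration.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags visible in this packet ("S" = SYN); "" if the flags byte is not in it
    ip_id: int       # IP identification field (shared by all fragments of one datagram)
    frag_off: int    # fragment offset in bytes (0 = unfragmented or first fragment)
    mf: bool         # IP "More Fragments" bit
    payload: int     # bytes of transport-layer data carried in this IP packet

TARGET = "192.168.15.1"
SAMPLE = []
# 10.0.0.5: one SYN every 15 s to ten ports (the pattern of nmap -T1)
SAMPLE += [Pkt(15.0 * i, "10.0.0.5", 40000 + i, TARGET, p, "S", 1000 + i, 0, False, 0)
           for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
# 10.0.0.7: one SYN to port 80 whose 20-byte TCP header is split 8+8+4 (the pattern of nmap -f);
# the ports are in the first 8 bytes, the flags byte (offset 13) only in the second fragment
SAMPLE += [Pkt(1.0, "10.0.0.7", 40001, TARGET, 80, "", 777, 0, True, 8),
           Pkt(1.0, "10.0.0.7", 0, TARGET, 0, "", 777, 8, True, 8),
           Pkt(1.0, "10.0.0.7", 0, TARGET, 0, "", 777, 16, False, 4)]
# 10.0.0.9: a fast SYN scan sent from source port 53 (the pattern of nmap -g 53)
SAMPLE += [Pkt(2.0 + 0.01 * i, "10.0.0.9", 53, TARGET, p, "S", 2000 + i, 0, False, 0)
           for i, p in enumerate([22, 80, 443, 445, 3389, 8080])]
# 10.0.0.2: an ordinary client opening one HTTPS connection
SAMPLE.append(Pkt(3.0, "10.0.0.2", 51234, TARGET, 443, "S", 3000, 0, False, 0))

def rate_based_alerts(packets, window=1.0, min_syn=5):
    """Naive detector: sources sending >= min_syn SYNs within any `window` seconds.
    A slow (-T0/-T1) scan is designed to stay under exactly this kind of threshold."""
    times = defaultdict(list)
    for p in packets:
        if "S" in p.flags:
            times[p.src].append(p.ts)
    hits = set()
    for src, ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:   # slide the window start forward
                j += 1
            if i - j + 1 >= min_syn:
                hits.add(src)
    return hits

def slow_scan_alerts(packets, min_ports=8):
    """Cumulative detector: distinct destination ports per source over the whole
    capture, with no time window, so spreading probes out in time does not help."""
    ports = defaultdict(set)
    for p in packets:
        if "S" in p.flags:
            ports[p.src].add(p.dport)
    return {src: len(ps) for src, ps in ports.items() if len(ps) >= min_ports}

def tiny_fragment_alerts(packets, min_first=20):
    """First fragments carrying less than a minimal 20-byte TCP header: the flags then
    sit in a later fragment, so a filter inspecting packets one at a time never sees them."""
    return {(p.src, p.dst, p.ip_id) for p in packets
            if p.frag_off == 0 and p.mf and p.payload < min_first}

def reassemble(packets):
    """Group fragments by (src, dst, ip_id), check they are contiguous and end with MF
    clear, and return {key: (bytes reassembled, complete?)}. An IDS doing this recovers
    the full header that -f split up and can match on it as usual."""
    groups = defaultdict(list)
    for p in packets:
        if p.mf or p.frag_off > 0:
            groups[(p.src, p.dst, p.ip_id)].append(p)
    result = {}
    for key, frags in groups.items():
        total, complete = 0, False
        for f in sorted(frags, key=lambda q: q.frag_off):
            if f.frag_off != total:          # gap or overlap: stop, datagram stays incomplete
                break
            total += f.payload
            complete = not f.mf
        result[key] = (total, complete)
    return result

SERVICE_SPORTS = {21, 53, 80}   # source ports a weak "allow from port N" rule might trust

def source_port_abuse_alerts(packets, min_ports=3):
    """A SYN whose *source* port is a service port is already odd (a DNS or web server
    replies, it does not initiate); SYNs to several distinct destination ports is a scan.
    A stateful policy admitting only replies to existing connections needs no such rule."""
    seen = defaultdict(set)
    for p in packets:
        if "S" in p.flags and p.sport in SERVICE_SPORTS:
            seen[p.src].add(p.dport)
    return {src: sorted(ps) for src, ps in seen.items() if len(ps) >= min_ports}
```

Running the detectors on SAMPLE: rate_based_alerts reports only 10.0.0.9 (the fast scanner) and misses the T1-style host 10.0.0.5, while slow_scan_alerts flags 10.0.0.5 with 10 distinct ports; tiny_fragment_alerts flags the 8-byte first fragment from 10.0.0.7 and reassemble rebuilds its 20-byte header; source_port_abuse_alerts lists the six ports probed from source port 53. The lesson for a rule set is the one the text gives: combine rate with cumulative counts, reassemble before matching, and prefer stateful rules over "allow from port 53".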