How to bypass firewall using Nmap


There are several approaches to network penetration testing. Businesses typically commission these tests to find out whether their network, and every device connected to their internal network, is secure and kept up to date in line with the policies they have established.

Imagine that a firm has hired you to conduct a network-based penetration test for them, but all you have is a list of IP addresses, and even then, the corporation isn’t entirely sure how many IP addresses are used internally because there is always the possibility that there are more.

If you haven't developed your own approach, the first thing you'll do is scan all of the IP addresses and all of the services running on them. If that doesn't work, the next step is to design your own methodology. Once you know which services are running, you can look for vulnerabilities in each one and attempt to exploit them. But now things take an unexpected turn. You will probably run into a firewall at some point, and it may silently discard the packets that Nmap (or any other port scanner) generates.

Now what to do?

It turns out there are several methods you can use to evade firewalls. Not all of them will work, depending on how the firewall has been hardened, but they are worth trying.

Out of the many evasion techniques, we’ll be discussing 2 here and a few more in the next blog post.

  1. TCP Stealth Scan, Null Scan, FIN Scan, Xmas Scan
  2. Evading Firewall by controlling the Source IP address, proxy, Mac Address and the Source Port Number.

Method 1

Change Scan Types


The TCP header diagram referenced above shows a typical TCP packet. Whenever you communicate over TCP, packets of this form are sent. Unless told otherwise, Nmap also uses TCP packets to scan the target. A TCP header carries control flags that are set depending on what you wish to accomplish; the six flags discussed here are URG, ACK, PSH, RST, SYN and FIN.

TCP Stealth Scan

This is the default scan if you run nmap using the root/administrator account.

Nmap provides a variety of scan options, each of which can be used to scan hosts on the network. The -sS option selects this scan type. It is fast and can be helpful for evasion.


A full TCP handshake is performed whenever an ordinary port scan is carried out. It has three stages. The client (you) initiates communication by sending a SYN. The server returns a SYN-ACK, and the client (you) completes the handshake by sending an ACK. At that point the TCP handshake is considered complete, and this is how a standard port scan works. As you probably know, this takes time and the completed connections are logged, which can immediately draw the attention of the security operations centre (SOC) team or trigger rules configured in a firewall.

An alternative is a TCP Stealth Scan. Here the TCP handshake is never completed: as soon as the server sends its SYN-ACK, the client (you) replies with an RST to the server. This ensures that we never establish a full TCP connection, and because the server responded with a SYN-ACK, we can confirm that the port is open.

Syntax: nmap -sS TARGET_ADDRESS

TCP Null Scan

This is a very particular kind of scan. As noted above, a TCP packet has six flags; in a Null scan none of them is set, so every flag is 0. Because all of the flags are 0, an open port produces no reaction at all. If the probe reaches a port that is actually closed, however, the server replies with a packet that has the RST flag set. Nmap uses this difference to decide which ports are open and which are closed. The scan can produce false positives, because it relies solely on the presence or absence of an RST to judge whether a port is open or closed.

Syntax: nmap -sN TARGET_ADDRESS

TCP FIN Scan

This works much like a Null scan, except that the FIN flag is set. If the port is open, the server sends no response back; if the port is closed, it sends an RST.

Syntax: nmap -sF TARGET_ADDRESS

Custom Scan

What if you want to experiment with a scan type that isn't on the list? Nmap lets you define your own scan type with the --scanflags switch.

You can combine any of the six flags mentioned above (URG, ACK, PSH, RST, SYN, FIN).

If I want to perform a scan with the RST, SYN and FIN flags set, the method is:

Syntax: nmap --scanflags RSTSYNFIN TARGET_ADDRESS

Note: All of the above scans require you to have administrative privileges.
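The flip side of the scan types above is that each one leaves a recognisable trace, which is what a firewall rule or a SOC analyst looks for. The following added example (not code from the original post) takes a small, constructed connection log in a made-up "src_ip src_port dst_ip dst_port flag_letters" format and picks out two things: packets whose flag combination no normal TCP stack would send to open a conversation (Null, FIN, Xmas, and any SYN+FIN combination such as the custom RSTSYNFIN scan), and flows that went SYN, SYN-ACK, RST without ever sending an ACK, which is exactly the -sS exchange described above. The log lines, the format and the sample addresses are all constructed for the example.

```python
"""Spot the scan patterns described above in a connection log.

Added example, not code from the original post. The log format
(src_ip src_port dst_ip dst_port flag_letters) and every line in it are
constructed for this example; a real deployment would feed it from a
packet capture or firewall log instead.
"""

FLAG_LETTERS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# Flag sets a well-behaved TCP stack never uses to open a conversation;
# each corresponds to one of the Nmap scan types discussed above.
SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
}

SAMPLE_LOG = """\
# constructed sample: 10.0.0.5 probes 10.0.0.9
10.0.0.5 40001 10.0.0.9 22 S
10.0.0.9 22 10.0.0.5 40001 SA
10.0.0.5 40001 10.0.0.9 22 R
10.0.0.5 40002 10.0.0.9 80 S
10.0.0.9 80 10.0.0.5 40002 SA
10.0.0.5 40002 10.0.0.9 80 A
10.0.0.5 40003 10.0.0.9 443 -
10.0.0.5 40004 10.0.0.9 25 F
10.0.0.5 40005 10.0.0.9 21 FPU
10.0.0.5 40006 10.0.0.9 23 RSF
"""


def parse_log(text):
    """Turn log lines into packet dicts; a '-' in the flag column means no flags set."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, letters = line.split()
        flags = frozenset() if letters == "-" else frozenset(FLAG_LETTERS[c] for c in letters)
        packets.append({"src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "flags": flags})
    return packets


def flag_anomalies(packets):
    """Return (src, dst, dport, label) for every packet carrying a scan-style flag set."""
    hits = []
    for p in packets:
        f = p["flags"]
        if f in SIGNATURES:
            label = SIGNATURES[f]
        elif {"SYN", "FIN"} <= f:
            label = "SYN+FIN together (never legitimate; e.g. --scanflags)"
        else:
            continue
        hits.append((p["src"], p["dst"], p["dport"], label))
    return hits


def half_open_flows(packets):
    """Return client 4-tuples that went SYN -> SYN/ACK -> RST without an ACK.

    That is the -sS (stealth) exchange: the port answered, but the client
    tore the handshake down instead of completing it.
    """
    state = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        f = p["flags"]
        if f == {"SYN"}:
            state[fwd] = "syn"                      # client opened
        elif f == {"SYN", "ACK"} and state.get(rev) == "syn":
            state[rev] = "synack"                   # server answered
        elif state.get(fwd) == "synack":
            if "ACK" in f:
                state[fwd] = "established"          # handshake completed
            elif "RST" in f:
                state[fwd] = "half_open"            # aborted after SYN/ACK
    return sorted(k for k, v in state.items() if v == "half_open")


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for hit in flag_anomalies(pkts):
        print("flag anomaly:", hit)
    for flow in half_open_flows(pkts):
        print("half-open probe:", flow)
```

Run against the sample, the flag check reports the probes to ports 443 (Null), 25 (FIN), 21 (Xmas) and 23 (SYN+FIN), while the flow tracker reports only the connection to port 22 as half-open; the connection to port 80, which was completed with an ACK, is left alone. A single half-open flow is not evidence of anything, so in practice the count is aggregated per source over a time window before alerting.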

Method 2

Evading Firewall by controlling the Source IP address, Proxy, Mac Address and the Source Port Number

Although at first glance Nmap might appear no different from any other straightforward scanner on the market, the tool is significantly more powerful than you might expect. It can help you spoof or mask your IP address, change your MAC address while performing port scans, relay the port scan through a proxy, and even fix the source port number from which probes are sent. All of these functions can be used at the same time.

Using Proxy

Using a proxy or a VPN in public places is always beneficial and safe. During a network pentest, a proxy can help keep your IP address unknown, as the TCP/UDP requests are sent through the proxy. It can also be helpful when you need to scan the network from a specific IP address. Suppose you want to proxy your requests through 10.10.10.10 (which is set up as a proxy in your network); the syntax to use a proxy during the scan is:

nmap -sS --proxies 10.10.10.10 TARGET_ADDRESS

Spoofing Mac Address

On some networks, filtering is done based on the MAC address. If you scan a local network, the firewall may deny requests originating from your machine because your MAC address is not whitelisted. In this scenario, you can easily change (spoof) your MAC address with Nmap. This is done with:

nmap --spoof-mac 0 TARGET_ADDRESS

I've set it to 0. In this case, Nmap generates a random MAC address for me and then scans the network. You can also set it to a specific address of your choosing, or to one that is allowed on the network.

Spoofing the IP Address


IP spoofing has been around for ages. It works by setting the source IP address of a packet to that of a device you don't own. Historically this was mostly used by attackers to cause a DoS attack on a particular device. In our case, we can set any IP address as long as it belongs to our own network; this is what lets us capture the replies sent by the server.

For example, if our attacker machine is 1.1.1.2, the victim server is 2.2.2.2, and we control the 1.1.1.1 machine, we can set the source IP address to 1.1.1.1.

Now, because the source IP address is set to 1.1.1.1, the response from 2.2.2.2 (the victim server) will be sent to 1.1.1.1.

Use cases for this technique depend on what you are trying to accomplish. If you don't want your own machine to be blacklisted, this can be an effective approach.

Syntax: nmap -S 1.1.1.1 TARGET_ADDRESS

Fix the Source Port Number

We've talked about spoofing IP addresses, MAC addresses and using proxies, but what if the firewall is configured to accept packets only from a specific source port number? That can be handled with the -g or --source-port switch.

Here I've chosen source port 80, so all requests will be sent from port 80.

Syntax: nmap -g 80 TARGET_ADDRESS
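The reason a fixed source port gets through is that the firewall rule trusts a packet's source port instead of tracking connection state. The following added example (not code from the original post) puts the weak rule and the corrected one side by side and adds two detections for the pattern: an unsolicited SYN arriving *from* a well-known port, which a real server never sends because servers answer from the port they were contacted on, and one (source IP, source port) pair fanning out to many destination ports. The packet records, addresses, the trusted-port list and the fan-out threshold are all constructed for the example.

```python
"""Detect fixed-source-port scans and show why a stateless port rule is weak.

Added example, not code from the original post. Packet records are
constructed tuples (src_ip, src_port, dst_ip, dst_port, flag_letters);
the trusted-port list and threshold are assumptions for illustration.
"""
from collections import defaultdict

TRUSTED_SOURCE_PORTS = {20, 53, 80, 443}   # ports a naive ACL might whitelist
FANOUT_THRESHOLD = 5                       # distinct dst ports before we alert

# constructed sample: 192.0.2.10 sweeps 198.51.100.7 with the source port pinned to 80
SAMPLE_PACKETS = [
    ("192.0.2.10", 80, "198.51.100.7", 21, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 22, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 25, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 110, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 143, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 3306, "S"),
    # legitimate return traffic from a web server we contacted: SYN/ACK, then data
    ("203.0.113.5", 80, "198.51.100.7", 51234, "SA"),
    ("203.0.113.5", 80, "198.51.100.7", 51234, "PA"),
    # our own outbound connection from an ephemeral port
    ("198.51.100.7", 51234, "203.0.113.5", 80, "S"),
]


def is_unsolicited_syn(flags):
    """A SYN without ACK is a connection attempt, not a reply."""
    return "S" in flags and "A" not in flags


def suspicious_source_ports(packets):
    """Connection attempts that originate *from* a trusted service port."""
    return [p for p in packets
            if is_unsolicited_syn(p[4]) and p[1] in TRUSTED_SOURCE_PORTS]


def fixed_port_fanout(packets, threshold=FANOUT_THRESHOLD):
    """Map (src_ip, src_port) -> sorted dst ports for sources with wide fan-out."""
    seen = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if is_unsolicited_syn(flags):
            seen[(src, sport)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


def outbound_connections(packets, our_ip):
    """Connections this host opened itself (the state a stateful rule keeps)."""
    return {(src, sport, dst, dport) for src, sport, dst, dport, flags in packets
            if src == our_ip and is_unsolicited_syn(flags)}


def stateless_allows(packet):
    """Weak rule: admit anything whose source port is on the whitelist."""
    return packet[1] in TRUSTED_SOURCE_PORTS


def stateful_allows(packet, established):
    """Corrected rule: admit inbound packets only for connections we opened."""
    src, sport, dst, dport, _ = packet
    return (dst, dport, src, sport) in established   # our side first, then theirs


if __name__ == "__main__":
    est = outbound_connections(SAMPLE_PACKETS, "198.51.100.7")
    for p in SAMPLE_PACKETS[:7]:
        print(p[:4], "stateless:", stateless_allows(p), "stateful:", stateful_allows(p, est))
    print("fan-out:", fixed_port_fanout(SAMPLE_PACKETS))
    print("SYNs from trusted ports:", len(suspicious_source_ports(SAMPLE_PACKETS)))
```

On the sample, the stateless rule admits all six scan probes because they carry source port 80, while the stateful rule rejects them and still admits the genuine SYN/ACK from 203.0.113.5:80, since that connection appears in the outbound set. The fan-out check then names 192.0.2.10:80 as the single source hitting six different ports.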

Conclusion

Firewalls can make the process more difficult, but if they aren't correctly configured, they can be circumvented. In this article we went through a number of tricks that can be used while conducting port scans, from TCP SYN scans through Null, FIN and Xmas scans to spoofing IP and MAC addresses.

In the next post, we will go through several more approaches.
