Firewall and IDS/IPS Evasion

Introduction

  • Nmap gives us several ways to get past firewall rules and IDS/IPS sensors.

  • These methods include packet fragmentation, decoy source addresses, spoofed source addresses and ports, and custom DNS resolvers, among others.

Firewalls

  • A firewall is a security measure against unauthorized connection attempts from external networks.

  • Every firewall is built around a software component that inspects the traffic passing through it and decides, packet by packet or connection by connection, how to handle it according to the rules that have been set.

IDS/IPS

  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are also software-based components.

  • An IDS inspects network traffic for potential attacks, analyzes them, and reports what it detects.

  • An IPS complements the IDS by taking defensive measures automatically when a potential attack is detected.

  • The analysis is based on pattern matching and signatures. If a known pattern is seen, such as the probes of a service detection scan, the IPS may block the pending connection attempts or the source address entirely.

Determine Firewalls and Their Rules

  • When a port is shown as filtered, there can be several reasons. In most cases a firewall rule is handling the connection attempt, and the rule can either drop or reject the packet.

  • Dropped packets are silently discarded, and no response of any kind is returned from the host.

  • Rejected packets are different: the firewall answers them, either with a TCP packet carrying the RST flag or with an ICMP error message. Nmap reports the ICMP error type it received, and this tells us how the rule is written.

  • Such ICMP errors can be:

    • Net Unreachable

    • Net Prohibited

    • Host Unreachable

    • Host Prohibited

    • Port Unreachable

    • Proto Unreachable

  • Nmap's TCP ACK scan (-sA) is much harder for firewalls and IDS/IPS to filter than a regular SYN scan (-sS) or Connect scan (-sT), because it sends a TCP packet with only the ACK flag set. A host that is not protected by a stateful filter must answer such a packet with an RST, whether the port is open or closed, so the ACK scan does not tell us whether a port is open, only whether it is reachable (unfiltered) or filtered.

  • Unlike outgoing connections, connection attempts (packets with the SYN flag) from external networks are usually blocked by firewalls. Packets with only the ACK flag, however, are often passed by a stateless packet filter, because without connection tracking the filter cannot determine whether the connection was originally established from the external or the internal network. A stateful firewall does track this and will drop an ACK that belongs to no known connection, so comparing the results of -sS and -sA for the same ports tells us which kind of filter we are facing.
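  • The comparison described above can be automated. The following script is an added example, not part of the original notes or of Nmap: it parses the port states from Nmap's grepable output (-oG) for a SYN scan and an ACK scan of the same ports and derives a verdict per port. The two output lines are constructed samples, not captured from a real host, and the verdict strings are our own.

```python
"""Pair an Nmap SYN scan (-sS) with an ACK scan (-sA) of the same ports and infer
what the firewall does with each port. Added example, not part of the notes or of
Nmap itself.

Port states as Nmap reports them:
  -sS : open | closed | filtered
  -sA : unfiltered | filtered
"""
import re

# Constructed sample lines in Nmap's grepable (-oG) format; not captured from a
# real host. Both scans target the same host and the same five ports.
SYN_SCAN_OG = (
    "Host: 10.129.2.28 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, "
    "80/open/tcp//http///, 443/closed/tcp//https///, 445/filtered/tcp//microsoft-ds///"
)
ACK_SCAN_OG = (
    "Host: 10.129.2.28 ()\tPorts: 22/unfiltered/tcp///, 25/filtered/tcp///, "
    "80/unfiltered/tcp///, 443/unfiltered/tcp///, 445/unfiltered/tcp///"
)

# -oG port entries look like: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable_ports(line):
    """Return {port: state} for the TCP entries in the 'Ports:' field of one -oG host line."""
    m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
    if not m:
        return {}
    return {int(port): state for port, state, proto in PORT_RE.findall(m.group(1)) if proto == "tcp"}


def classify(syn_state, ack_state):
    """Combine the SYN and ACK result for one port into a verdict about the filter."""
    if ack_state == "filtered":
        # Even a bare ACK gets no RST: connection tracking, or the port is dropped outright.
        return "blocked (stateful firewall or drop-all rule)"
    if syn_state == "filtered":
        # SYN dropped but ACK answered with RST: a stateless rule blocks new inbound connections.
        return "stateless firewall drops inbound SYN"
    if syn_state == "open":
        return "reachable, service listening"
    return "reachable, no listener"


def firewall_report(syn_line, ack_line):
    """Verdict per port; a port missing from one scan is treated as filtered there."""
    syn = parse_grepable_ports(syn_line)
    ack = parse_grepable_ports(ack_line)
    return {
        port: classify(syn.get(port, "filtered"), ack.get(port, "filtered"))
        for port in sorted(set(syn) | set(ack))
    }


if __name__ == "__main__":
    for port, verdict in firewall_report(SYN_SCAN_OG, ACK_SCAN_OG).items():
        print(f"{port:>5}/tcp  {verdict}")
```

  • In practice the two lines come from `nmap -sS -oG syn.gnmap` and `nmap -sA -oG ack.gnmap` against the same port list; 445/tcp in the sample is the interesting case, since the SYN is dropped while the ACK is answered, which is exactly the stateless-filter signature described above.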

Detecting IDS/IPS

  • Unlike firewalls, whose rules reveal themselves in the scan results, IDS/IPS systems are much harder to detect: an IDS only watches the traffic passively, and an IPS, although it sits inline, does not announce itself either.

  • IDS systems examine the connections between hosts. If the IDS sees packets that match the defined contents or signatures, the administrator is notified and, in the worst case for us, takes action.

  • IPS systems take the measures configured by the administrator on their own, to prevent potential attacks automatically.

  • It is essential to know that IDS and IPS are different applications and that the IPS serves as a complement to the IDS.

  • During a penetration test, several virtual private servers (VPS) with different IP addresses are recommended for determining whether such systems are present on the target network.

  • If the administrator detects a potential attack on the target network, the first step is usually to block the IP address the attack comes from. From then on we can no longer reach the network from that address.

  • One method of determining whether an IPS is present is therefore to scan from a single host (VPS). If at some point this host is blocked and loses access to the target network, we know that a security measure has been triggered, either automatically or by the administrator. We can then continue the penetration test from another VPS, but we also know that we need to be quieter with our scans and, ideally, disguise all interactions with the target network and its services.

Decoys

  • There are cases in which administrators block entire subnets from certain regions on principle, which prevents any access to the target network from those ranges. Another case is an IPS that has already blocked our address. In both situations the decoy scanning method (-D) is the right choice.

  • With this method, Nmap writes various random IP addresses into the source address field of the IP header, so that the same probe appears to come from several hosts and the true origin is disguised.

  • With RND:<number> (for example RND:5) Nmap generates that many random decoy addresses; the number is separated from RND by a colon. Our real IP address is then placed at a random position among the generated decoys. Decoys can also be listed explicitly, separated by commas, with ME marking the position of our own address (for example -D 10.10.14.20,ME,10.10.14.21).

  • Example: sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

  • Spoofed packets are often filtered out by ISPs and routers (ingress and egress filtering) unless the spoofed address belongs to the same network range as the sender, so decoys from the local range are the ones most likely to reach the target.

  • We can also set the source IP address manually (-S) to test whether we get better results with a particular address. The replies then go to that address, not to us, so this only works if we can observe the traffic to it (for example from the same network segment, or when -S is an address on our own interface).

  • Example (-e specifies the interface the packets are sent through, which Nmap needs when the source address is not its own, and -O adds OS detection): sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
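  • To make concrete what "random IP addresses inserted into the IP header" means, the following script is an added example written for these notes; it is not Nmap's code. It builds the source list that -D RND:n produces (n random decoys with our own address at a random position) and then crafts one raw IPv4/TCP SYN per source, so the same probe is emitted from every address in the list, exactly as a decoy scan does. The packets are built and checked but never sent, and the addresses 10.10.14.5 and 10.129.2.28 are assumed values.

```python
"""Decoy scanning in miniature: the source list of -D RND:n, and a raw IPv4/TCP SYN
crafted for each source address in it. Added example, not Nmap's own code; packets
are built in memory only.
"""
import ipaddress
import random
import struct


def _is_usable(ip):
    """Skip addresses that could never be a plausible remote host (Nmap does similar)."""
    a = ipaddress.IPv4Address(ip)
    return not (a.is_private or a.is_loopback or a.is_multicast or a.is_reserved
                or a.is_link_local or a.is_unspecified)


def decoy_list(real_ip, n, rng=random):
    """n random decoys plus real_ip at a random index: 'RND:n' without an explicit ME."""
    decoys = []
    while len(decoys) < n:
        cand = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if _is_usable(cand) and cand != real_ip:
            decoys.append(cand)
    decoys.insert(rng.randrange(n + 1), real_ip)
    return decoys


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and TCP both use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_syn(src, dst, sport, dport, seq=0):
    """20-byte TCP header with only SYN set; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def ipv4_packet(src, dst, payload, ident=0):
    """IPv4 header without options; the (possibly spoofed) source goes into bytes 12-15."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def decoy_probe_set(real_ip, target, dport, n, rng=random):
    """One SYN to target:dport from each source in the decoy list, in list order."""
    probes = []
    for src in decoy_list(real_ip, n, rng):
        segment = tcp_syn(src, target, 40000, dport)
        probes.append((src, ipv4_packet(src, target, segment, ident=rng.getrandbits(16))))
    return probes


def ip_src(packet):
    """Source address as written in the IPv4 header."""
    return str(ipaddress.IPv4Address(packet[12:16]))


def ip_checksum_ok(packet):
    """A correct header sums to zero when the checksum field is included."""
    return checksum(packet[:20]) == 0


if __name__ == "__main__":
    # Assumed addresses: 10.10.14.5 is us, 10.129.2.28 is the target.
    for src, pkt in decoy_probe_set("10.10.14.5", "10.129.2.28", 80, 5, random.Random(1)):
        print(f"{src:>15} -> 10.129.2.28:80  {len(pkt)} bytes, IP checksum ok={ip_checksum_ok(pkt)}")
```

  • The target answers every one of these sources, but only the reply to our real address reaches us; the point is that the IDS log shows six scanners instead of one. Sending the packets would need a raw socket (CAP_NET_RAW), and the ISP filtering noted above decides whether the spoofed ones ever leave the network.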

DNS Proxying

  • By default, Nmap performs a reverse DNS lookup on responding hosts unless told otherwise (-n), since hostnames often reveal additional information about the target.

  • These DNS queries are passed through in most cases, because the company's web servers are supposed to be found and visited, and that requires DNS to work.

  • DNS queries are made over UDP port 53. TCP port 53 was traditionally used only for so-called zone transfers between DNS servers and for answers larger than 512 bytes. This is changing with IPv6 and DNSSEC, whose larger responses cause more and more DNS traffic to go over TCP port 53.

  • Nmap lets us choose the DNS servers ourselves (--dns-servers <server1>[,<server2>,...]). This can be fundamental if we are positioned in a demilitarized zone (DMZ).

  • The company's own DNS servers are usually trusted more than those on the Internet, so we could, for example, resolve names through them and use that to interact with hosts on the internal network.

  • Another trick is to use TCP port 53 as the source port (--source-port, alias -g) of our scans. If the firewall has a stateless rule that lets traffic with source port 53 in (to allow DNS answers through) and the IDS/IPS does not inspect it properly, our TCP packets will be trusted and passed. A stateful firewall that only admits replies to connections opened from the inside is not fooled by this.

  • Example (-n disables DNS resolution): sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
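  • The difference between the weak rule and the correct one is easiest to see in a small simulation. The following is an added example written for these notes, not iptables or Nmap code: a toy packet filter whose rule syntax is invented for the illustration, evaluated against our source-port-53 probe and against a genuine DNS reply, once with a stateless "trust anything from port 53" rule and once with a rule that only admits replies to flows the inside host opened. All addresses and ports are assumed values.

```python
"""Why --source-port 53 works against a stateless 'trust DNS' rule and not against
connection tracking. Added example with an invented rule syntax; not iptables, not
Nmap.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S" for a bare SYN, "" for a UDP datagram


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    sport: Optional[int] = None    # None means "any"
    dport: Optional[int] = None
    established_only: bool = False # only match packets belonging to a tracked flow

    def matches(self, pkt, established):
        return ((self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport)
                and (not self.established_only or established))


@dataclass
class Filter:
    rules: list
    # Flows opened from the inside: (inside addr, inside port, outside addr, outside port)
    conntrack: set = field(default_factory=set)

    def decide(self, pkt):
        """First matching rule wins; default deny."""
        established = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack
        for rule in self.rules:
            if rule.matches(pkt, established):
                return rule.action
        return "drop"


# Weak: "DNS answers come from port 53, so let source port 53 in." Stateless.
WEAK = Filter([Rule("accept", sport=53), Rule("drop")])

# Hardened: source port 53 is admitted only as a reply to a flow the inside opened.
HARDENED = Filter([Rule("accept", sport=53, established_only=True), Rule("drop")])

# Constructed traffic (assumed addresses): our scan probe, and a real DNS reply to a
# query the inside host 10.129.2.28 sent from port 41234 to 8.8.8.8:53.
SCAN_PROBE = Packet("10.10.14.5", 53, "10.129.2.28", 50000, "S")
DNS_REPLY = Packet("8.8.8.8", 53, "10.129.2.28", 41234, "")
HARDENED.conntrack.add(("10.129.2.28", 41234, "8.8.8.8", 53))


def verdicts(pkt):
    """Decision of both filters for one packet."""
    return {"weak": WEAK.decide(pkt), "hardened": HARDENED.decide(pkt)}


if __name__ == "__main__":
    for name, pkt in (("scan probe (sport 53 -> 50000)", SCAN_PROBE), ("legitimate DNS reply", DNS_REPLY)):
        print(f"{name:32} {verdicts(pkt)}")
```

  • The probe from the Nmap example above is accepted by the weak filter and dropped by the hardened one, while the real DNS reply passes both; only the stateful rule distinguishes "came from port 53" from "is the answer to something we asked".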
