Premise
In this post, we went over fingerprinting and discovering firewalls and intrusion detection systems. We used fragscapy to send fragmented packets to evade firewalls and intrusion detection systems. We also examined the traffic with Wireshark on Security Onion.
Skills Learned
- Python
- Fragscapy
- Firewall Evasion
- Wireshark
- Security Onion
About Fragscapy
This project is a command-line tool that can be used to generate ‘fragroute-like’ tests using Scapy.
Fragroute’s goal was to intercept network packets and modify them “on-the-fly” according to the configuration defined in a config file. So automating tests of different modifications requires killing Fragroute, writing a new config file and restarting Fragroute over and over.
Setting the Stage
To start, I’ll set up a typical black box testing scenario. I’ll be using a Kali Linux machine as my attacking box and a Security Onion machine with UFW (Uncomplicated Firewall) enabled as our target. This will allow us to see how our evasion techniques work in a realistic environment.
I’ll also introduce you to a handy tool called wafw00f, which is designed to detect web application firewalls (WAFs). While I’ll encounter some connection issues with my test IP, it’s a great tool to have in your arsenal.
Introducing fragscapy
The main focus of this video is fragscapy, a powerful command-line tool that allows us to fragment packets. This is an upgraded version of the classic fragroute tool. I’ll show you how to download fragscapy from GitHub and, most importantly, how to configure it for our specific needs.
I’ll walk you through the process of modifying the fragscapy configuration files. We’ll be editing the ipv4_frag file to specify which commands’ packets we want to fragment. For example, we can configure it to fragment ping requests or even nmap scans.
Putting it all Together
With fragscapy configured, I’ll show you how to put it into action. I’ll start by launching Wireshark on our Security Onion machine to monitor the network traffic. Then, I’ll fire up fragscapy and initiate a ping request from our Kali machine. You’ll see in Wireshark that the ping requests are now fragmented, successfully bypassing the firewall. 🛡️
Next, I’ll take it a step further and attempt to fragment an Nmap scan. While I’ll run into a few hurdles with the configuration, I’ll show you how to get it working by running fragscapy and Nmap in separate terminals. You’ll see the fragmented Nmap packets in Wireshark, proving that our evasion techniques are working.
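To make the defender's side of what you see in Wireshark concrete, here is an added example (my own code, not from the video or the fragscapy project) that does what a firewall or IDS on the Security Onion box must do with those fragmented ping and Nmap packets: group IPv4 fragments per datagram, reassemble them, and flag the patterns that let fragmentation slip past a filter, such as a first fragment too small to hold the full transport header. The fragment builder only produces constructed test input, and the MIN_FIRST_FRAG thresholds are an assumption of this example.

```python
import struct
from collections import defaultdict

# Assumed thresholds: bytes the first fragment must carry so the transport header
# can be inspected. ICMP (1) and UDP (17) headers are 8 bytes, TCP (6) is 20 bytes.
MIN_FIRST_FRAG = {1: 8, 6: 20, 17: 8}

def parse_ipv4(pkt):
    """Return the IPv4 fields needed to classify a fragment (no IP options assumed)."""
    ver_ihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:total]}

def fragment(src, dst, ident, proto, payload, size):
    """Constructed test input: split one datagram into IPv4 fragments of `size` bytes (size % 8 == 0)."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        mf = 0x2000 if off + size < len(payload) else 0   # More Fragments flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          mf | off // 8, 64, proto, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def inspect(packets):
    """Group fragments per datagram, reassemble in offset order, and report evasion patterns."""
    groups = defaultdict(list)
    for p in packets:
        h = parse_ipv4(p)
        if h["mf"] or h["offset"]:          # unfragmented packets need no reassembly
            groups[h["key"]].append(h)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda h: h["offset"])
        alerts, data, expect = [], b"", 0
        for h in frags:
            if h["offset"] != expect:       # overlapping or missing fragment
                alerts.append("overlap_or_gap")
                break
            data += h["payload"]
            expect += len(h["payload"])
        if frags[0]["offset"] == 0 and len(frags[0]["payload"]) < MIN_FIRST_FRAG.get(key[3], 8):
            alerts.append("tiny_first_fragment")   # ports/flags hidden in a later fragment
        if frags[-1]["mf"]:
            alerts.append("incomplete")            # last fragment never arrived
        report[key] = {"fragments": len(frags), "alerts": alerts, "data": data}
    return report
```

A fragmented ping with 8-byte fragments reassembles cleanly, while a TCP probe cut into 8-byte fragments trips the tiny-first-fragment check, which is exactly why a filter that only looks at the first fragment can be bypassed.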
Technical Commands
Here are all the technical commands that I used in the video:
wafw00f
sudo wireshark
fragscapy start
sudo fragscapy start
which ping
locate which nmap
sudo nmap -sV 192.168.94.36