Premise

In this post, we went over fingerprinting and discovering firewalls and intrusion detection systems. We used Fragscapy to send fragmented packets to evade firewalls and intrusion detection systems, and we examined the resulting traffic with Wireshark on Security Onion.

Skills Learned

  • Python
  • Fragscapy
  • Firewall Evasion
  • Wireshark
  • Security onion

About Fragscapy

This project is a command-line tool that can be used to generate ‘fragroute-like’ tests using Scapy.
Fragroute's goal was to intercept network packets and modify them “on-the-fly” according to the configuration defined in a config file. So automating tests of different modifications requires killing Fragroute, writing a new config file and restarting Fragroute over and over.

Source: https://github.com/AMOSSYS/Fragscapy

Setting the Stage

To start, I’ll set up a typical black box testing scenario. I’ll be using a Kali Linux machine as the attacking box and a Security Onion machine with UFW (Uncomplicated Firewall) enabled as the target. This will allow us to see how our evasion techniques work in a realistic environment.

I’ll also introduce you to a handy tool called wafw00f, which is designed to detect web application firewalls (WAFs). While I’ll encounter some connection issues with my test IP, it’s a great tool to have in your arsenal.

Introducing fragscapy

The main focus of this video is fragscapy, a powerful command-line tool that allows us to fragment packets. This is an upgraded version of the classic fragroute tool. I’ll show you how to download fragscapy from GitHub and, most importantly, how to configure it for our specific needs.

I’ll walk you through the process of modifying the fragscapy configuration files. We’ll be editing the ipv4_frag file to specify which commands’ packets we want to fragment. For example, we can configure it to fragment ping requests or even nmap scans.
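To make concrete what fragmenting a packet actually does on the wire, and what the firewall or IDS on the Security Onion side has to do before it can inspect the payload, here is an added example written for this post; it is not Fragscapy's code and does not use Fragscapy's config syntax. It is plain Python with constructed data: a minimal IPv4-style fragmenter (offsets in 8-byte units, MF flag) and the reassembly step a defender-side inspector needs, which refuses gaps and overlapping fragments rather than guessing.

```python
# Added example, not from the post or from Fragscapy. Constructed data only.
MF_FLAG = 0x2000          # "more fragments" bit in the IPv4 flags/offset word
OFFSET_MASK = 0x1FFF      # fragment offset, counted in 8-byte units


def fragment_ipv4(payload: bytes, frag_size: int, ident: int = 0x1234):
    """Split payload into (identification, flags_offset, chunk) fragments.
    frag_size must be a multiple of 8 because the offset field counts 8-byte units."""
    if frag_size <= 0 or frag_size % 8 != 0:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_off = (MF_FLAG if more else 0) | (off // 8)
        frags.append((ident, flags_off, chunk))
    return frags


def reassemble_ipv4(frags):
    """Rebuild payloads per identification value, in any arrival order.
    A payload is returned only when the last fragment (MF=0) has been seen and
    the fragments form one contiguous run: gaps and overlaps are rejected."""
    by_id = {}
    for ident, flags_off, chunk in frags:
        buf, total = by_id.get(ident, ({}, None))
        offset = (flags_off & OFFSET_MASK) * 8
        buf[offset] = chunk
        if not flags_off & MF_FLAG:
            total = offset + len(chunk)
        by_id[ident] = (buf, total)
    results = {}
    for ident, (buf, total) in by_id.items():
        if total is None:           # last fragment not seen yet
            continue
        data, pos = bytearray(), 0
        for offset in sorted(buf):
            if offset != pos:       # gap or overlap: do not guess
                break
            data += buf[offset]
            pos += len(buf[offset])
        else:
            if pos == total:
                results[ident] = bytes(data)
    return results


def demo():
    """Fragment a constructed ICMP-echo-like payload, deliver it out of order,
    and check that reassembly still recovers the original bytes."""
    payload = b"constructed ICMP echo request body for a fragmentation test"
    frags = fragment_ipv4(payload, 16)
    return len(frags), reassemble_ipv4(frags[::-1]).get(0x1234) == payload
```

Dropping one fragment from the list before calling `reassemble_ipv4` shows the failure mode an IDS must tolerate: the payload is simply never returned, so nothing gets inspected.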

Putting it all Together

With fragscapy configured, I’ll show you how to put it into action. I’ll start by launching Wireshark on our Security Onion machine to monitor the network traffic. Then, I’ll fire up fragscapy and initiate a ping request from our Kali machine. You’ll see in Wireshark that the ping requests are now fragmented, successfully bypassing the firewall. 🛡️

Next, I’ll take it a step further and attempt to fragment an Nmap scan. While I’ll run into a few hurdles with the configuration, I’ll show you how to get it working by running fragscapy and Nmap in separate terminals. You’ll see the fragmented Nmap packets in Wireshark, proving that our evasion techniques are working.

Technical Commands

Here are all the technical commands that I used in the video:

  • wafw00f
  • sudo wireshark
  • fragscapy start
  • sudo fragscapy start
  • which ping
  • locate which nmap
  • sudo nmap -sV 192.168.94.36

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.