We covered the firewall evasion tactics that are needed when conducting a red team engagement. Firewall evasion tactics encompass using the Nmap scanner to send modified packets, in addition to using networking tools such as Ncat and SSH to perform port forwarding or tunneling.

Video Highlights

A firewall is a piece of hardware or software that watches network traffic and compares it to a set of rules before allowing or denying it. A guard or gatekeeper at the entrance to an event is a straightforward analogy: the gatekeeper checks an individual's ID against a list of regulations before permitting them to enter (or exit).

Firewall types based on packet filtering

Packet filtering firewalls, also called stateless firewalls, inspect each data packet as it travels through a network. They decide whether to block a specific packet based solely on the configured rules, without remembering earlier packets.
Application-layer firewalls can be a physical appliance with its own hardware, or software installed on another machine, like a plug-in or a filter. These firewalls target applications and monitor their behavior. For example, if placed in front of a web server, they can inspect HTTP requests and block abnormal floods of traffic that indicate a DoS attack.
Circuit-level firewalls check whether TCP and UDP connections across a network are valid before data is exchanged. For example, this type of firewall might first check whether the source and destination addresses, the user, the time, and the date meet certain defined rules. When these checks pass, a session starts and data is exchanged between the parties without further investigation.
Proxy server firewalls, also referred to here as web application firewalls, control the information that goes in and out of a network. This means the server can monitor, filter, and cache data requests to and from a network. Firewall proxy servers provide safe and secure internet access to all devices on a network. As depicted in the image below, there can be no communication between the client machine and the internet without the proxy server.
Stateful firewalls inspect connections on a network. As traffic hits the firewall, it monitors all packets that go through it and stores a combination of information about the packets in a state table. The state table tracks sessions by recording port numbers as sessions start from inside the network and are transmitted outside of the network. Gathering this information helps the firewall recognize what legitimate traffic with the correct port numbers should look like upon its return, thus allowing legitimate replies back into the network while dropping unsolicited inbound packets.
Next-generation firewalls perform many of the same functions as stateful firewalls, combined with functions from other types of firewalls, such as packet filtering and VPN support. This type of firewall also investigates packets more thoroughly than a stateful firewall. For example, a next-generation firewall can examine the payload of each packet and inspect it for suspicious characteristics and malware. Examples include the Juniper SRX series and Cisco Firepower.
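To make the stateless versus stateful distinction above concrete, here is an added simulation (not code from the post or from TryHackMe) of a minimal inbound filter. The rule set, addresses and ports are constructed: telnet (TCP 23) is denied, HTTPS (TCP 443) is permitted, and everything else inbound is denied unless it is the reply to a session that the stateful variant recorded in its state table.

```python
"""Stateless vs stateful packet filtering: constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Rules for traffic entering from the untrusted side: (proto, dst_port) -> verdict.
# Constructed rule set; anything not listed is denied (default deny).
INBOUND_RULES = {
    ("tcp", 23): "deny",     # block telnet
    ("tcp", 443): "permit",  # allow HTTPS
}


def stateless_inbound(pkt: Packet) -> str:
    """Stateless filter: every inbound packet is judged on its header alone."""
    return INBOUND_RULES.get((pkt.proto, pkt.dst_port), "deny")


class StatefulFirewall:
    """Keeps a state table of sessions opened from the inside."""

    def __init__(self) -> None:
        self.state: set = set()

    def outbound(self, pkt: Packet) -> str:
        # Record the 5-tuple so the reply can be matched when it comes back.
        self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        # A reply has src/dst swapped relative to the recorded session.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "permit"          # legitimate reply to a tracked session
        return INBOUND_RULES.get((pkt.proto, pkt.dst_port), "deny")


def demo() -> dict:
    fw = StatefulFirewall()
    fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 80))   # inside host browses out
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 51000)          # the web server's answer
    return {
        "stateless_reply": stateless_inbound(reply),  # deny: port 51000 has no rule
        "stateful_reply": fw.inbound(reply),          # permit: matches the state table
        "telnet": fw.inbound(Packet("198.51.100.7", 40000, "10.0.0.5", 23)),
        "https": fw.inbound(Packet("198.51.100.7", 40001, "10.0.0.5", 443)),
        "unsolicited": fw.inbound(Packet("198.51.100.7", 40002, "10.0.0.5", 51000)),
    }
```

The last entry shows the point of the state table: a packet aimed at the same high port, but not belonging to a session the inside host opened, is still denied.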

Firewall Classifications

1. Hardware firewall: An appliance firewall is a separate piece of hardware that the network traffic has to go through. Examples include Cisco ASA (Adaptive Security Appliance), WatchGuard Firebox, and the Netgate pfSense Plus appliance.
2. Software firewall: This is a piece of software that comes bundled with the OS, or that you can install as an additional service. MS Windows has a built-in firewall, Windows Defender Firewall, that runs alongside the other OS services and user applications. Other examples are iptables and firewalld on Linux.

Firewall Evasion Techniques in a nutshell

  • Decoy scans using Nmap
  • Spoofed IP using Nmap
  • Using proxies with Nmap
  • Port tunneling and forwarding with SSH and Ncat
  • Packet fragmentation with Nmap

Looking to practise your firewall evasion skills? Check out the TryHackMe Firewalls room. Below you can find the answers as well.

If you want to block telnet, which TCP port number would you deny?

You want to allow HTTPS, which TCP port number do you need to permit?

What is an alternate TCP port number used for HTTP? It is described as “HTTP Alternate.”

You need to allow SNMP over SSH, snmpssh. Which port should be permitted?

What is the most basic type of firewall?

What is the most advanced type of firewall that you can have on company premises?

Using this simple technique, discover which of the following destination TCP port numbers are reachable from the protected system.

  • 21
  • 23
  • 25
  • 26
  • 27

We have a web server listening on the HTTP port, 80. The firewall is blocking traffic to port 80 from the untrusted network; however, we have discovered that traffic to TCP port 8008 is not blocked. We're continuing to use the web form from Task 6 to set up the ncat listener that forwards the packets it receives to the forwarded port. Using port tunneling, browse to the web server and retrieve the flag.

We're continuing to use the web form from Task 6 to set up the ncat listener. Knowing that the firewall does not block packets to destination port 8081, use ncat to listen for incoming connections and execute a Bash shell. Use the AttackBox to connect to the listening shell. What is the user name you are logged in with?

What is the number of the highest OSI layer that an NGFW can process?

Video Walkthrough | YouTube

Video Walkthrough | Rumble

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.