SCANNING BEYOND IDS AND FIREWALL

Greetings,

Scanning Beyond IDS and Firewall and Firewall Evasion concepts confused beginners a lot. It’s not about sending payload beyond IDS and Firewall.

Its about Evaluating the Security measures of the Perimeter devices such as Firewall and IDS ( Intrusion Detection System)

Our Job is not to Hack here. Its all about verifying things are in proper place or not.

So here we are to verify that by scanning beyond the Firewall and IDS. If we are successful in scanning the Target Machine ports with various techniques then IDS and Firewall needs to be taken care off.

We will see some of the Common techniques to evaluate the security of Firewall and IDS.

We can use NMAP, a tool from kali linux for scanning the target network.

Decoy Scanning:

It’s a type of scan where we use multiple decoys(Duplicate IPs) to fool the firewall, that it will get confused from which machine it is receiving the Packets.

COMMAND : nmap -D RND:10 <Target IP>
nmap -D IP1,IP2,IP3,IP4,IP5,IP6 <space> <Target IP>

IDLE SCANNING OR ZOMBIE SCANNING:

Idle Scanning is a technique where attacker can make use of another Device also along with it while scanning. The Target machine will get confused that it is receving the packets from the Zombie Machine.

Command : nmap -Pn <Target IP>
nmap -sI <zombie Machine> <Target IP> ———–> -sI( That is i)

Out of the above 2 commands, 2nd one is an outdated one. In recent days -Pn argument only works.

BADCHECK SUM PACKETS:

Including badcheck sum packets in between helps the attacker to bypass the Firewall and IDS. Badcheck sum is nothing but just corrupted packets in the middle.

command : nmap –badsum <Target IP>

SOURCE ROUTING:

Source routing is a technique to instruct the packet to take a direction in such it can bypass the Firewall Inspection. We have two methods of Source routing
Strict Source Routing
Loose Source Routing
When you the target network topology, you can instruct the packet stream to go in a series of nodes. You can Choose Loose source (L) routing when you are sure about your Network Topology where you can’t see any firewall in the middle before it reaches the victim machine.
Strict Source(S) routing you can use by mentioning all the nodes in the path one after another, so it will reach the target IP address.

Command: nmap –ip-options -L “IP1, IP2, IP3” <space> Target IP
nmap –ip-options -S “IP1, IP2, IP3 <space> Target IP

UNICODE EVASION :

If you make your Payloads in Unicode encoded Format, that may help you to bypass firewall and IDS.

e–>%u00e9(UTF-16)
/ –>%e2%89%a0(UTF-8).

The above mentioned samples are utf encoded characters. If your IDS or Firewall only verifies and checks for the ASCII Strings it needs to be properly configured. You can use these to bypass Web Application Firewall too (WAF)

SESSION SPLICING:

Splits the attack traffic to many so not even a single packet triggers IDS. If aware of delay in packet reassembly at the IDS, so we can add delays between packets transmission to bypass the reassembly.
Many IDS stop reassembly if they do not receive packets within certain time.
IDS will stop working if the target host keeps the session active for a longer time than IDS reassembly time.

You can add time delay between the packets using Packet Crafting tools such as Colasoft Packet builder and Scapy while you are making packets.

The above picture shows that this is also a tool to do alter the delay between the packets.

SUMMARY:

Bypassing or Evasion of IDS and Firewall Devices are not only for Bypassing and Sending up of Payload. Its all about evaluation of Security Measures in Place.

We have discussed various Techniques we can follow for Firewall and IDS Evasion Techniques theoretically. We will discuss all the techniques in Practical Method in the Next Blog.

Stay Tuned to learn More.

AUTHOR:

Sam Nivethan V J
Security Analyst & InfoSec Trainer