One of the easiest and most common ways for an attacker to slip by a firewall is by installing network software on an internal system, which communicates by using a port address permitted by the firewall’s configuration
- A popular port is TCP port 80, which is normally used by web server
- Many firewalls permit traffic using port 80 by default
Byepassing a firewall using HTTP Tunnel
Httptunnel creates a bi-directional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy, if desired.
Placing Backdoors through Firewall
The Reverse WWW Shell
This backdoor should work through any firewall that allows users to surf the WWW. A program is run on the internal host, which produces a child everyday at a special time.
- For the firewall, this child acts like a user; using the browser client to surf the Internet. In reality, this child executes a local shell, and connects to the WWW server operated by the hacker via a legitimate-looking http request, and sends a stand-by signal
- The legitimate-looking answer of the WWW server operated by the hacker is, in reality, the command the child will execute on its machine in the local shell.
Hiding behind a Covert channel : Loki
LOKI is an information tunneling program.
LOKI uses Internet Control Message Protocol (ICMP) echo response packets to carry its payload. ICMP echo response packets are normally received by the Ping program, and many firewalls permit the responses to pass
Simple shell commands are used to tunnel inside ICMP_ECHO/ICMP_ECHOREPLY and DNS name lookup query/reply traffic. To the network protocol analyzer, this traffic seems like ordinary packets of the corresponding protocol. However, to the correct listener ( the LOKI2 daemon), the packets are recognized for what they really are.
Tools to Bye Pass Firewall
007 Shell is a covert shell ICMP tunneling program. It works similar to LOKI. 007 Shell works by putting data streams in the ICMP message past the usual 4-bytes (8-bit type, 8-bit code, and 16-bit checksum)
ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting a remote host to an open shell, using only ICMP for input and output The ISH server runs as a daemon on the server side. When the
server receives a request from the client, it will strip the header and look at the ID field. If it matches the server’s ID, then it will pipe the data to “/bin/sh.” It will then read the results from the pipe and send them back to
the client, where the client then prints the data to stdout.
A free circumvent software available online, perhaps powerful enough to bypass any industry level firewall at its default configuration.It enables users to browse any website freely just the same as using the regular browser while it automatically searches the highest speed proxy servers in the background.
AckCmd is a client/server combination for Windows 2000 that opens a remote command prompt to another system (running the server part of AckCmd). It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through the firewall.
Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can hide information about users’ locations. Tor provides perfect anonymity it makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms.
Hope you enjoy above sessions. Keep visiting 🙂