<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hackers Enigma &#187; Hackers Enigma</title>
	<atom:link href="http://www.hackersenigma.com/tag/bypassing-firewalls/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hackersenigma.com</link>
	<description>An Ethical Hacking Blog - Network Security, Penetration testing, Vulnerabilities &#38; Mobile Hacks</description>
	<lastBuildDate>Tue, 10 Jan 2012 17:12:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Firewall Responses Detection &amp; Breaking The Firewalls</title>
		<link>http://www.hackersenigma.com/he-exclusive/firewall-responses-detection-breaking-the-firewalls/</link>
		<comments>http://www.hackersenigma.com/he-exclusive/firewall-responses-detection-breaking-the-firewalls/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 08:52:44 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Exclusive]]></category>
		<category><![CDATA[Firewalls Breaking]]></category>
		<category><![CDATA[Student Series]]></category>
		<category><![CDATA[bypassing firewalls]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[firewalls cracking]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=205</guid>
		<description><![CDATA[The behavior of packets and their responses, explained in the last post, has been noted by a number of firewall vendors. By understanding such enumerations, they have modified their security systems for high anonymity by spoofing the source address of the RST/ACK packet to be that of the target host. As such, the response received by an [...]]]></description>
			<content:encoded><![CDATA[<p>The behavior of packets and their <strong>responses</strong>, explained in the last post, has been noted by a number of firewall vendors. By understanding such <strong>enumerations</strong>, they have modified their security systems for high anonymity by spoofing the source address of the <strong>RST/ACK packet</strong> to be that of the target host. As such, the response received by an inquisitive attacker is supposed to be a <strong>RST/ACK</strong> from the target, rather than the gateway.</p>
<p>This response is, of course, not to be trusted, as it implies that the <strong>packet</strong> has reached the target before being rejected, which we may already have assumed. In reality there is a <strong>gateway</strong> that is filtering the traffic.</p>
<p>Breaking any firewall needs vast knowledge of how firewalls work. But beyond that, we can also learn how firewall vendors provide stealth to their systems.<br />
<a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/firewall.png"><img class="size-full wp-image-206" title="firewall" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/firewall.png" alt="Firewalls Break in " width="412" height="527" /></a></p>
<p>Generally, in modified firewall and <strong>Intrusion Detection System (IDS)</strong> environments, rather than explicitly denying traffic that violates policy, the devices will simply drop the packet without any comment. As the scanner never receives a positive or negative response, there is no way of telling whether the packet did not reach the target because of network problems, whether the target no longer exists, or whether the packet was intentionally dropped en route.</p>
<p>And this is where firewalls succeed: they hide from the intruder how network ports are responding, and the chances of further attack are reduced. The resulting ambiguity and timeouts will slow down the scanning process, and prevent many tools from revealing information of any kind.</p>
<p>But this does not mean that such a <strong>firewall</strong> is unbreakable; experienced ones always have something strong in their hands, named Experience.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/he-exclusive/firewall-responses-detection-breaking-the-firewalls/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Firewalk Attack: Beyond The Boundaries of Security.</title>
		<link>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/</link>
		<comments>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/#comments</comments>
		<pubDate>Sat, 21 Mar 2009 13:25:26 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Amol Wagh]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[Ethical hacking]]></category>
		<category><![CDATA[Exclusive]]></category>
		<category><![CDATA[Student Series]]></category>
		<category><![CDATA[attack types]]></category>
		<category><![CDATA[bypassing firewalls]]></category>
		<category><![CDATA[Firealk]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[security gateways]]></category>
		<category><![CDATA[TCP IP]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=180</guid>
		<description><![CDATA[Firewalk, which was developed by two masterminds, Mike Schiffman and Dave Goldsmith, furthers the techniques used both by static port traceroutes and hping. It can be successfully implemented to scan a host downstream from a security gateway to assess what rules relate to the target system, without any packets having to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Firewalk</strong>, which was developed by two masterminds, Mike Schiffman and Dave Goldsmith, furthers the techniques used both by static port <strong>traceroutes</strong> and <strong>hping</strong>.</p>
<p>It can be successfully implemented to scan a host downstream from a security gateway to assess what rules relate to the target system, without any packets having to reach it.</p>
<p>Firewalk utilizes the <strong>TTL functions</strong> to carry out the whole attack. This was difficult for any firewall to analyze, and so it was called beyond the boundaries of security.</p>
<p><a href="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/code2.jpg"><img class="aligncenter size-medium wp-image-181" title="Firewalk" src="http://www.hackersenigma.com/wp-content/uploads/images/2009/03/code2-232x300.jpg" alt="Firewalk" width="232" height="300" /></a></p>
<p>Some facts that should hold true for any kind of <strong>firewall response</strong> are:</p>
<p>If the packet is passed by the firewall, a TTL expired message should be received.</p>
<p><strong>If the packet is blocked by the firewall, this could be caused by either of the following:</strong><br />
An <strong>ICMP</strong> administratively prohibited response is received, or the packet is dropped without comment. Again, uncertainty is introduced through packets lost in transit. Some <strong>security gateways</strong> will detect that the packet is due to expire and send the expired message whether the policy would have allowed the packet or not.</p>
<p>Firewalls and <strong>intruders</strong> are always big rivals, as firewalls are updated in response to the technologies implemented by intruders, which sometimes makes things harder for firewall vendors and sometimes for <strong>hackers</strong>.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/ethical-hacking/firewalk-attack-beyond-the-boundaries-of-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reverse Connection for Bypassing The Firewall</title>
		<link>http://www.hackersenigma.com/ethical-hacking/reverse-connection-for-bypassing-the-firewall/</link>
		<comments>http://www.hackersenigma.com/ethical-hacking/reverse-connection-for-bypassing-the-firewall/#comments</comments>
		<pubDate>Wed, 03 Dec 2008 12:27:56 +0000</pubDate>
		<dc:creator>Amol Wagh</dc:creator>
				<category><![CDATA[Ethical hacking]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[bypassing firewalls]]></category>
		<category><![CDATA[fierawall cracking]]></category>

		<guid isPermaLink="false">http://www.hackersenigma.com/?p=114</guid>
		<description><![CDATA[If you use a reverse connection you can also bypass hardware firewalls. A reverse connection is nothing more than the target server connecting to the client instead of the client connecting to the target server: Client:20 &#60;&#8212;&#8212;- Target Server:30 Target Server:30 &#8212;&#8212;&#8211;&#62; Client:20 A bi-directional connection between 2 sides has been established. Normally Hardware firewalls only [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal" style="text-align: justify;">If you use a reverse connection you can also bypass hardware firewalls. A reverse connection is nothing more than the target server connecting to the client instead of the client connecting to the target server:</p>
<p class="MsoNormal" style="text-align: justify;">Client:20 &lt;&#8212;&#8212;- Target Server:30</p>
<p class="MsoNormal" style="text-align: justify;">Target Server:30 &#8212;&#8212;&#8211;&gt; Client:20</p>
<p class="MsoNormal" style="text-align: justify;">A bi-directional connection between the 2 sides has been established. Normally hardware firewalls only filter/block the outbound traffic, meaning that if a computer outside a LAN tries to connect to a computer inside a LAN that is behind a router/hardware firewall, it will run into errors like &#8220;couldn't connect to the remote computer&#8221; and so on.</p>
<p class="MsoNormal" style="text-align: justify;">Note that this method will only work if the IP address of the computer behind the router is not restricted from accessing the internet. If only some ports are blocked in the firewall rules, then this method is better than IP spoofing, since it doesn't change anything and just creates a &#8216;tunnel&#8217;. It is also useful when the firewall restriction is based on a specific website, or on a keyword for a service or website, or when you don't have access to the firewall configuration and want someone outside the LAN to access a service on the computer inside the LAN. There are tools that create a tunnel between the target server and the client: the TCP/UDP port redirectors. A nice GUI (graphical user interface) tool is &#8220;WinIPRelay&#8221;. Get it at http://voodootechs.com and open it.</p>
<p class="MsoNormal" style="text-align: justify;">Click the button &#8220;ADD RELAY&#8221;</p>
<p class="MsoNormal" style="text-align: justify;">In the field &#8220;Local Port&#8221; type the port of the local computer you want to use in the connection. Make sure it is not blocked or alredy being used. In the field &#8220;Remote Host&#8221; type the IP address or if it is a website type the URL</p>
<p class="MsoNormal" style="text-align: justify;">In the field &#8220;Remote Port&#8221; type the port of the remote computer that will be connecting to you. eg: if it´s a website then the port will usually be 80. if it is a service like Telnet the port is 23. If the remote computer wants to access a service on your computer (the one behind a LAN) then the remote port must be previously setup there, on the remote computer and then you type it in this field. In the field &#8220;Connection Timeout&#8221; type a numerical value to set the time in seconds that the connection will keep established.</p>
<p class="MsoNormal" style="text-align: justify;">Click OK.</p>
<p class="MsoNormal" style="text-align: justify;">Supposing the service you want to access is a website, e.g. www.msn.com, and the local port you chose is 40, then you just open up your internet browser and type: 127.0.0.1:40 and the msn.com webpage will be displayed. Note that port 40 must not be blocked.</p>
<p class="MsoNormal" style="text-align: justify;">Now suppose you want your friend to access your telnet server on port 23. If he tries a direct connection he won't be able to connect, so he must open a port on his/her computer and start to listen for connections. Suppose the chosen port is 55 and his IP address is 33.33.33.33: open &#8220;WinIPRelay&#8221; and set the local port to 23, remote host to 33.33.33.33, remote port to 55 and connection timeout to 999. If he opens his command prompt and types: telnet 127.0.0.1 55 he will reverse connect to your telnet server.</p>
<p class="MsoNormal" style="text-align: justify;">HTTP Tunnel &#8211;&gt; bi-directional/reverse connection between 2 hosts using port 80 on the computer behind the LAN and using only HTTP requests when establishing the connections.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.hackersenigma.com/ethical-hacking/reverse-connection-for-bypassing-the-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

