1
00:00:00,840 --> 00:00:03,630
-: Let us talk about different options we can use

2
00:00:03,630 --> 00:00:06,600
in our scans to bypass firewall.

3
00:00:06,600 --> 00:00:09,360
Firewall is something unpredictable.

4
00:00:09,360 --> 00:00:10,920
You don't really know its rules

5
00:00:10,920 --> 00:00:12,554
in order to know exactly what type

6
00:00:12,554 --> 00:00:16,170
of scan you need to perform in order to bypass it.

7
00:00:16,170 --> 00:00:19,050
Some of the firewalls could use MAC address filtering

8
00:00:19,050 --> 00:00:21,750
in order to allow certain devices to connect

9
00:00:21,750 --> 00:00:26,100
to a specific port or in order to block certain devices.

10
00:00:26,100 --> 00:00:29,100
Some firewalls could block different types of packets.

11
00:00:29,100 --> 00:00:32,070
Some firewalls could block only some ports and not all

12
00:00:32,070 --> 00:00:37,070
of them, and we can't really know what the exact rule is.

13
00:00:37,470 --> 00:00:39,300
What I'm going to do is I will give you

14
00:00:39,300 --> 00:00:40,770
a few different options as

15
00:00:40,770 --> 00:00:43,770
to what you can try in order to bypass firewall.

16
00:00:43,770 --> 00:00:45,960
First of all, how can we know if some

17
00:00:45,960 --> 00:00:49,080
of the ports on the target machine are behind a firewall?

18
00:00:49,080 --> 00:00:51,150
We already mentioned this in the previous video

19
00:00:51,150 --> 00:00:54,840
and Nmap will tell us that those ports are filtered.

20
00:00:54,840 --> 00:00:57,245
By now we should already know what a filtered port is

21
00:00:57,245 --> 00:01:00,210
but let us define it once again.

22
00:01:00,210 --> 00:01:03,390
A filtered port is when Nmap can't figure out

23
00:01:03,390 --> 00:01:05,910
whether a certain port is open or closed

24
00:01:05,910 --> 00:01:07,957
and that is due to dropped packets,

25
00:01:07,957 --> 00:01:11,736
possibly because that port is behind a firewall.
26
00:01:11,736 --> 00:01:15,030
Therefore, we don't get any responses back

27
00:01:15,030 --> 00:01:19,470
from that port and Nmap flags it as filtered.

28
00:01:19,470 --> 00:01:22,140
Let me show you this on a Windows machine.

29
00:01:22,140 --> 00:01:26,220
Right here I have a Windows 7 virtual machine

30
00:01:26,220 --> 00:01:30,106
and this virtual machine, if I go to the Control Panel

31
00:01:30,106 --> 00:01:34,830
and then System and Security and Windows Firewall,

32
00:01:34,830 --> 00:01:38,070
this machine has the firewall turned on.

33
00:01:38,070 --> 00:01:41,400
If we try to scan it using a SYN scan, which we covered

34
00:01:41,400 --> 00:01:43,530
in the previous section, so let's do it right here.

35
00:01:43,530 --> 00:01:46,410
Remember, it requires sudo privileges,

36
00:01:46,410 --> 00:01:50,820
so sudo nmap dash SS and then the IP address.

37
00:01:50,820 --> 00:01:51,780
I will use the IP address

38
00:01:51,780 --> 00:01:54,420
of my Windows 7 virtual machine

39
00:01:54,420 --> 00:01:57,483
and if I press enter here and type in the password,

40
00:01:59,040 --> 00:02:02,280
in just a few seconds, this scan will finish

41
00:02:02,280 --> 00:02:04,680
and we're going to compare this result when

42
00:02:04,680 --> 00:02:06,420
the firewall is turned on

43
00:02:06,420 --> 00:02:10,020
with the result once we turn off the firewall.

44
00:02:10,020 --> 00:02:11,583
So let's wait for this to end.

45
00:02:12,420 --> 00:02:14,070
And here it is.

46
00:02:14,070 --> 00:02:16,800
It doesn't have any port open.

47
00:02:16,800 --> 00:02:20,670
Matter of fact, it will tell me all 1000 scanned ports

48
00:02:20,670 --> 00:02:23,103
on this PC are filtered.

49
00:02:24,030 --> 00:02:25,590
Now this doesn't mean

50
00:02:25,590 --> 00:02:29,280
that all could be closed or all could be opened.
51
00:02:29,280 --> 00:02:31,740
This just means that they're behind the firewall

52
00:02:31,740 --> 00:02:36,060
and any packets we send get dropped by that firewall.

53
00:02:36,060 --> 00:02:40,020
So our target could have a few ports open and others closed,

54
00:02:40,020 --> 00:02:42,240
but we don't really know that.

55
00:02:42,240 --> 00:02:44,550
Let me show you the response of the same scan,

56
00:02:44,550 --> 00:02:47,970
once we have that target turn off their firewall.

57
00:02:47,970 --> 00:02:49,890
So let's go to the Windows machine

58
00:02:49,890 --> 00:02:53,643
and I will click on this "Turn Windows Firewall on or off".

59
00:02:54,480 --> 00:02:57,030
And in both of these settings I will select

60
00:02:57,030 --> 00:02:59,580
"Turn off Windows Firewall".

61
00:02:59,580 --> 00:03:03,930
Click on OK, and now once the firewall is turned off

62
00:03:03,930 --> 00:03:06,810
let us perform the same scan that we did right here.

63
00:03:06,810 --> 00:03:08,580
So we'll just use the up arrow,

64
00:03:08,580 --> 00:03:13,260
run the same command, and here it is.

65
00:03:13,260 --> 00:03:16,830
We can see that some ports are indeed open.

66
00:03:16,830 --> 00:03:20,460
This firewall right here doesn't have any special rules

67
00:03:20,460 --> 00:03:23,310
since it is made to block all traffic.

68
00:03:23,310 --> 00:03:25,380
So the techniques that I'm about to show you

69
00:03:25,380 --> 00:03:27,630
in these few videos will not work

70
00:03:27,630 --> 00:03:30,810
on regular machines that just turn on their firewall

71
00:03:30,810 --> 00:03:33,990
and that don't accept any type of connection.
72
00:03:33,990 --> 00:03:36,390
However, once firewall rules are applied,

73
00:03:36,390 --> 00:03:39,000
and they usually are applied on some servers

74
00:03:39,000 --> 00:03:41,310
or machines that need remote access

75
00:03:41,310 --> 00:03:44,340
or that need to communicate with other machines,

76
00:03:44,340 --> 00:03:46,680
then we can test these options and see whether

77
00:03:46,680 --> 00:03:50,310
those rules have any vulnerability that we can bypass.

78
00:03:50,310 --> 00:03:53,223
I will turn the firewall back on right here.

79
00:03:55,140 --> 00:03:59,253
I will close this and let's start with our first option.

80
00:04:00,120 --> 00:04:03,510
We're going to use the option dash F.

81
00:04:03,510 --> 00:04:05,350
So if I clear the screen

82
00:04:06,540 --> 00:04:10,290
and type the command sudo nmap dash F and then

83
00:04:10,290 --> 00:04:11,350
the IP address,

84
00:04:12,210 --> 00:04:15,930
this dash F option causes the requested scan

85
00:04:15,930 --> 00:04:19,589
to use tiny fragmented IP packets.

86
00:04:19,589 --> 00:04:23,070
Now you might be wondering why we would do that.

87
00:04:23,070 --> 00:04:26,345
Well, the idea behind this is to split the TCP header

88
00:04:26,345 --> 00:04:29,932
over several packets to make it harder for packet filters

89
00:04:29,932 --> 00:04:34,350
or intrusion detection systems to detect what you're doing.

90
00:04:34,350 --> 00:04:39,350
If we specify the option once, just by adding one dash F,

91
00:04:39,390 --> 00:04:44,070
Nmap will split the packets into eight bytes or less.

92
00:04:44,070 --> 00:04:47,765
So if your packet had a 24-byte TCP header,

93
00:04:47,765 --> 00:04:49,211
this would be split

94
00:04:49,211 --> 00:04:52,023
into three different packets of eight bytes.
95
00:04:53,070 --> 00:04:57,120
Now you can also specify the option twice with dash F

96
00:04:57,120 --> 00:04:59,910
and then once again dash F,

97
00:04:59,910 --> 00:05:03,570
and this will split the packets into 16 bytes per fragment.

98
00:05:03,570 --> 00:05:07,140
But be careful when running this option on an actual target

99
00:05:07,140 --> 00:05:11,283
as some programs have trouble handling these tiny packets.

100
00:05:12,270 --> 00:05:14,940
If you want to increase the fragment size even more

101
00:05:14,940 --> 00:05:16,450
you can use the option

102
00:05:18,030 --> 00:05:23,010
dash dash mtu and after it the fragment size,

103
00:05:23,010 --> 00:05:24,630
just remember that the offset you

104
00:05:24,630 --> 00:05:27,393
specify must be a multiple of eight.

105
00:05:28,710 --> 00:05:33,270
This fragmentation won't always work if I run this scan.

106
00:05:33,270 --> 00:05:36,330
This option will not work most of the time actually.

107
00:05:36,330 --> 00:05:38,820
It only works if the network that you're scanning

108
00:05:38,820 --> 00:05:42,030
can afford the hit that this will cause, therefore

109
00:05:42,030 --> 00:05:44,250
they just leave it disabled.

110
00:05:44,250 --> 00:05:47,490
Some networks also can't enable this because fragments

111
00:05:47,490 --> 00:05:50,610
may take different routes into their networks.

112
00:05:50,610 --> 00:05:53,430
Nonetheless, it is good to mention this option

113
00:05:53,430 --> 00:05:56,010
as it might come in handy one day.

114
00:05:56,010 --> 00:05:58,710
Another option we can use, which is more focused

115
00:05:58,710 --> 00:06:02,640
on hiding your IP address than bypassing security,

116
00:06:02,640 --> 00:06:07,350
is creating decoys using dash D.
117
00:06:07,350 --> 00:06:10,210
So if I specify dash and then capital D,

118
00:06:11,430 --> 00:06:13,920
creating these decoys makes it appear

119
00:06:13,920 --> 00:06:16,140
to the target as if it has been scanned

120
00:06:16,140 --> 00:06:20,610
not only by you but also by the decoys that you specify.

121
00:06:20,610 --> 00:06:23,730
So their intrusion detection system might report

122
00:06:23,730 --> 00:06:27,990
multiple IP addresses that scanned them, including yours,

123
00:06:27,990 --> 00:06:29,970
but they will not be able to determine

124
00:06:29,970 --> 00:06:32,910
which one is real, so you successfully hid your

125
00:06:32,910 --> 00:06:35,010
IP address from them.

126
00:06:35,010 --> 00:06:37,338
There are two ways that we can do this, and just

127
00:06:37,338 --> 00:06:40,860
to show you how this works, what I'm going to do is

128
00:06:40,860 --> 00:06:43,800
I will open software called Wireshark

129
00:06:43,800 --> 00:06:45,063
on my Windows 10 machine.

130
00:06:48,600 --> 00:06:50,100
And with this software

131
00:06:50,100 --> 00:06:53,118
we will be able to see which IP addresses are communicating

132
00:06:53,118 --> 00:06:55,413
with my Windows 10 machine.

133
00:06:56,250 --> 00:06:58,290
Now you don't need to have Wireshark for now,

134
00:06:58,290 --> 00:07:00,750
just pay attention to the scans that we perform

135
00:07:00,750 --> 00:07:03,390
and the results that we get in Wireshark.

136
00:07:03,390 --> 00:07:06,150
Right here I will select Ethernet since that is

137
00:07:06,150 --> 00:07:07,560
what I'm currently using

138
00:07:07,560 --> 00:07:10,500
and we should already see some packets coming in,

139
00:07:10,500 --> 00:07:12,630
but these packets right here have nothing to do

140
00:07:12,630 --> 00:07:14,340
with our scan.
141
00:07:14,340 --> 00:07:18,240
So if I go back to my Kali Linux and I run the command

142
00:07:18,240 --> 00:07:22,860
sudo nmap dash D, and to specify how many random IP

143
00:07:22,860 --> 00:07:25,680
addresses we want to use to scan the target

144
00:07:25,680 --> 00:07:28,503
we can specify dash D and then RND:

145
00:07:29,820 --> 00:07:32,790
and then the number of IP addresses we want to use.

146
00:07:32,790 --> 00:07:36,810
So in this case, I will use five random IP addresses.

147
00:07:36,810 --> 00:07:40,353
If I press enter right here and go to my Wireshark.

148
00:07:41,550 --> 00:07:44,373
Hmm, it doesn't seem to be flooding anything.

149
00:07:45,510 --> 00:07:47,820
Are we successfully scanning?

150
00:07:47,820 --> 00:07:48,930
Oh, that's right.

151
00:07:48,930 --> 00:07:51,090
We are scanning the Windows 7 machine.

152
00:07:51,090 --> 00:07:51,923
My bad.

153
00:07:51,923 --> 00:07:54,510
So we need to be scanning our Windows 10 machine.

154
00:07:54,510 --> 00:07:56,130
So let me check the IP address

155
00:07:56,130 --> 00:08:01,130
on my Windows 10. ipconfig, 192.168.1.7,

156
00:08:02,010 --> 00:08:06,572
and right here I will just change from 1.6 to 1.7.

157
00:08:06,572 --> 00:08:08,672
Now let's go back to Wireshark once again.

158
00:08:09,810 --> 00:08:12,870
Hmm, it doesn't seem to show for some reason.

159
00:08:12,870 --> 00:08:16,260
Let us try adding this command

160
00:08:16,260 --> 00:08:18,963
and we will use the SYN scan to perform this.

161
00:08:19,830 --> 00:08:20,763
Press enter.

162
00:08:21,720 --> 00:08:24,060
And the reason this might not work is

163
00:08:24,060 --> 00:08:27,420
because sometimes Wireshark will have a problem

164
00:08:27,420 --> 00:08:30,520
capturing the packets that we send from a virtual machine,

165
00:08:31,380 --> 00:08:35,130
and that is mostly because we are scanning our host machine

166
00:08:35,130 --> 00:08:37,169
from the virtual machine.
167
00:08:37,169 --> 00:08:39,568
So what I'm going to do is I'm going to go

168
00:08:39,568 --> 00:08:42,243
to my laptop and run the same command.

169
00:08:43,140 --> 00:08:44,159
Give me just a second

170
00:08:44,159 --> 00:08:47,763
and I'm running the same command that we ran right here.

171
00:08:49,140 --> 00:08:50,250
I just ran it.

172
00:08:50,250 --> 00:08:54,630
And if I go back here, here we can see now the output.

173
00:08:54,630 --> 00:08:57,990
We can see that our Windows 10 machine is getting flooded

174
00:08:57,990 --> 00:09:00,510
with random IP addresses.

175
00:09:00,510 --> 00:09:04,650
If I stop it, I can see different IP addresses right here.

176
00:09:04,650 --> 00:09:06,803
So we got 193.245.213.77.

177
00:09:10,560 --> 00:09:12,750
We also got the other IP addresses,

178
00:09:12,750 --> 00:09:15,930
but I will also see my laptop's IP address

179
00:09:15,930 --> 00:09:18,270
and it kind of sticks out.

180
00:09:18,270 --> 00:09:21,365
Since this RND option that we used creates

181
00:09:21,365 --> 00:09:23,670
random IP addresses,

182
00:09:23,670 --> 00:09:26,940
all of those random IP addresses will be truly random

183
00:09:26,940 --> 00:09:29,280
while the only IP address that will stick out

184
00:09:29,280 --> 00:09:33,600
will be this 192.168.1.10

185
00:09:33,600 --> 00:09:35,610
and that is a local IP.

186
00:09:35,610 --> 00:09:38,250
So this will most likely not work.

187
00:09:38,250 --> 00:09:40,623
They will recognize it as the true IP.

188
00:09:41,550 --> 00:09:43,050
So how can we change this

189
00:09:43,050 --> 00:09:44,970
and make it seem like the scan is coming

190
00:09:44,970 --> 00:09:49,830
from five local IP addresses that belong to my home network?
191
00:09:49,830 --> 00:09:52,620
Instead of running the command like this,

192
00:09:52,620 --> 00:09:56,043
what we can do is we can run the command like this:

193
00:09:56,043 --> 00:10:00,360
sudo nmap and then dash D, and after dash D

194
00:10:00,360 --> 00:10:04,590
we specify five different IP addresses, including ours.

195
00:10:04,590 --> 00:10:08,340
So we'll specify 192.168.1.2.

196
00:10:08,340 --> 00:10:13,340
Let's also use 192.168.1.5 for example.

197
00:10:13,770 --> 00:10:18,060
Let's use 192.168.1.6.

198
00:10:18,060 --> 00:10:21,663
Let's use 192.168.1.15.

199
00:10:22,800 --> 00:10:25,920
And let's at the end use my IP address,

200
00:10:25,920 --> 00:10:28,110
and to specify the Kali Linux IP address,

201
00:10:28,110 --> 00:10:30,480
we can simply type ME.

202
00:10:30,480 --> 00:10:33,240
What this command will do is it will use these random

203
00:10:33,240 --> 00:10:35,310
IP addresses to scan the target,

204
00:10:35,310 --> 00:10:37,950
including our true IP address.

205
00:10:37,950 --> 00:10:40,740
So all we need to specify is the IP address

206
00:10:40,740 --> 00:10:42,900
of my Windows 10 machine.

207
00:10:42,900 --> 00:10:47,370
And if I run this, go back to Wireshark, yeah, of course,

208
00:10:47,370 --> 00:10:49,320
once again I must run this

209
00:10:49,320 --> 00:10:52,140
from the actual laptop in order for this to work.

210
00:10:52,140 --> 00:10:54,420
So what I'm going to do is I'm going to run the same command

211
00:10:54,420 --> 00:10:59,420
in just a second, and I'm running it right now.

212
00:10:59,460 --> 00:11:02,850
If I go to my Wireshark, here we can see

213
00:11:02,850 --> 00:11:07,080
now it is getting flooded with local IP addresses.

214
00:11:07,080 --> 00:11:10,177
We can see 192.168.1.2,
215
00:11:10,177 --> 00:11:13,080
.1.5, .1.15,

216
00:11:13,080 --> 00:11:17,280
and .1.10, and they will never really realize

217
00:11:17,280 --> 00:11:21,000
that this one is the correct IP address

218
00:11:21,000 --> 00:11:23,550
since they're getting flooded with a lot of them.

219
00:11:23,550 --> 00:11:25,080
And you can change this number,

220
00:11:25,080 --> 00:11:28,341
you can use more IP addresses if you want, or fewer.

221
00:11:28,341 --> 00:11:30,690
But the point of this is that

222
00:11:30,690 --> 00:11:33,090
in case you're scanning a target that is

223
00:11:33,090 --> 00:11:36,990
inside the same network as you, use local IP addresses,

224
00:11:36,990 --> 00:11:39,090
and in case you're scanning a target that is

225
00:11:39,090 --> 00:11:42,270
outside your network, you can use this option right here

226
00:11:42,270 --> 00:11:45,120
which will generate random IP addresses

227
00:11:45,120 --> 00:11:48,180
and the security will have a hard time figuring out

228
00:11:48,180 --> 00:11:50,310
which one is the correct one.

229
00:11:50,310 --> 00:11:52,546
Cool, right? Now don't worry

230
00:11:52,546 --> 00:11:55,620
since this didn't work on my Windows 10 machine.

231
00:11:55,620 --> 00:11:57,120
The only reason it didn't work is

232
00:11:57,120 --> 00:12:00,840
because my Kali Linux machine uses the same network interface

233
00:12:00,840 --> 00:12:03,150
as my Windows 10 host machine.

234
00:12:03,150 --> 00:12:05,130
If you were to scan any other target

235
00:12:05,130 --> 00:12:08,673
except your host machine, this would work in every case.
236
00:12:09,510 --> 00:12:11,940
So for now, we looked at these two options

237
00:12:11,940 --> 00:12:14,670
and in the next video I will just quickly

238
00:12:14,670 --> 00:12:17,730
mention a few more options used to evade security

239
00:12:17,730 --> 00:12:20,160
and then we will proceed to vulnerability analysis

240
00:12:20,160 --> 00:12:21,300
which is the last step

241
00:12:21,300 --> 00:12:24,003
before we start gaining access to our target.