Try Hack Me: Firewalls

Introduction to Firewalls

Overview of the Importance of Firewalls

  • The speaker emphasizes that while firewalls may not attract a lot of views, they are crucial for understanding network security.
  • This lesson is part of the Red Team path, focusing on essential concepts related to firewalls.

Understanding IP Headers

  • An IPv4 header carries the fields a firewall keys on, such as the source address, destination address and protocol, together with options and padding, and is followed by the packet data.
  • Firewalls monitor network traffic by comparing it against predefined rules to determine whether to allow or block traffic.

Key Components of Firewall Functionality

Protocols and Ports

  • The TCP header includes source and destination ports; common protocols include TCP, UDP, and ICMP.
  • TCP is connection-oriented while UDP is connectionless; firewalls should check at least the TCP/UDP headers for source and destination ports.

Warm-Up Questions on Port Blocking

  • To block Telnet traffic, one would deny TCP port 23; HTTPS operates over port 443.
  • Other ports mentioned include 8080 (an alternative HTTP port) and 5161 (SNMP over SSH).
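The header fields and port rules above are easiest to see in code. The following Python is an added example written for these notes, not code from the video or from TryHackMe: it builds constructed IPv4/TCP packets, parses the header fields a packet filter keys on (addresses, protocol, ports, TTL, header checksum) and evaluates them against a small rule list that denies Telnet (TCP 23) and allows HTTPS (TCP 443). The addresses, the rule format and the rule list are assumptions of the example; a packet whose IPv4 header checksum does not validate is dropped before any rule is consulted.

```python
import struct
from socket import inet_aton, inet_ntoa

# Added example: a toy stateless packet filter over raw IPv4/TCP headers.
# All addresses and rules below are constructed for illustration.


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0 when valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags=0x02, bad_checksum=False):
    """Constructed IPv4 + TCP packet (no options, no payload); flags=0x02 is a bare SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    csum = ipv4_checksum(ip)
    if bad_checksum:
        csum ^= 0x0001                       # flip one bit so the checksum no longer validates
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


def parse_packet(raw: bytes) -> dict:
    """Pull out the header fields a packet filter decides on."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    pkt = {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto, "ttl": ttl,
           "total_len": total_len, "checksum_ok": ipv4_checksum(raw[:ihl]) == 0}
    if proto in (6, 17) and len(raw) >= ihl + 4:   # TCP or UDP: ports are the first 4 bytes
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    if proto == 6 and len(raw) >= ihl + 14:
        pkt["flags"] = raw[ihl + 13]         # TCP flags byte (SYN = 0x02, ACK = 0x10)
    return pkt


# Constructed rule list, evaluated top to bottom; first match wins, default deny.
RULES = [
    {"action": "deny",  "proto": 6,  "dport": 23},    # Telnet
    {"action": "allow", "proto": 6,  "dport": 443},   # HTTPS
    {"action": "allow", "proto": 17, "dport": 53},    # DNS
]


def evaluate(pkt: dict, rules=RULES, default="deny") -> str:
    if not pkt["checksum_ok"]:
        return "deny"                        # malformed header: never consult the rules
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return default


def decide(raw: bytes) -> str:
    return evaluate(parse_packet(raw))


if __name__ == "__main__":
    for label, raw in [
        ("telnet syn", build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40001, 23)),
        ("https syn", build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40002, 443)),
        ("https syn, bad checksum", build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40003, 443, bad_checksum=True)),
        ("http-alt syn", build_ipv4_tcp("198.51.100.7", "10.0.0.5", 40004, 8080)),
    ]:
        print(f"{label:26s} -> {decide(raw)}")
```

Only the header fields are consulted, which is exactly the limit of a packet filter: the decision for port 8080 here comes from the default deny, not from any knowledge of what the traffic is.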

Types of Firewalls: Hardware vs. Software

Distinctions Between Hardware and Software Firewalls

  • Hardware firewalls are physical devices designed specifically for firewall functions with their own operating systems.
  • Software firewalls run on top of an existing operating system (e.g., Windows Defender Firewall); if the firewall is disabled, the OS keeps running on its own.

Personal vs. Commercial Firewalls

  • Personal firewalls are used in smaller networks while commercial ones cater to medium to large networks with higher costs and administrative overhead.

Firewall Inspection Capabilities

OSI Model Relevance

  • Firewalls primarily focus on layers three (Network layer) and four (Transport layer); some also touch upon layer two.
  • Understanding these layers helps in identifying how different types of firewalls operate based on their inspection capabilities.

Types of Firewalls Based on Functionality

Understanding Firewall Types and Their Functions

Packet Filtering Firewalls

  • Packet filtering firewalls inspect each packet on its own (stateless inspection) against header fields; a rule that allows traffic on port 443, for example, passes any packet to that port, which is a basic level of security.
  • Circuit-level gateways enhance packet filtering by checking TCP handshakes against firewall rules, adding an extra layer of security.

Stateful Firewalls

  • Stateful firewalls track established TCP connections, offering better protection by monitoring the state of active sessions.
  • They can block any TCP packets that do not belong to an established connection, preventing unauthorized access.
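As an added example for these notes (not code from the video or from TryHackMe), here is a minimal stateful tracker in Python that follows the TCP three-way handshake and passes only segments that belong to a connection it has watched open. The inside network prefix, the published service port and the traffic sample are constructed assumptions; a real implementation also tracks sequence numbers, timeouts and UDP pseudo-state, which this skips. The two unsolicited segments near the end show the point of the section: an inbound SYN and an inbound ACK with no handshake behind them are dropped, whatever source port they carry, because the decision rests on connection state rather than on ports alone.

```python
from dataclasses import dataclass

# Added example: a toy stateful firewall that tracks the TCP three-way handshake.
# Addresses, ports and the traffic sample are constructed for illustration.

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFirewall:
    """Passes only segments that belong to a connection the firewall has watched open."""

    def __init__(self, inside_prefix: str, inbound_services=()):
        self.inside_prefix = inside_prefix             # e.g. "10.0.0." = the protected network
        self.inbound_services = set(inbound_services)  # ports outsiders may connect to
        self.conns = {}  # (initiator, iport, responder, rport) -> handshake state

    def process(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)  # seg flows initiator -> responder
        rev = (seg.dst, seg.dport, seg.src, seg.sport)  # seg flows responder -> initiator
        handshake = seg.flags & (SYN | ACK)

        if handshake == SYN:                            # new connection attempt
            if seg.src.startswith(self.inside_prefix) or seg.dport in self.inbound_services:
                self.conns[fwd] = "SYN_SENT"
                return "allow"
            return "deny"   # unsolicited inbound SYN; its source port plays no role

        if handshake == SYN | ACK and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RECEIVED"            # reply to a SYN we saw
            return "allow"

        if handshake == ACK and self.conns.get(fwd) == "SYN_RECEIVED":
            self.conns[fwd] = "ESTABLISHED"             # third step of the handshake
            return "allow"

        for key in (fwd, rev):                          # data in either direction
            if self.conns.get(key) == "ESTABLISHED":
                if seg.flags & (FIN | RST):
                    del self.conns[key]                 # simplified teardown
                return "allow"

        return "deny"   # no matching state: stray ACKs, RSTs, late replies, probes


def demo() -> list:
    """Run a constructed traffic sample through the tracker and return its decisions."""
    fw = StatefulFirewall("10.0.0.", inbound_services={443})
    traffic = [
        Segment("10.0.0.5", 50000, "203.0.113.10", 443, SYN),          # client opens
        Segment("203.0.113.10", 443, "10.0.0.5", 50000, SYN | ACK),    # server replies
        Segment("10.0.0.5", 50000, "203.0.113.10", 443, ACK),          # handshake done
        Segment("203.0.113.10", 443, "10.0.0.5", 50000, ACK),          # server data
        Segment("203.0.113.99", 53, "10.0.0.5", 161, SYN),             # unsolicited SYN from port 53
        Segment("203.0.113.99", 53, "10.0.0.5", 22, ACK),              # unsolicited ACK, no handshake
        Segment("198.51.100.7", 40000, "10.0.0.5", 443, SYN),          # outsider to published service
    ]
    return [fw.process(s) for s in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The interesting contrast with the stateless filter is the fifth segment: a rule that trusts source port 53 would have to allow it, while the tracker denies it because no inside host ever started that connection.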

Proxy Firewalls

  • Proxy firewalls act as intermediaries; they connect to servers on behalf of clients and inspect requests thoroughly.
  • These firewalls analyze packet payloads rather than just headers, allowing for deeper inspection of data being transmitted.

Next-Generation Firewalls (NGFW)

  • NGFWs provide advanced protection by monitoring all network layers and can dissect packets for detailed analysis.
  • The term "next-gen" is often used in marketing; it's essential to evaluate what specific features differentiate these firewalls from traditional ones.

Evasion Techniques and Scanning

  • Evasion techniques involve manipulating source MAC addresses, IP addresses, and ports to bypass firewall protections.
  • Tools like nmap are used for stealth scanning; options like -Pn skip host discovery (pinging) so that port discovery starts sooner.

Analyzing Network Traffic

  • Wireshark can be utilized to analyze packet details such as source/destination ports and packet length during scans.
  • Hackers may exploit predictable patterns in packet sizes (e.g., nmap's default length of 44 bytes), prompting defenders to implement blocking strategies based on this information.

Challenges in Defense Strategies

  • Newer firewalls can block repeated attempts at sending packets with specific lengths but must balance strictness with functionality to avoid disrupting legitimate traffic.
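To make the detection trade-off concrete, the following Python is an added example for these notes, not code from the video or from TryHackMe. It runs over constructed flow records and raises an alert when one source sends bare SYNs of the 44-byte probe size to many distinct ports within a short window, while a normal client opening a few connections stays below the threshold. The record format, addresses, window and threshold are assumptions; passing probe_len=None drops the length condition and shows why the distinct-port count, not the packet size, should carry the decision.

```python
from collections import defaultdict

# Added example: flag port sweeps made of fixed-size bare SYN probes.
# Records and thresholds are constructed for illustration.

SYN, ACK = 0x02, 0x10
PROBE_LEN = 44   # bytes: 20 IP + 24 TCP (MSS option), the default nmap SYN probe size


def detect_port_sweeps(records, probe_len=PROBE_LEN, window=10.0, min_ports=15):
    """records: iterable of (ts, src, dst, dport, length, flags).

    Returns {src: distinct targets} for every source that sent bare SYNs
    (of `probe_len` bytes, or any length when probe_len is None) to at least
    `min_ports` distinct (dst, dport) targets within any `window` seconds.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport, length, flags in records:
        if flags & (SYN | ACK) != SYN:          # only connection attempts, not replies/data
            continue
        if probe_len is not None and length != probe_len:
            continue
        per_src[src].append((ts, dst, dport))

    alerts = {}
    for src, probes in per_src.items():
        probes.sort()                            # by timestamp
        best = 0
        for i, (t0, _, _) in enumerate(probes):  # window starting at each probe
            targets = {(d, p) for ts, d, p in probes[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_ports:
            alerts[src] = best
    return alerts


def sample_records():
    """Constructed flow records: two sweeps (plain and padded) plus a normal client."""
    recs = []
    for i in range(20):   # 44-byte bare SYNs to 20 ports in two seconds
        recs.append((100.0 + i * 0.1, "198.51.100.23", "10.0.0.5", 1 + i, 44, SYN))
    for i in range(20):   # the same sweep padded to 172 bytes (44 + 128 bytes of filler)
        recs.append((200.0 + i * 0.1, "198.51.100.24", "10.0.0.5", 1 + i, 172, SYN))
    recs += [             # a browser opening three connections, also 44-byte SYNs
        (300.0, "203.0.113.4", "10.0.0.5", 443, 44, SYN),
        (300.2, "203.0.113.4", "10.0.0.5", 443, 44, SYN),
        (301.0, "203.0.113.4", "10.0.0.5", 80, 44, SYN),
        (301.5, "10.0.0.5", "203.0.113.4", 51000, 44, SYN | ACK),   # a reply, ignored
    ]
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("length-keyed rule:", detect_port_sweeps(recs))              # misses the padded sweep
    print("port-count rule:  ", detect_port_sweeps(recs, probe_len=None))
```

A rule keyed on the 44-byte size catches the plain sweep and misses the padded one; a rule keyed on the number of distinct targets catches both and still leaves the ordinary client alone, which is the balance the bullet above is asking for.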

Understanding Nmap Scanning Techniques

Packet Estimation in Scans

  • The speaker discusses the estimation of packets sent during an Nmap scan, indicating that for a fast scan, approximately 200 packets are expected when scanning multiple ports.

Utilizing Decoy IPs

  • The use of decoy IP addresses is introduced as a strategy during penetration tests to obscure the attacker's real IP. This involves sending packets from both decoys and the actual attacker’s IP.
  • It is advised to choose decoy IPs that are similar to the attacker's actual IP to avoid easy identification by defenders.
  • The speaker emphasizes that using dissimilar decoy IP addresses can make it easier for defenders to identify which ones are fake, thus suggesting a more strategic selection.

Enhancing Stealth with Randomization

  • When employing multiple decoys, it's recommended to increase their number beyond two; however, this will slow down the scan due to increased packet transmission.
  • A randomization option (the RND keyword of nmap's -D decoy option) generates random decoys, and the attacker's real IP address is placed at a random position among them, making detection harder.

Proxy Usage in Scanning

  • Using a proxy server during scans is recommended as it helps mask the attacker's true source IP. If blocked, changing proxies can be done easily without affecting operations significantly.
  • Setting up a proxy in Nmap is straightforward: pass the proxy URL with the --proxies option when running the scan.

Spoofing Techniques

  • Spoofing MAC addresses requires caution; if not on the same network as the spoofed address, replies will not reach the attacker.
  • The importance of being on-site or having control over spoofed addresses is highlighted; otherwise, responses may go unanswered.
  • An analogy about mailing illustrates how an incorrect return address means the reply never arrives; the same applies when spoofing MAC and IP addresses without access to the network where the replies are delivered.

Fixed Source Port Configuration

Understanding Nmap Scanning Techniques

Source Port Manipulation

  • The importance of specifying a source port in network scans is highlighted, particularly when firewalls block traffic except for certain ports like 443. This allows the scan to appear as legitimate web traffic.

UDP Scanning with Nmap

  • When using Nmap to discover open UDP ports, adding -g 53 (the same as --source-port 53) sets the source port to 53, mimicking DNS traffic, which can help bypass firewall restrictions keyed on that port.

Fragmentation Techniques

  • Fragmenting packets into smaller pieces (e.g., the 8-byte fragments produced by nmap's -f option) can help evade firewalls that block specific packet lengths; the same probe is simply sent as several packets.
  • By fragmenting packets, if a firewall blocks a specific packet type, it may not recognize fragmented packets as part of the same communication stream.

Maximum Transmission Unit (MTU)

  • The maximum transmission unit (MTU) defines the largest packet size that can be sent over a network link. For Ethernet, this is typically 1500 bytes. Understanding MTU is crucial for effective packet fragmentation strategies.
  • When setting the fragment size with Nmap's --mtu option, remember that the 20-byte IP header is not included in the value specified.

Packet Length and Data Padding

  • Generating packets of a specific length (Nmap's --data-length option) lets a scan match the data sizes expected for protocols like DNS; the extra bytes are random padding that disguises the probe.
  • The total length of an IP packet is the data length plus the header size; for example, a data length of 128 gives an overall packet size of 148 bytes once the 20-byte header is added.
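Fragmentation, the multiple-of-8 rule and the total-length arithmetic above can be checked with a short reassembler. The Python below is an added example for these notes, not code from the video, from TryHackMe or from nmap: it splits a constructed SYN packet into fragments of a chosen payload size (a multiple of 8, because the IPv4 fragment offset is counted in 8-byte units), shows that the first 8-byte fragment on its own does not even contain the TCP flags byte, and reassembles the pieces so the whole header can be inspected. The addresses and ports are assumptions, header checksums are left at zero in the constructed fragments, and total_length is just the header-plus-data sum from the bullet above.

```python
import struct

# Added example: IPv4 fragmentation and reassembly, to show what a filter that
# looks only at the first fragment can and cannot see. All packets are constructed.

IP_HDR = 20          # header length without options
MF = 0x2000          # "More Fragments" bit in the flags/fragment-offset field


def total_length(data_len: int, header_len: int = IP_HDR) -> int:
    """Total IP packet length = header + data (128 bytes of data -> 148)."""
    return header_len + data_len


def fragment(header: bytes, payload: bytes, mtu: int) -> list:
    """Split one datagram into fragments carrying at most `mtu` payload bytes each.
    `mtu` must be a multiple of 8 because the offset field counts 8-byte units."""
    if mtu <= 0 or mtu % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        more = off + mtu < len(payload)
        flags_off = (MF if more else 0) | (off // 8)
        hdr = (header[:2] + struct.pack("!H", IP_HDR + len(chunk)) + header[4:6]
               + struct.pack("!H", flags_off) + header[8:10] + b"\x00\x00" + header[12:])
        frags.append(hdr + chunk)            # checksum left at zero in this toy
    return frags


def reassemble(fragments):
    """Rebuild (header, payload) from fragments of one datagram; None if a piece is missing."""
    pieces, total, first_hdr = {}, None, None
    for frag in fragments:
        flags_off, = struct.unpack("!H", frag[6:8])
        off = (flags_off & 0x1FFF) * 8
        pieces[off] = frag[IP_HDR:]
        if not flags_off & MF:               # last fragment fixes the total payload size
            total = off + len(pieces[off])
        if off == 0:
            first_hdr = frag[:IP_HDR]
    if total is None or first_hdr is None:
        return None
    payload = b""
    while len(payload) < total:
        chunk = pieces.get(len(payload))
        if not chunk:
            return None                      # gap: a fragment never arrived
        payload += chunk
    hdr = first_hdr[:2] + struct.pack("!H", IP_HDR + total) + first_hdr[4:6] + b"\x00\x00" + first_hdr[8:]
    return hdr, payload


def tcp_flags(ip_payload: bytes):
    """TCP flags byte (offset 13 of the TCP header) if this much payload carries it, else None."""
    return ip_payload[13] if len(ip_payload) > 13 else None


def demo(mtu: int = 8) -> tuple:
    """Constructed SYN 10.0.0.5:40000 -> 203.0.113.10:443, fragmented and reassembled.
    Returns (fragment count, flags visible in fragment 1, flags after reassembly, payload intact)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length(len(tcp)), 0xBEEF, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    frags = fragment(header, tcp, mtu)
    _hdr, payload = reassemble(frags)
    return len(frags), tcp_flags(frags[0][IP_HDR:]), tcp_flags(payload), payload == tcp


if __name__ == "__main__":
    print("8-byte fragments:", demo(8))      # first fragment has no flags byte
    print("16-byte fragments:", demo(16))
```

With 8-byte fragments the first piece holds only the ports and sequence number, so a filter that judges each fragment in isolation cannot tell a SYN from anything else; reassembling before filtering (as stateful firewalls and IDS engines do) removes that blind spot.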

Time To Live (TTL)

  • TTL settings are discussed as a method for detecting active hosts on a network; adjusting the TTL value (Nmap's --ttl option) can help mask scanning activity from monitoring systems.
  • Changing TTL values during scans can reduce suspicion from firewalls or intrusion detection systems by making scan patterns less recognizable.

Understanding Network Scanning Techniques

Direct Connection and Time to Live Settings

  • The discussion begins with the concept of connecting directly to a target without hops, as the attack box is already in position. Setting the Time to Live (TTL) value to two is emphasized for VPN connections.
  • The importance of IP options within the IP header is introduced, allowing control over specific bytes in the IP options field.

Utilizing IP Options for Routing

  • Various commands are outlined for manipulating routing:
  • T for record route,
  • U for record timestamp,
  • L for loose source routing followed by a list of IP addresses.
  • Strict source routing is discussed as a method to navigate around network obstacles that may trigger alerts.

Testing Bad Checksums

  • The impact of using bad checksums on packet transmission is explored; some systems drop packets while others do not, which can be leveraged to gather information about network configurations.
  • If a system allows bad checksums, it indicates potential vulnerabilities in packet validation processes.

Port Hopping Techniques

  • Port hopping is defined as an evasion technique where applications switch between non-standard ports to maintain connections and avoid detection by firewalls.
  • An example illustrates how an application attempts various ports until it finds one that isn't blocked, demonstrating practical application in real-world scenarios.

Advanced Evasion Strategies

  • Another form of port hopping involves establishing a connection on one port and then switching to another during data transmission, complicating tracking efforts by security teams.
  • Tools like Netcat are mentioned for listening on specified ports (e.g., 1025), highlighting their utility in testing connectivity with target machines.

Connectivity Testing and Troubleshooting

  • A scenario unfolds where connection attempts are made using different IP addresses and ports. Initial failures lead to troubleshooting steps involving checking if services are up or down.

Port Tunneling and Firewall Bypassing Techniques

Introduction to Port Hopping

  • The discussion begins with an example of port hopping, where different open ports are tested to see if they can bypass a firewall. Only port 21 is successful in this instance.

Understanding Port Tunneling

  • Port tunneling is introduced as a more complex method that allows data to be sent through an open port (e.g., 443) to access another service on a different port (e.g., 25).

Practical Application of Port Forwarding

  • The speaker explains how port forwarding works, likening it to home router configurations where incoming packets are redirected to specific ports on a machine.

Setting Up Netcat for Listening

  • A demonstration using ncat shows how to listen on an open port (8008) while forwarding requests intended for a blocked port (80), effectively bypassing the firewall.

Successful Data Retrieval

  • After setting up the listener, the command successfully retrieves data from the target server, illustrating how accessing information through non-blocked ports can yield results even when direct access is denied.

Evasion Techniques Using Non-Standard Ports

Importance of Non-Standard Ports

  • The significance of using non-standard ports is emphasized; typically, users cannot access certain flags or data directly due to firewalls blocking standard ports like 80.

Creating Backdoors via Specified Ports

  • A backdoor setup is discussed, utilizing netcat on destination port 8081 which remains unblocked by firewalls. This allows interaction with the target machine's shell.

Establishing Reverse Shell Connections

  • Instructions are provided for submitting commands that establish a reverse shell connection. This enables remote control over the target system while bypassing standard security measures.

Next-Gen Firewalls: Features and Capabilities

Real-Time Intrusion Protection

  • Next-gen firewalls integrate real-time intrusion protection capabilities that allow them not only to alert but also block threats immediately upon detection.

Decrypting Encrypted Traffic

  • These advanced firewalls have the ability to decrypt SSL/TLS and SSH traffic, which poses challenges for unauthorized data exfiltration attempts. Proper certificate management is crucial for this functionality.

OSI Model Processing Limitations

Understanding Firewalls and Networking

Importance of Networking Knowledge in Security

  • The speaker emphasizes the significance of understanding networking for those pursuing a career in security, noting that many individuals skip this foundational knowledge.
  • A lack of networking skills can hinder progress in the security field, suggesting that mastering these concepts is crucial for advancement.
  • The discussion highlights how firewalls serve as an essential tool for learning about network security, making them a valuable resource for beginners.
  • The speaker encourages learners to engage with networking topics to bridge gaps in their knowledge and enhance their skill set.

Video description

This is the continuation of our Red Team Path. This is an entry-level and great way to start learning red teaming! This is a box all about how firewalls work and how to avoid them when pentesting. This is all for educational and ethical purposes only. If you want to see exclusive content and have the opportunity to game and chat with me about anything, check out the Patreon! Patreon to help support the channel! Thank you so much! https://patreon.com/stuffy24 Hacker Discord https://discord.gg/KzzGfnKjCS