
Thread: Bypassing the firewall

  1. #21
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    I believe all pings use the ICMP_ECHO packets to detect if a system is up.



    btw. it is QoD and not GOD


  2. #22
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    And all this time I thought I was talking firewalls and hacking with the `Almighty One'.....

    Sorry QoD, you must have been wondering why this doomaas spurious person can't get your name right.
    Get OpenSolaris http://www.opensolaris.org/

  3. #23
    Member
    Join Date
    Jun 2002
    Posts
    95
    Guys, does it really matter about the age?

    I was working with the SysAdmin and the Tech while I was at school, when I was 14. I worked with them throughout most of my school life on a network of 400+ computers, and since I worked with them so long, they gave me root.

    And working with education, there are many firewalls and proxies, as most work know, and sometimes you have to try and bypass them to get stuff working like :- DisEd, Remote Edu Access etc.

    So obviously you don't have to be working to know about this stuff, just look at me. Newho, reactions might suggest 'leapinglangoor' first post is right, however have a think and spare a thought and look at all the possibilities before questioning people.

    Thanks for reading and hopefully all AO'ers take this thought into consideration,

  4. #24
    Search term "firewalk"

    Nota Bene : I am contributing to this thread because it's important to understand the opposition's methods in order to secure or protect your network.

    Krang
    .....Brain Failure....dumping core.... z z z

  5. #25
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Yep, don't even need the search... jump to http://www.packetfactory.net/firewalk/

  6. #26
    Junior Member
    Join Date
    Dec 2003
    Posts
    6
    Originally posted here by qod
    I am not trying to hack anything, I am just asking is it possible??
    It depends on the type of firewall, configuration, intruder's skills etc.
    For example, it's possible to enumerate hosts behind a simple (non-stateful) firewall with ACK TCP packets using tools like hping2.
    Sometimes you happen to find a hole through the firewall, because of a wrong configuration etc.

    But the most common way, I think, is to compromise a host in the DMZ (ex. a web server) and then you've got the internal net at your disposal.

  7. #27
    Oops, you're right, I made a mistake. Was thinking about the traceroute utility using UDP by default. Still, traceroute is similar to ping in that it waits for unreachable messages, just a little smarter in that the packets sent start with a TTL of 1, then the TTL is incremented until it reaches the destination IP.

    What I should've said was nmap defaults to TCP pings for non-root users, and if the host is firewalled, these packets will be discarded. It seems the host does allow ICMP traffic through though if it shows up using the ping command. There are some rootkits that use ICMP to pass commands, or cause the compromised machine to connect back to the attacker's machine, thereby bypassing the firewall. This only works if the outbound firewall rules are weak enough though....

  8. #28
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Originally posted here by Beryllium9
    Oops, you're right, I made a mistake. Was thinking about the traceroute utility using UDP by default. Still, traceroute is similar to ping in that it waits for unreachable messages, just a little smarter in that the packets sent start with a TTL of 1, then the TTL is incremented until it reaches the destination IP.

    traceroute uses ICMP_ECHO packets by default which uses UDP. But traceroute are no UDP packets but ICMP packets.


    btw I am glad how this thread turned out, people were bashing it and now everyone is helping.

  9. #29
    Nope, traceroute under Linux uses UDP by default. To make it use ICMP echo requests instead, you have to use the -I option on the command line. From the man pages:-

    -I Use ICMP ECHO instead of UDP datagrams.

  10. #30
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    I never knew that, thanks Beryllium9
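
Posts #27 and #29 describe traceroute as sending probes whose TTL starts at 1 and is incremented, over UDP by default on Linux or ICMP echo with -I. The sketch below is an added example, not code from anyone in this thread: it shows how a defender could flag that pattern in packet records from a border sensor. The record layout, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: (time_s, src, dst, proto, ttl) as seen by a border sensor.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = (
    [(0.1 * i, "198.51.100.7", "192.0.2.10", "udp", 1 + i // 3) for i in range(15)]  # UDP sweep, TTL 1..5
    + [(20 + i, "203.0.113.9", "192.0.2.10", "icmp", 1 + i) for i in range(4)]       # ICMP sweep, TTL 1..4
    + [(30 + i, "198.51.100.20", "192.0.2.10", "icmp", 54) for i in range(5)]        # ordinary ping
    + [(100 * i, "203.0.113.50", "192.0.2.10", "udp", 1 + i) for i in range(4)]      # too slow for the window
)

def longest_ttl_run(ttls):
    """Length of the longest run of consecutive integer TTL values."""
    best = run = 0
    prev = None
    for t in sorted(set(ttls)):
        run = run + 1 if prev is not None and t == prev + 1 else 1
        best = max(best, run)
        prev = t
    return best

def find_ttl_sweeps(records, max_ttl=30, min_run=4, window_s=60.0):
    """Return {(src, dst, proto): run_length} for flows whose low TTLs step
    upward one hop at a time inside a time window (traceroute-style probing)."""
    flows = defaultdict(list)
    for ts, src, dst, proto, ttl in records:
        if ttl <= max_ttl:            # ordinary traffic arrives with a high, constant TTL
            flows[(src, dst, proto)].append((ts, ttl))
    hits = {}
    for key, pkts in flows.items():
        pkts.sort()
        start = best = 0
        for end in range(len(pkts)):
            # Slide the window so it never spans more than window_s seconds.
            while pkts[end][0] - pkts[start][0] > window_s:
                start += 1
            best = max(best, longest_ttl_run(t for _, t in pkts[start:end + 1]))
        if best >= min_run:
            hits[key] = best
    return hits

if __name__ == "__main__":
    for (src, dst, proto), run in find_ttl_sweeps(SAMPLE).items():
        print(f"{src} -> {dst} {proto}: {run} consecutive TTL steps")
```

The fixed window means a sweep spread over several minutes is missed; widening `window_s` catches it at the cost of more state per flow.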
