Evading Windows 7 Firewall rules with Basic Scanning using Nmap

Today, let us talk about Firewall rules and how we can evade them. However, i will be producing more advanced and complex tutorials for ninja scanning as well.OK, let us talk about a basic ninja scan which is required in the following scenario-

Target is a colleague in the neighborhood who is running on Windows 7, Runs a Version of an FTP server on port 21 and 990(secured) and lastly has blocked our IP address as well. Our task is to evade the protection mechanisms that are the Windows 7 firewall based rules.


To create a self test environment, you need-
–>Windows 7 up and running in VMware or on a different machine

  • A Firewall rule in “Inbound Connections” which Blocks our IP address
  • Any Linux configured with Nmap

OK! So let us first run a simple Nmap scan without any rule in the firewall and check what is the output:-
nmapscanwithoutfirewall.png

Providing the simple command nmap 192.168.193.128 shows the output in the above screenshot. Everything seems to be OK! we are able to make a connection with ease. let us now create a firewall rule to block the remote address 192.168.193.1(Attacker’s OS IP/Our IP)
Firewall+Rule.png

The first rule blocks our IP address which is 192.168.193.1 Let us now re-scan the target and see that if the firewall is blocking us now or not?

nmapscanwithfirewall.png


“All 1000 ports are filtered” firewall is working pretty well huh? 😛 let us also check what Wireshark denotes running this scan-

nmapnoacknowledgements.png

All SYN packets from the very first packet till the end of the scan…. so what this means? yeah you guessed it right no ACKs. Therefore, Nmap shows all ports filtered.

Let us now overcome this situation by using -S switch in Nmap which helps in spoofing the originating address as follows-

nmapscanwithfirewallrule.png

Let us analyze the above command, we used -sS to denote a Stealth Scan/Half open Scan. Next, we used -e to denote the interface name which in my case was vmnet8 because i used it in VMware Player(eth0 in case of machine being a different one). Next, -S to supply an address to spoof and 21,990 using -p switch to denote the port numbers. we can see that some error messages are generated but its alright, it works fine. let us cross check its functioning using Wireshark-

wiresharkblockage.png

Bingo! we were able to spoof the address with ease and we can also see the SYN-ACKs sent back from the target to the spoofed address which doesn’t exist actually 😛

This concludes our most basic ninja scanning tutorial to evade a firewall rule of Windows 7. Stay tuned for more tutorials. Additionally, Refer to my book Mastering Metasploit to learn how to scan a hidden network using a compromised host.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s