How to Bypass Firewall using NMAP

Bypassing Firewall Rules

While mapping out firewall rules can be valuable, bypassing rules is often the primary goal. Nmap implements many techniques for doing this, though most are only effective against poorly configured networks. Unfortunately, those are common. Individual techniques each have a low probability of success, so try as many different methods as possible. The attacker need only find one misconfiguration to succeed, while the network defenders must close every hole.

Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.

The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the firewall for this to work. The script supports ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.

Source Port Manipulation

One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, only to be flooded with complains from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file.

Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active FTP from port 20, many administrators have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, administrators consider this a short-term stop-gap measure until they can implement a more secure solution. Then they forget the security upgrade.

Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). Apple fans shouldn't get too smug about this because the firewall which shipped with Mac OS X Tiger is just as bad. Jay Beale discovered that even if you enable the “Block UDP Traffic” box in the firewall GUI, packets from port 67 (DHCP) and 5,353 (Zeroconf) pass right through. Yet another pathetic example of this configuration is that Zone Alarm personal firewall (versions up to 2.1.25) allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP).

Nmap offers the -g and --source-port options (they are equivalent) to exploit these weaknesses. Simply provide a port number, and Nmap will send packets from that port where possible. Nmap must use different port numbers for certain OS detection tests to work properly. Most TCP scans, including SYN scan, support the option completely, as does UDP scan. In May 2004, JJ Gray posted example Nmap scans to Bugtraq that demonstrate exploitation of the Windows IPsec source port 88 bug against one of his clients. A normal scan, followed by a -g 88 scan.

Script Arguments


The helper to use. Defaults to ftp. Supported helpers: ftp (Both IPv4 and IPv6).


Port to test vulnerability on. Target port should be a non-open port. If not given, the script will try to find a filtered or closed port from the port scan results.


If not using the helper's default port.

Example Usage

nmap --script firewall-bypass <target>
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp", firewall-bypass.targetport=22 <target>

Script Output

Host script results:
| firewall-bypass:
|_  Firewall vulnerable to bypass through ftp helper. (IPv4)

Bypassing Windows IPsec filter using source port 88

IPv4 and IPv6 scans

For more depth analysis visit SOURCE : 1 2

An Ethical hacker should know the penalties of unauthorized hacking into a system. Read more at: Legality and Ethics

#security7yuhi #vulnurablehub #testservers #work #study #kalilinux #securityhardening #kalilinuxall #ethical #exploit #reverseshell #1kbkiller #bypassfirewall #firewall #nmap #Sans #cheatsheet #hackerslatam #hackstagram #hackers #hackingtutorials #hackerman #hacking #hacker #ethicalhacking #ciberseguridad #cibersecurity #infosecurity #infosec #deepweb #anonymous #security #darkweb #spycloud #cisco #pentesting #aws #kalilinux #elkstack #layer7apparel #minneapolis #atlanta #california #programming


For more tricks and update over hacking stay tuned to our site: Note 4 Tech


Recent Posts

See All