1 00:00:00,840 --> 00:00:07,920 Let us talk about different options we can use in our scans to bypass a firewall. A firewall is something 2 00:00:07,920 --> 00:00:08,790 unpredictable. 3 00:00:09,300 --> 00:00:14,910 You don't really know its rules in order to know exactly what type of scan you need to perform in order 4 00:00:14,910 --> 00:00:15,760 to bypass it. 5 00:00:16,140 --> 00:00:21,840 Some of the firewalls could use MAC address filtering in order to allow certain devices to connect to 6 00:00:21,840 --> 00:00:25,530 a specific port, or in order to block certain devices. 7 00:00:26,070 --> 00:00:28,740 Some firewalls could block different types of packets. 8 00:00:29,070 --> 00:00:32,460 Some firewalls could block only some ports and not all of them. 9 00:00:32,700 --> 00:00:36,990 And we can't really know what the exact rule is. 10 00:00:37,440 --> 00:00:42,960 What I'm going to do is I will give you a few different options as to what you can try in order to bypass 11 00:00:42,960 --> 00:00:43,470 a firewall. 12 00:00:43,740 --> 00:00:48,540 First of all, how can we know if some of the ports on the target machine are behind a firewall? 13 00:00:49,080 --> 00:00:55,080 We already mentioned this in the previous video: Nmap will tell us that those ports are filtered. By 14 00:00:55,080 --> 00:00:55,410 now 15 00:00:55,410 --> 00:00:59,760 we should already know what a filtered port is, but let us define it once again. 16 00:01:00,180 --> 00:01:06,960 A filtered port is when Nmap can't figure out whether a certain port is open or closed, and that is due 17 00:01:06,960 --> 00:01:11,220 to dropped packets, possibly because that port is behind the firewall. 18 00:01:12,230 --> 00:01:18,590 Therefore, we don't get any responses back from that port, and Nmap marks it as filtered.
19 00:01:19,500 --> 00:01:26,940 Let me show you this on a Windows machine. Right here, I have a Windows 7 virtual machine, and this 20 00:01:26,940 --> 00:01:35,100 virtual machine, if I go to the Control Panel and then System and Security and Windows Firewall, this 21 00:01:35,100 --> 00:01:37,440 machine has the firewall turned on. 22 00:01:38,040 --> 00:01:42,260 If we tried to scan it using a SYN scan, which we covered in the previous section... 23 00:01:42,270 --> 00:01:43,330 So let's do it right here. 24 00:01:43,520 --> 00:01:46,170 Remember, it requires sudo privileges. 25 00:01:46,420 --> 00:01:48,590 So sudo nmap -sS. 26 00:01:48,690 --> 00:01:53,610 And then the IP address; I believe this is the IP address of my Windows 7 virtual machine. 27 00:01:54,330 --> 00:02:02,850 And if I press enter here, typing in the password, in just a few seconds this scan will finish, and we're 28 00:02:02,850 --> 00:02:09,600 going to compare this result when the firewall is turned on with the result once we turn off the firewall. 29 00:02:10,020 --> 00:02:11,460 So let's wait for this to end. 30 00:02:12,340 --> 00:02:19,780 And here it is, it doesn't have any port open. Matter of fact, it will tell me all one thousand 31 00:02:19,780 --> 00:02:22,990 scanned ports on this PC are filtered. 32 00:02:23,970 --> 00:02:30,300 Now, this doesn't mean that all could be closed or all could be opened; this just means that they 33 00:02:30,300 --> 00:02:35,130 are behind the firewall, and any packet we send gets dropped by that firewall. 34 00:02:36,030 --> 00:02:41,160 So our target could have a few ports open and others closed, but we don't really know that. 35 00:02:42,180 --> 00:02:47,390 Let me show you the response of the same scan once we have that target turn off their firewall. 36 00:02:47,940 --> 00:02:53,520 So let's go to the Windows machine, and I will click on this "Turn Windows Firewall on or off".
37 00:02:54,420 --> 00:03:00,290 And in both of these settings, I will select "Turn off Windows Firewall" and click on OK. 38 00:03:01,340 --> 00:03:07,190 And now, once the firewall is turned off, let us perform the same scan that we did right here, so we'll 39 00:03:07,190 --> 00:03:09,650 just use the up arrow to get the same command. 40 00:03:10,940 --> 00:03:12,350 And here it is. 41 00:03:13,240 --> 00:03:21,040 We can see that some ports are indeed open. This firewall right here doesn't have any special rules, since 42 00:03:21,040 --> 00:03:23,030 it is made to block all traffic. 43 00:03:23,290 --> 00:03:29,050 So the things that I'm about to show you in these few videos will not work on regular machines that 44 00:03:29,050 --> 00:03:33,440 just turn on their firewall and don't accept any type of connection. 45 00:03:33,970 --> 00:03:39,940 However, once firewall rules are applied, and they usually are applied on some servers or machines that 46 00:03:39,940 --> 00:03:45,940 need remote access or that need to communicate with other machines, then we can test these options 47 00:03:45,940 --> 00:03:49,770 and see whether those rules have any vulnerability that we can bypass. 48 00:03:50,260 --> 00:03:53,080 I will turn the firewall back on right here. 49 00:03:55,080 --> 00:03:59,130 I will close this, and let's start with our first option. 50 00:04:00,120 --> 00:04:10,050 We're going to use the option -f, so if I clear the screen and type the command sudo nmap -f and then 51 00:04:10,320 --> 00:04:18,900 the IP address, this -f option causes the requested scan to use tiny fragmented IP packets. 52 00:04:19,590 --> 00:04:22,350 Now, you might be wondering, why would we do that? 53 00:04:23,070 --> 00:04:29,850 Well, the idea behind this is to split the TCP header over several packets to make it harder for packet 54 00:04:29,850 --> 00:04:33,860 filters or intrusion detection systems to detect what you're doing.
55 00:04:34,320 --> 00:04:42,150 If we specify the option once, just by adding one -f, Nmap will split the packets into eight 56 00:04:42,150 --> 00:04:43,110 bytes or less. 57 00:04:44,080 --> 00:04:47,620 So if your packet had a twenty-four-byte TCP header, 58 00:04:48,590 --> 00:04:51,890 this would be split into three different packets of eight bytes. 59 00:04:53,050 --> 00:05:00,730 Now, you can also specify the option twice, with -f and then once again -f, and this will split 60 00:05:00,730 --> 00:05:03,120 the packets into 16 bytes per fragment. 61 00:05:03,550 --> 00:05:10,300 But be careful when running this option on an actual target, as some programs have trouble handling these 62 00:05:10,300 --> 00:05:11,140 tiny packets. 63 00:05:12,240 --> 00:05:19,800 If you want to increase the fragment size even more, you can use the option --mtu 64 00:05:20,780 --> 00:05:27,290 and after it the fragment size. Just remember that the offset you specify must be a multiple of eight. 65 00:05:28,740 --> 00:05:35,340 This fragmentation won't always work. If I run this scan, this option will not work most of the time; 66 00:05:35,340 --> 00:05:40,860 actually, it only works if the network that you're scanning can afford the hit that this will cause. 67 00:05:41,370 --> 00:05:43,440 Therefore, they just leave it disabled. 68 00:05:44,250 --> 00:05:50,130 Some networks also can't enable this, because fragments may take different routes into their networks. 69 00:05:50,580 --> 00:05:55,560 Nonetheless, it is good to mention this option, as it might come in handy one day. 70 00:05:55,960 --> 00:06:01,980 Another option we can use, which is more focused on hiding your IP address than bypassing security, 71 00:06:02,580 --> 00:06:10,140 and that option is creating decoys, using -D, so it is specified as a dash and then a capital D.
72 00:06:11,400 --> 00:06:17,910 Creating these decoys can make it appear to the target as if it has been scanned not only by you, but 73 00:06:17,910 --> 00:06:20,100 also by the decoys that you specify. 74 00:06:20,610 --> 00:06:27,330 So their intrusion detection system might report multiple IP addresses that scanned them, including yours, 75 00:06:27,990 --> 00:06:31,080 but they will not be able to determine which one is real. 76 00:06:31,680 --> 00:06:34,230 So you successfully hid your IP address from them. 77 00:06:35,010 --> 00:06:36,590 There are two ways that we can do this. 78 00:06:37,050 --> 00:06:43,770 And just to show you how this works, what I'm going to do is I will open a software called Wireshark 79 00:06:43,770 --> 00:06:44,940 on my Windows 10 machine. 80 00:06:48,560 --> 00:06:54,740 And with this software, we will be able to see which IP addresses are communicating with my Windows 81 00:06:54,740 --> 00:06:55,280 10 machine. 82 00:06:56,210 --> 00:07:00,940 Now, you don't need to have Wireshark for now, just pay attention to the scans that we perform and 83 00:07:00,940 --> 00:07:06,830 the results that we get in Wireshark. Right here, I will select Ethernet, since that is what I'm currently 84 00:07:06,830 --> 00:07:09,980 using, and we should already see some packets coming in. 85 00:07:10,460 --> 00:07:13,420 But these packets right here have nothing to do with our scan. 86 00:07:14,300 --> 00:07:22,880 So if we go back to my Kali Linux and I run the command nmap -D, and to specify how many random IP 87 00:07:22,880 --> 00:07:30,290 addresses we want to use to scan the target, we can specify -D and then RND, two dots, and then 88 00:07:30,290 --> 00:07:32,370 the number of IP addresses we want to use. 89 00:07:32,780 --> 00:07:40,190 So in this case, I will use five random IP addresses. If I press enter right here and go to my Wireshark... 90 00:07:41,510 --> 00:07:44,260 Hmm, it doesn't seem to be flooding anything.
91 00:07:45,480 --> 00:07:47,040 Are we successfully scanning? 92 00:07:47,790 --> 00:07:54,000 Oh, that's right, we are scanning the Windows 7 machine, my bad, so we need to be scanning our Windows 93 00:07:54,020 --> 00:07:54,560 10 machine. 94 00:07:54,570 --> 00:08:01,620 So let me check the IP address of my Windows 10 with ipconfig. When I did that: 192.168.1.7. 95 00:08:01,950 --> 00:08:05,790 And right here I will just change from one six to one seven. 96 00:08:06,300 --> 00:08:08,490 Now, let's go back to Wireshark once again. 97 00:08:09,740 --> 00:08:17,220 Hmm, it doesn't seem to show for some reason. Let us try adding -sS to this command to use the 98 00:08:17,220 --> 00:08:20,630 SYN scan to perform this, and press enter. 99 00:08:21,640 --> 00:08:28,120 And the reason this might not work is because sometimes Wireshark would have a problem capturing the 100 00:08:28,120 --> 00:08:30,470 packets that we send from a virtual machine. 101 00:08:31,330 --> 00:08:36,340 And that is mostly because we're scanning our host machine from the virtual machine. 102 00:08:37,150 --> 00:08:44,200 So what I'm going to do is I'm going to go to my laptop and run the same command, give me just a second, 103 00:08:44,200 --> 00:08:47,620 and I'm running the same command that we ran right here. 104 00:08:49,090 --> 00:08:50,260 I just ran it. 105 00:08:50,260 --> 00:08:53,740 And if I go back here, we can see now the output. 106 00:08:54,610 --> 00:08:59,620 We can see that our Windows 10 machine is getting flooded with random IP addresses. 107 00:09:00,520 --> 00:09:03,990 If I stop it, I can see different IP addresses right here. 108 00:09:04,660 --> 00:09:10,210 So we got 193.245.213.77.
109 00:09:10,550 --> 00:09:17,500 We also got the other IP addresses, but I will also see my laptop's IP address, and it kind of sticks 110 00:09:17,500 --> 00:09:25,390 out, since this RND option that we used creates phantom IP addresses; all of those random IP addresses 111 00:09:25,420 --> 00:09:31,180 will be truly random, while the only IP address that will stick out will be this one, 112 00:09:31,180 --> 00:09:35,100 192.168.1.10, and that is a local IP. 113 00:09:35,620 --> 00:09:37,600 So this will most likely not work. 114 00:09:38,230 --> 00:09:40,510 They will recognize it as the IP. 115 00:09:41,510 --> 00:09:47,750 So how can we change this and make it seem like this is coming from five local IP addresses that belong 116 00:09:47,750 --> 00:09:55,400 to my home network? Instead of running the command like this, what we can do is we can run the command 117 00:09:55,400 --> 00:09:58,660 like this: sudo nmap and then -D. 118 00:09:59,120 --> 00:10:05,330 And after -D, we specify five different IP addresses, including ours. So let's specify 119 00:10:05,340 --> 00:10:07,640 192.168.1.2. 120 00:10:08,300 --> 00:10:13,040 Let's also use 192.168.1.5, for example. 121 00:10:13,790 --> 00:10:17,090 Let's use 192.168.1.6. 122 00:10:18,010 --> 00:10:21,550 Let's use 192.168.1.15. 123 00:10:22,750 --> 00:10:29,680 And at the end, let's use my IP address, and to specify the IP address we can simply type ME. 124 00:10:30,460 --> 00:10:36,310 What this command will do is it will use these random IP addresses to scan the target, including our 125 00:10:36,760 --> 00:10:37,480 IP address. 126 00:10:37,960 --> 00:10:42,250 So all we need to specify is the IP address of my Windows machine. 127 00:10:42,850 --> 00:10:45,700 And if I run this and go back to Wireshark... 128 00:10:46,510 --> 00:10:47,350 Yeah, of course.
129 00:10:47,350 --> 00:10:52,120 Once again, I must run this from the actual laptop in order for this to work. 130 00:10:52,150 --> 00:10:58,300 So what I'm going to do is I'm going to run the same command in just a second, and I'm running it right 131 00:10:58,300 --> 00:10:58,720 now. 132 00:10:59,410 --> 00:11:06,310 If I go to my Wireshark here, we can see now it is getting flooded with local IP addresses. 133 00:11:07,080 --> 00:11:09,610 We can see 192.168.1.2, 134 00:11:09,970 --> 00:11:14,440 .1.5, .1.15 and .1.10. 135 00:11:14,980 --> 00:11:22,270 And they will never really realize that this one is the correct IP address, since they are getting flooded 136 00:11:22,270 --> 00:11:23,110 with a lot of them. 137 00:11:23,500 --> 00:11:27,820 And you can change this number; you can use more IP addresses if you want, or less. 138 00:11:28,690 --> 00:11:34,660 But the point of this is that in case you're scanning a target that is inside the same network as you, 139 00:11:35,050 --> 00:11:40,300 use local IP addresses, and in case you're scanning a target that is outside your network, 140 00:11:40,300 --> 00:11:46,600 you can use this option right here, which will generate phantom IP addresses, and the security will 141 00:11:46,600 --> 00:11:53,710 have a hard time figuring out which one is the correct one. And right now, don't worry, since this 142 00:11:53,710 --> 00:11:58,720 didn't work on my Windows 10 machine: the only reason it didn't work is because my Kali Linux machine 143 00:11:58,720 --> 00:12:02,710 uses the same network interface as my Windows 10 host machine. 144 00:12:03,130 --> 00:12:08,560 If you were to scan any other target except your host machine, this would work in every case.
145 00:12:09,470 --> 00:12:15,350 So for now, we looked at these two options, and in the next video I will just quickly mention a few 146 00:12:15,350 --> 00:12:20,600 more options used to evade security, and then we will proceed to vulnerability analysis, which is the 147 00:12:20,600 --> 00:12:23,930 last step before we start gaining access to our target.