Sunday, April 30, 2006

Bypassing Firewalls Restrictions

In this article some (basic) known methods to bypass firewalls are presented.
Firewalls are software or hardware applications that control the traffic that
passes between the internet and the local computer. A hardware firewall is generally
built into a router. The router is a physical device that receives all internet
traffic (in the form of ‘packets’) and sends it to each computer in the LAN.
It also sends information from inside the LAN to the internet. Hardware firewalls
usually only filter or block the inbound traffic, that is, the traffic that
comes from the internet to a computer or computers inside the LAN; connections
opened from inside the LAN towards the internet are normally let through.
Software firewalls filter/block both inbound and outbound traffic. When
a connection from outside the local computer is being established,
a message shows up asking whether to allow it or not. The same happens if an
application or service tries to reach some service on the internet: a
message is displayed asking whether you allow the application to access the
internet or not.
The methods are discussed with a Windows OS environment in mind, but of course
they are not restricted to Windows and can be used on other operating systems as well.

Method 1: -IP Spoof-

In this method the IP address of the machine is changed to bypass firewall rules.
(Strictly speaking this is re-addressing rather than packet-level spoofing: the host
takes a new, legitimate-looking address, so replies still come back to it.)
For example, if inside a LAN a hardware firewall has rules set up to
block a specific IP address or range of IP addresses, changing
the current IP address to one outside that range bypasses the rule.
To change the IP address go to “Start”, then “Run”, and type CONTROL.EXE.
The control panel will open. Now click on the item ‘Network Connections’.
Select the connection that is in use and right-click on it. The properties
dialog will show up. Double-click on “Internet Protocol (TCP/IP)” to
open a new window. Select the option “Use the following IP address”
and fill in the fields:

IP ADDRESS: here type an IP address that belongs to the IP range allowed
on your LAN. Usually LANs hand out IPs starting with 192.168.x.y, where x and y
are numerical values inside a range established by the DHCP server of
the LAN. Supposing the DHCP server hands out IPs from 192.168.0.2 - 192.168.100.254,
then you can put any IP address you want inside that range that is NOT
being used by any other machine inside the LAN (ping the candidate first; a
duplicate address produces an “IP address conflict” warning on both machines
and gets noticed). Also, this IP address must not fall inside the firewall's
restricted range. For example, if the firewall rule was set up to deny internet
access to IP addresses from 192.168.1.1 - 192.168.90.254, then you can change the
IP address to something like 192.168.91.1, supposing this IP address is not in use by
another machine.

Subnet Mask: usually 255.255.255.0. It has to match the LAN's real mask: with
255.255.255.0 the new address must be in the same /24 as the gateway (192.168.91.1
cannot reach a gateway at 192.168.0.1 through that mask), so on a LAN that really
spans 192.168.0.0 - 192.168.100.255 the mask is wider, e.g. 255.255.0.0. IPCONFIG shows
which one is in use.

Default Gateway: here you type the IP address of the router, often
192.168.0.1. To see the IP of your gateway, go to “START” - “RUN” and type
%comspec%. The MS-DOS prompt will show up. Now type IPCONFIG /ALL. You will
see not only the current IP address of your machine but also the default gateway
IP address, the DNS server addresses, the MAC address of your Ethernet adapter
and so on. Copy down the MAC address, the gateway and the DNS server IPs,
because this information will be needed below.

In the DNS servers section:
Preferred DNS server: put the IP address of the DNS server of your area.
You have it in the IPCONFIG output and should have copied it as stated above.
For example 65.65.76.76

Alternate DNS server: here you put the IP address of an alternative DNS
server of your area; again you should have copied this as well.
For example 65.65.76.80

Click on “APPLY” and close.

Now your IP address should change. Supposing you put an IP address that is not
in the firewall's restricted range, you will now be able to access all the
services listed in the restriction. For example, if the rule covers well-known
services like Telnet, FTP, rlogin, web services and POP3, you will now be
able to access these services remotely and use them.
For example, if a machine inside your LAN runs telnet and accepts logins from
all computers except those in the firewall IP rule, you will now be able to
connect to that machine using telnet, or even to a computer outside your LAN, e.g.
your home computer running a telnet server. You will also be able to browse the
internet normally. (This only works while the firewall identifies the machine by its
source IP address alone; if the address is tied to the adapter's MAC, e.g. by a
DHCP reservation or a static ARP entry, the MAC has to go too, see Method 2.)

METHOD2: -MAC Address Spoof-

Some firewalls also configure MAC address rules and restrict some MAC addresses
from accessing the internet or any other listed services.
Each network adapter has a (nominally unique) MAC address (physical address); this is
a 6-byte value. It appears like this: xx-xx-xx-xx-xx-xx, written in hexadecimal digits
(numbers and the letters a-f), e.g. 00-10-00-b5-03-f8. Supposing this is your MAC address
and the firewall was set up to restrict the computer with that MAC from accessing the internet, FTP and
rlogin, then the computer with this MAC will not be able to access the
internet and won't be able to connect to other machines using FTP or rlogin.
If you change your MAC, you won't be restricted anymore.
To change the MAC address of your Ethernet adapter you can use tools or manually
change it via the registry in Windows XP (the adapter's NetworkAddress value under
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn),
but that is a bit fiddly, so it is easier to use the tools available on the internet.
A very nice program that sniffs traffic, cracks passwords, lists shares and spoofs IPs
and MAC addresses is Cain & Abel, available at
http://oxid.it . Another tool that changes the MAC is “MAC Make Up”, available at
http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
Open this tool and select the Ethernet adapter currently in use. In the field
“MAC ADDRESS” type your new MAC address in the form xxxxxxxxxxxx,
e.g. 001000b503f9, and hit the “CHANGE” button to change it. To complete the operation
go to the control panel (“START” - “RUN” - type CONTROL.EXE) and double-click
“SYSTEM”. Now click on “Device Manager” (under Windows XP you first
have to click the “Hardware” tab and then “Device Manager”).
In the Device Manager select Network adapters, then select the adapter
whose MAC address you have just changed and disable and re-enable it.
Now your MAC should have changed and you are able to access those services that
were restricted before. Sometimes, depending on the firewall's restrictions, you will
have to change both IP and MAC address to bypass the rules.
Two caveats: many drivers (especially newer ones) only accept a replacement address
with the locally-administered bit set (second-lowest bit of the first byte, so first
bytes like 02, 06, 0A or 0E), and a switch port configured with port security (a fixed
MAC per port) will shut itself down when the new address appears instead of passing it.
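The two procedures above come down to choosing an address pair that the firewall rules do not cover and the LAN will still route. The script below is an added example, not from the original article: it parses the text of `ipconfig /all` (a constructed sample in the Windows XP layout, not a real capture), picks a free static IP that lies inside the DHCP scope, inside the gateway's subnet according to the adapter's mask, and outside the firewall's denied range, and derives a replacement MAC that keeps the vendor prefix but sets the locally-administered bit. The DHCP scope, the denied range, the addresses already in use and the new low bytes of the MAC are assumptions for the demo.

```python
"""Added example, not from the original article: planning the new IP/MAC pair
for Method 1 and Method 2 before changing anything in Windows.

It reads the text of `ipconfig /all` (a constructed sample is embedded),
picks a free static IP inside the DHCP scope, inside the gateway's subnet and
outside the firewall's denied range, and derives a replacement MAC that keeps
the vendor prefix but sets the locally-administered bit. The DHCP scope, the
denied range and the addresses already in use are assumptions for the demo."""
import ipaddress
import re

# Constructed `ipconfig /all` output in the Windows XP layout (not a real capture).
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION7

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-10-00-B5-03-F8
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.37
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 65.65.76.76
                                            65.65.76.80
"""

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Fields of the first Ethernet adapter as {lower-case label: value}.
    A line with no label (the second DNS server) continues the previous
    field, which then becomes a list."""
    fields, last, in_adapter = {}, None, False
    for line in text.splitlines():
        if line.startswith("Ethernet adapter"):
            in_adapter = True
        elif in_adapter and line.strip():
            m = _FIELD.match(line)
            if m:
                last = m.group(1).strip().lower()
                fields[last] = m.group(2).strip()
            elif last:
                prev = fields[last]
                fields[last] = (prev if isinstance(prev, list) else [prev]) + [line.strip()]
    return fields

def pick_static_ip(fields, dhcp_scope, denied, in_use):
    """First address in the DHCP scope that is on the gateway's subnet (per
    the adapter's mask), outside the firewall's denied range and not taken.
    Returns None when no such address exists, e.g. a /24 mask whose whole
    subnet is denied."""
    gateway = ipaddress.ip_address(fields["default gateway"])
    subnet = ipaddress.ip_network(f"{gateway}/{fields['subnet mask']}", strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_scope)
    dlo, dhi = (ipaddress.ip_address(a) for a in denied)
    taken = {ipaddress.ip_address(a) for a in in_use} | {gateway}
    addr = lo
    while addr <= hi:
        if addr in subnet and not dlo <= addr <= dhi and addr not in taken:
            return str(addr)
        addr += 1
    return None

def parse_mac(text):
    """Accept 00-10-00-b5-03-f8, 00:10:00:b5:03:f8 or 001000b503f8 -> 6 bytes."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def replacement_mac(current, low_bytes):
    """Keep the 3-byte vendor prefix, swap in new low bytes, set the
    locally-administered bit (0x02 of byte 0) and clear the multicast bit
    (0x01): drivers that refuse arbitrary addresses still accept this form."""
    mac = bytearray(parse_mac(current))
    mac[3:6] = bytes(low_bytes)
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)

def mac_makeup_format(mac):
    """12 hex digits, no separators: what MAC Make Up and the registry
    NetworkAddress value expect."""
    return mac.hex()

def windows_format(mac):
    """The xx-xx-xx-xx-xx-xx form ipconfig prints."""
    return "-".join(f"{b:02X}" for b in mac)

def plan(ipconfig_text=SAMPLE_IPCONFIG,
         dhcp_scope=("192.168.0.2", "192.168.100.254"),
         denied=("192.168.1.1", "192.168.90.254"),
         in_use=("192.168.0.37",)):
    """Everything needed for the TCP/IP properties dialog and MAC Make Up."""
    f = parse_ipconfig(ipconfig_text)
    mac = replacement_mac(f["physical address"], (0xB5, 0x03, 0xF9))
    return {"ip": pick_static_ip(f, dhcp_scope, denied, in_use),
            "mask": f["subnet mask"], "gateway": f["default gateway"],
            "dns": f["dns servers"], "mac": mac_makeup_format(mac)}
```

Run against the article's own numbers, `plan()` points out that a rule denying 192.168.1.1 - 192.168.90.254 still leaves 192.168.0.2 - 192.168.0.254 open, so the first free address is 192.168.0.2, not 192.168.91.1; and with a 255.255.255.0 mask and the whole 192.168.0.x block denied there is no usable address at all, which is the mask caveat from Method 1. On XP the values returned here can be applied from the prompt instead of the dialog with `netsh interface ip set address name="Local Area Connection" static <ip> <mask> <gateway>` and `netsh interface ip set dns name="Local Area Connection" static <dns>`.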

METHOD3: -Reverse Connection-

If you use a reverse connection you can also bypass hardware firewalls.
A reverse connection is nothing more than the target server connecting to the client
instead of the client connecting to the target server:

Client:20 <------- Target Server:30
Target Server:30 --------> Client:20

A bi-directional connection between the 2 sides has been established.
Normally hardware firewalls only filter/block the inbound traffic, meaning that if a
computer outside a LAN tries to connect to a computer inside a LAN that is behind a
router/hardware firewall it will run into errors like “could not connect to the remote
computer” and so on, whereas a connection opened from the inside is allowed and its replies
come back through the same hole. You must note that this method will only work if the IP address
of the computer behind the router is not restricted from accessing the internet altogether. If only
some ports were blocked in the firewall rule, then this method is better than IP spoofing
since it doesn't change anything, it just creates a ‘tunnel’. It is also good to use this
when a specific website, or a keyword for a service or website, was used in the firewall
restriction, or when you don't have access to the firewall configuration and want
someone outside the LAN to access some service of the computer inside the LAN.
There are tools that create a tunnel between the target server and the client.
These are the TCP/UDP port redirectors. A nice GUI (graphical user interface) tool is
“WinIPRelay”. Get it at http://voodootechs.com and open it.
Click the button “ADD RELAY”.

In the field “Local Port” type the port on the local computer you want to use for the
connection. Make sure it is not blocked or already in use.

In the field “Remote Host” type the IP address or, if it is a website, its host name.

In the field “Remote Port” type the port on the remote computer that the relay will connect
to, e.g. if it's a website then the port will usually be 80; if it is a service like
Telnet the port is 23. If the remote computer wants to access a service on your computer
(the one behind the LAN) then the remote port must be set up beforehand there, on the remote
computer, and then you type it in this field.

In the field “Connection Timeout” type a numerical value to set the time in seconds that
the connection will be kept established.

Click OK. Supposing the service you wanted to access is a website, e.g. www.msn.com, and the
local port you chose is 40, then you just open your internet browser and type 127.0.0.1:40
and the msn.com webpage will be displayed. Note that port 40 must not be blocked. (A relay
running on the same machine does not get you past an outbound filter by itself: it still opens
an outbound connection to www.msn.com:80, which the firewall sees. What it changes is which
application and local port the connection is attributed to, and it becomes a real bypass when
the relay runs on a host that is allowed out.)

Now suppose you want your friend to access your telnet server on port 23. If he tries a direct
connection he won't be able to connect, so he must open a port on his computer and start
listening for connections. Suppose the chosen port is 55 and his IP address is 33.33.33.33.
Open “WinIPRelay” and set the local port to 23, the remote host to 33.33.33.33, the remote port
to 55 and the connection timeout to 999. Your side now opens the outbound connection to
33.33.33.33:55 and couples it to your telnet service; his end must join that incoming connection
to his local telnet client, so when he opens his command prompt and types
telnet 127.0.0.1 55 he is reverse-connected to your telnet server. (Note that a plain
local-port-to-remote-host redirector cannot bind local port 23 while the telnet server already
owns it; the tool on the inside has to be one that connects out and bridges that socket to the
local service, and the listener on port 55 has to accept both his telnet client and your
connection and splice them together.)

HTTP Tunnel –> a bi-directional/reverse connection between 2 hosts that uses port 80 on the
computer behind the LAN and carries the traffic inside ordinary HTTP requests, so that a
firewall or proxy which only lets web traffic through still passes it.
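Both relay shapes described in this method (the “ADD RELAY” forward redirector and the reverse connection for the friend scenario) are short enough to write with plain sockets. The block below is an added example, not from the original article and not WinIPRelay's code: `forward_relay()` listens on a local port and splices each client onto remote host:port; `reverse_relay_inside()` is the machine behind the firewall dialling out and bridging that already-open socket to its own local service, and `reverse_relay_outside()` is the friend's listener that joins the incoming connection to his local telnet client. `demo()` runs every role on 127.0.0.1 with an echo server standing in for the telnet server; the OS picks the ports and the payload is made up.

```python
"""Added example, not from the original article and not WinIPRelay's code:
the two relay shapes behind Method 3, using plain Python sockets.

forward_relay() is what the “ADD RELAY” dialogue sets up: accept on a local
port, connect to remote host:port, splice the two. reverse_relay_inside() and
reverse_relay_outside() are the friend scenario: the machine behind the
firewall dials OUT to the friend's listener, then bridges that already-open
socket to its own local service, so nothing ever has to get in through the
firewall. demo() runs every role on 127.0.0.1, with an echo server standing
in for the telnet server; ports are chosen by the OS and the payload is
made up for the demo."""
import socket
import threading

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def bridge(a, b):
    """Splice two connected sockets both ways; returns once both directions hit EOF."""
    t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
    t.start()
    _pipe(a, b)
    t.join()
    a.close()
    b.close()

def listener(port=0):
    """Bound, listening TCP socket on 127.0.0.1 (port 0 lets the OS pick)."""
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s

def port_of(sock):
    return sock.getsockname()[1]

def forward_relay(local, remote_host, remote_port):
    """Local port -> remote host:port for one client (loop it for a daemon).
    The firewall still sees the relay's own outbound connection."""
    client, _ = local.accept()
    bridge(client, socket.create_connection((remote_host, remote_port)))

def reverse_relay_outside(control, client_side):
    """Friend's side: wait for the inside host to dial in on `control`, then
    hand that connection to whoever connects locally on `client_side`
    (his `telnet 127.0.0.1 55`)."""
    inside, _ = control.accept()
    client, _ = client_side.accept()
    bridge(client, inside)

def reverse_relay_inside(outside_host, outside_port, service_host, service_port):
    """Firewalled side: one outbound connect to the friend, then splice it
    onto the local service (the telnet server on 23)."""
    outbound = socket.create_connection((outside_host, outside_port))
    bridge(outbound, socket.create_connection((service_host, service_port)))

def echo_service(sock):
    """Stand-in for the telnet server: echo one client's bytes back."""
    conn, _ = sock.accept()
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)

def _read(sock, n):
    buf = b""
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    return buf

def demo(payload=b"hello through the tunnel"):
    """Run both relays on localhost; return what each one echoed back."""
    svc = listener()                      # the service to expose (telnet stand-in)
    for _ in range(2):                    # one echo handler per relay
        threading.Thread(target=echo_service, args=(svc,), daemon=True).start()
    out = {}

    # Forward: browser -> 127.0.0.1:<local> -> relay -> service
    local = listener()
    threading.Thread(target=forward_relay, args=(local, "127.0.0.1", port_of(svc)),
                     daemon=True).start()
    with socket.create_connection(("127.0.0.1", port_of(local))) as c:
        c.sendall(payload)
        out["forward"] = _read(c, len(payload))

    # Reverse: inside dials out to the friend's control port; the friend's
    # telnet client connects to his own client_side port (port 55 in the text).
    control, client_side = listener(), listener()
    threading.Thread(target=reverse_relay_outside, args=(control, client_side),
                     daemon=True).start()
    threading.Thread(target=reverse_relay_inside,
                     args=("127.0.0.1", port_of(control), "127.0.0.1", port_of(svc)),
                     daemon=True).start()
    with socket.create_connection(("127.0.0.1", port_of(client_side))) as c:
        c.sendall(payload)
        out["reverse"] = _read(c, len(payload))
    return out
```

The half-close in `_pipe` matters: when one side finishes sending, the relay shuts down only the write direction of the other socket, so a protocol like telnet that keeps talking after one side's EOF still works, and both relays tear down cleanly once both directions are done. In the reverse case the only packet the LAN firewall ever inspects is the SYN from the inside host to port 55, which is ordinary outbound traffic.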

METHOD4: -DLL Injection-

This method is used to bypass software firewalls. We know software firewalls filter not only
the outbound traffic but also the inbound traffic. If an application is contacted from a
remote computer the software firewall pops up a warning message asking whether you want
to allow it or not. Known applications like Windows Explorer, Generic Host Process for Win32
Services (svchost.exe), Internet Explorer, NT's System and kernel, etc. will probably be present in the
firewall's permitted applications, since they are authentic applications used by the system to
perform important operations, and they also sometimes have to connect to the internet to update
something, complete a task or access some website (Internet Explorer).
Knowing a firewall-trusted application, it is possible to create a DLL file
(application extension) that gets loaded into the trusted application's process; the
connections it then opens are attributed to the trusted program and so bypass the
firewall. If this were an ordinary application (EXE file) the firewall would pop up a warning
asking whether to allow or deny that application receiving a connection from the internet, or
connecting to a remote service or computer (accessing the internet).
Using some programming language such as Visual Basic, Delphi, C++, etc. it is possible to
code a DLL and get it loaded into a trusted application (through a Windows hook or a thread
created in the target process, for example), and this way the firewall's per-application check is
bypassed. It can happen, depending on the protocol and/or port used in the
connection, that the firewall still filters it and shows the warning message, but the application
named in the warning is a known and trusted one, so you still have a good
chance of tricking the user or the system administrator.
Notice: some firewalls detect this method, warning that application X is trying to access the
internet via trusted application Y; they do so by checking which module inside the process
issued the network call, or by noticing that another process wrote into the trusted one.

METHOD5: -Direct Code Injection-

This basically consists in injecting code directly into a legitimate application without using DLLs.
An external application ‘patches’ the legitimate application by adding custom code to it
without corrupting the application. If successful, when the legitimate application is executed the
custom code is also loaded. This changes the legitimate application's checksum on disk.
Firewalls like Zone Alarm PRO will detect this method since they check for changes in
application checksums.

METHOD6: -Firewall Disable-

This is probably one of the least advisable methods, since users and system administrators will
get suspicious.
It basically consists in disabling/terminating the firewall's services and processes.
Some firewall software registers its components as services in Windows NT/2000/XP/2003, or adds
a value to the RunServices section of the Windows registry on Windows 95/98/ME. These services
are usually configured to start automatically at every Windows start. If we terminate the
firewall's running processes and stop its services, they will no longer work and therefore
will not filter any connections, leaving the computer unprotected. The processes are
normal applications that run automatically at Windows start and have a name with the EXE
extension (process.exe). The services are special applications with configured data such
as name, start type, error control, security settings, etc. The service entry has an image path
pointing to its application.
Nowadays some firewalls have components that cannot be terminated or stopped, others pop up a
warning message when they are terminated or stopped, and some keep a kernel driver loaded that
fails closed, blocking all traffic while the user-mode service is down. So this method is not
recommended and should be used only as a last resort since it will cause suspicion.

METHOD7: -”Trusted Website acting as Proxy”-

Suppose you have a well-configured firewall that won't allow your computer to access some sites.
It will probably use keywords such as ‘MSN’ or ‘ICQ’, so any URL that has ‘icq’ or ‘msn’ in the
link will be automatically blocked. You could try using the website's IP address, but this method
is old and lots of firewalls have a kind of ‘nslookup’ feature that will check whether that IP
address is related to a blocked name/keyword; if it is, access to the site will
be denied. Let's suppose the firewall has a list of websites that you can access and luckily
Google is allowed. You can use Google's translation engine to access the blocked website. It
will act as a proxy (bridge) between your computer and the target website. All you have to do is
type the URL on the translation page and there you go. There might be other websites with similar
features, just search around, and if you are lucky enough access to some of those sites with a
similar feature will be allowed. Two things to expect: logins, forms and scripts on the target
site often break when they pass through the translator, and the blocked name still appears in
the query string of the request, so a filter that matches keywords against the whole URL
rather than only the host name catches it anyway.
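The difference between a filter that the translation trick beats and one it does not comes down to where the keyword match is applied. The block below is an added example, not from the original article: `hostname_filter()` is the weak check that only looks at the host the browser connects to, `deep_filter()` is the hardened one that unwraps every URL carried in the query string (a translator or proxy passes the target as a parameter) and applies the same host test to each. The block list, the URLs and the query-parameter shape of the proxy URL are assumptions for the demo.

```python
"""Added example, not from the original article: why a keyword filter that
looks at the host name lets the “translation engine as proxy” trick through,
and the check that closes it. The block list, the URLs and the shape of the
proxy URL (target passed in a query parameter) are assumptions for the demo."""
from urllib.parse import parse_qsl, unquote, urlsplit

BLOCKED_KEYWORDS = ("msn", "icq")  # constructed block list

def hostname_filter(url, keywords=BLOCKED_KEYWORDS):
    """Weak: tests only the host the browser actually connects to."""
    host = (urlsplit(url).hostname or "").lower()
    return any(k in host for k in keywords)

def _carried_urls(url, depth=3):
    """Yield url and every URL-looking value in its query string, recursively,
    so http://proxy/?u=http://other/?u=www.msn.com is fully unwrapped."""
    yield url
    if depth == 0:
        return
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)  # handles double-encoded targets
        if "://" in value or value.startswith("www."):
            inner = value if "://" in value else "http://" + value
            yield from _carried_urls(inner, depth - 1)

def deep_filter(url, keywords=BLOCKED_KEYWORDS):
    """Hardened: apply the same host test to every URL the request carries,
    including a target smuggled inside a translator or proxy query."""
    return any(hostname_filter(u, keywords) for u in _carried_urls(url))
```

The depth limit keeps a deliberately nested URL from turning the check into unbounded recursion. Resolving a numeric host back to a name (the article's ‘nslookup’ behaviour) is a separate step that would sit in front of `hostname_filter()`; it is not shown here.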

Method8: -”Legitimate application spoof or replace”-

This method basically consists in creating an application with characteristics similar to a trusted
application, or replacing a legitimate application with a specially crafted one.
On Microsoft Windows systems there are some applications you have to allow through the firewall for
internet access, such as the default web browser (Internet Explorer), automatic updates, the services.exe
application, etc. You could deny them internet access, but then you might lose functionality.
Let's target the default web browser: Internet Explorer.
All we have to do here is fake a legitimate application. You create an application that waits for
connections (a server) and give it the same name as the legitimate one: ‘iexplore.exe’. We don't stop here.
Let's replace this application's icon with the default Internet Explorer icon. Let's also set the version
properties like company name and file description to the same as Internet Explorer's, which are
Microsoft Corporation and Internet Explorer respectively. Now place it in a folder that won't
make people suspicious. Don't put it in the Windows directory because this has already been widely used. Put it
for example in c:\program files or in c:\program files\Internet Expl0rer. Yes, it is ‘0’ (zero), not ‘O’.
Perhaps you could place it in the same directory as the legitimate application but name it iexpl0re.exe.
Use your imagination.
You can also replace the legitimate application, but you must be careful, since there are lots of shortcuts
to Internet Explorer around the machine, and they all point to
“%ProgramFiles%\internet explorer\iexplore.exe”, so in this case you would also have to change
the shortcuts' properties (and on Windows XP, Windows File Protection may quietly put the original
file back).
Note that firewalls like Zone Alarm PRO will detect files that have been modified/replaced and will
pop up a warning message telling that the application has changed. It is a very good feature: it
compares the current file's checksum with the original one (the file that was given permission in
the past) and if it is different it warns! A firewall that keys its rules on the full path plus
checksum rather than the file name alone is likewise not fooled by a look-alike iexplore.exe in
another folder.

Method9: -”Application Checksum Spoof”-

This is a very theoretical method. I don't know if it will defeat firewalls like Zone Alarm Pro…
Some time ago an article about MD5 collisions was posted on the internet. It described a weakness in
the MD5 checksum that allows 2 applications to have the same MD5 checksum. A demo program was posted
on the internet that would make 2 applications have the same MD5 checksum. As I never tested it, I
cannot say anything, just theory.
So, if you are able to learn the MD5 checksum of a legitimate application, create another application
whose checksum is the same as the legitimate one's, and then replace the legitimate one with yours,
it would theoretically bypass firewalls that check for changes in file checksums.
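The checksum check that Methods 5 and 8 run into, and the weakness Method 9 speculates about, can be shown side by side. The block below is an added example, not from the original article and not Zone Alarm's code: `baseline()` and `changed()` model a firewall that records a digest of each approved program and re-checks it before letting the program talk to the network, and `COLLISION_A`/`COLLISION_B` are the published 2004 Wang, Feng, Lai and Yu MD5 collision pair, two 128-byte blocks that differ in six bytes yet share one MD5. `collision_pair()` shows why that is enough in practice: because MD5 works block by block, any common suffix appended to both keeps the collision, so a program can be built from one of the two blocks plus shared code that reads itself and branches on which block it carries, which is how the demonstrations the article mentions produced a benign file and a malicious file with the same hash. The program path and contents are constructed for the demo.

```python
"""Added example, not from the original article and not Zone Alarm's code:
the checksum check that catches Method 5 (patched binary) and Method 8
(replaced iexplore.exe), and why Method 9 is not purely theoretical if that
check uses MD5. COLLISION_A/COLLISION_B are the published 2004 Wang/Feng/
Lai/Yu MD5 collision pair (two 128-byte blocks that differ in six bytes and
share one MD5). Program path and contents are constructed for the demo."""
import hashlib

COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()

def baseline(programs, algo):
    """What the firewall stores when it grants access: {path: digest}."""
    return {path: digest(body, algo) for path, body in programs.items()}

def changed(base, path, body, algo):
    """Re-check before letting `path` talk to the network: True when the
    file on disk no longer matches the approved digest."""
    return base.get(path) != digest(body, algo)

def collision_pair(suffix):
    """Two files with the same MD5 that share everything except the colliding
    block. MD5 consumes 64-byte blocks and both messages leave it in the same
    internal state, so any common suffix preserves the collision. The pair
    only works at the very start of the file, because it was computed from
    MD5's standard initial value; put anything in front of it and the
    collision is gone. A program built this way can read itself and branch
    on which block it carries."""
    return COLLISION_A + suffix, COLLISION_B + suffix

def demo():
    """Approve the benign twin, then swap in the other: MD5 misses the swap,
    SHA-256 catches it."""
    benign, swapped = collision_pair(b"...rest of the program image (constructed)...")
    path = r"C:\Program Files\Internet Explorer\iexplore.exe"  # assumed path
    return {algo: changed(baseline({path: benign}, algo), path, swapped, algo)
            for algo in ("md5", "sha256")}
```

A byte-level patch of the approved file (Method 5) or a look-alike dropped over it (Method 8) is caught by either digest; only the prepared collision twin slips past the MD5 baseline, and only because the attacker controlled both files from the start. Comparing path and a SHA-256 digest, rather than MD5 alone, is the fix on the firewall side.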

-Conclusion-

This article has shown some nice and known methods to bypass hardware and software
firewall restrictions, with some details. Sometimes one method alone may not work, but if
we combine two or more methods we may be able to bypass the firewalls.
