Script firewall-bypass
Script types: hostrule
Categories: vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/firewall-bypass.nse
Script Summary
Detects a vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip.
The script works by spoofing a packet from the target server asking for opening a related connection to a target port which will be fulfilled by the firewall through the adequate protocol helper port. The attacking machine should be on the same network segment as the firewall for this to work. The script supports ftp helper on both IPv4 and IPv6. Real path filter is used to prevent such attacks.
Based on work done by Eric Leblond.
For more information, see:
Script Arguments
- firewall-bypass.helper
The helper to use. Defaults to ftp. Supported helpers: ftp (Both IPv4 and IPv6).
- firewall-bypass.targetport
Port to test vulnerability on. Target port should be a non-open port. If not given, the script will try to find a filtered or closed port from the port scan results.
- firewall-bypass.helperport
If not using the helper's default port.
Example Usage
nmap --script firewall-bypass <target>
nmap --script firewall-bypass --script-args firewall-bypass.helper="ftp",firewall-bypass.targetport=22 <target>
Script Output
Host script results:
| firewall-bypass:
|_ Firewall vulnerable to bypass through ftp helper. (IPv4)
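For a firewall that reports this result, the following added example (not part of the Nmap script or its documentation) audits the filter mentioned in the summary, assuming it refers to the Linux rp_filter sysctl (reverse path filtering) on the firewall host. The function names and the sample sysctl lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective IPv4 rp_filter mode per interface.
# Assumption: the firewall is Linux and exposes net.ipv4.conf.<if>.rp_filter.
# Kernel rule: effective value = max(conf/all, conf/<if>); 0=off 1=strict 2=loose.

rp_filter_audit() {
    # stdin: `sysctl -a` style lines; stdout: "<if> <effective> <mode>", sorted.
    awk -F'[ \t]*=[ \t]*' '
    $1 ~ /^net\.ipv4\.conf\..+\.rp_filter$/ {   # does not match arp_filter
        ifc = $1
        sub(/^net\.ipv4\.conf\./, "", ifc)
        sub(/\.rp_filter$/, "", ifc)
        val[ifc] = $2 + 0
    }
    END {
        all = ("all" in val) ? val["all"] : 0
        for (ifc in val) {
            # "all" and "default" are pseudo-entries, not interfaces; lo is skipped too.
            if (ifc == "all" || ifc == "default" || ifc == "lo") continue
            eff = (val[ifc] > all) ? val[ifc] : all
            if (eff == 1) mode = "strict"
            else if (eff == 2) mode = "loose"
            else mode = "off"
            print ifc, eff, mode
        }
    }' | sort
}

rp_filter_not_strict() {
    # Interfaces where spoofed source addresses are not strictly rejected.
    rp_filter_audit | awk '$3 != "strict" { print $1 }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'

printf '%s\n' "$SAMPLE" | rp_filter_audit
# On a live firewall: sysctl -a 2>/dev/null | rp_filter_not_strict
```

The rp_filter sysctl is IPv4-only, so this check says nothing about the IPv6 case the script also tests.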
Requires
Author:
- Hani Benhabiles
License: Same as Nmap--See https://nmap.org/book/man-legal.html