bypass filtered networks

How to Bypass and Evade Filtered Networks

Reading Time: 5 minutes

To defend a system or network against an attack, you should be conscious of attack methodologies, their true capacities, and their potential impacts. One of the most effective ways of understanding network security from the penetration tester or system administrator’s view is overcoming it. There are several tools available in the market for bypassing filtered networks, including Nmap and Hping3.

If you want to bypass filtered networks, you need to understand networks, packet filtering, scanning tools, and be aware of its protection and limitations.

Scan Type to Help Bypass Filtered Networks

There are several scan types worth trying to bypass filtered networks, considering that the target host type and target firewall rules determine the approach that will work.

Nmap Network Scanning

Network Mapper or Nmap is a free and open-source utility implemented for security auditing, network discovery, exploration, and administration. Nmap has emerged as one of the most powerful scanners that offer several features that help map and grasp intricate networks.

It initially began as a Linux utility and was ported to other systems like BSD, macOS, and Windows. Nmap is the most popular on Linux. It includes host discovery, version detection, port scanning, OS detection, and scriptable interaction with the target.

This tool supports numerous scan types such as UDP scan, ACK Scan, Connect Scan (by default), TCP scan, among others, and has a substantial amount of accessible scripts that can be applied during a vulnerability assessment process and scan executions.


This is a network tool that can be used to send custom TCP/IP packets and show target replies in much the same way as the ping program does with ICMP replies. Hping3 isn’t just capable of sending ICMP echo requests; it also supports UDP, TCP, RAW-IP, and ICMP protocol.

It can also handle TCP/IP stacks auditing, arbitrary packets body, and size, and can be applied to transfer files captured under supported protocols. Additionally, you can also use hping for advanced port scanning, firewall testing, manual path MTU discovery, remote uptime guessing, Remote OS fingerprinting, as well as network testing, using different protocols, fragmentation, and TOS.

Firewall Restrictions

A firewall is a critical element in securing your network. It is intended to tackle the challenge of data authentication and integrity through stateful packet inspection and guarantee the confidentiality of your internal network through NAT. There are three types of firewalls designed to control traffic flows, including packet inspection, packet filtering, and application.

Your network enjoys the above benefits from a firewall when it receives all transmitted traffic via the firewall. Although the benefits of including a firewall into your security strategy are obvious, there are certain limitations you’ll encounter.

  • Having a firewall doesn’t guarantee that you won’t make poor decisions.
  • A firewall cannot stop users or malicious actors with modems from dialing in and out of the internal network, therefore bypassing the firewall and its security entirely.
  • Having a firewall doesn’t mean you won’t be attacked if your security policy is too lax.
  • Firewalls cannot prohibit internal users from accessing websites with malicious code, making security awareness training critical for all users.
  • Firewalls cannot prevent misuse of passwords; neither can it impose your password policy for you. However, your password policy is important in this aspect since it defines appropriate conduct and establishes non-compliance consequences.
  • Likewise, firewalls are useless against non-technical security risks like social engineering attacks.

Bypassing Firewall Rules

Bypassing rules is often the major objective, even though mapping out firewall rules can be quite useful. A bypass rule describes a unique type of firewall rule created for media-focused protocols for which filtering may be unwanted.

You can generate this rule by choosing ‘Bypass’ as the action when crafting a new firewall rule. You should understand that the ‘Bypass action’ is different from the ‘Force Allow’ rule. Nmap applies various methods to achieve this, although they are largely useful against badly configured networks. Sadly, these instances are rather widespread.

Exotic Scan Flags

Nmap provides several scan techniques that are useful for bypassing firewalls and, at the same time, offering the required port state information. One such technique is the FIN scan. This is when an attacker sends a packet with only the FIN flag enabled. When this occurs, it usually means that the attacker is requesting the connection to be stopped; however, there was no recognized connection to terminate.

Other scan types you can try include, Window, Maimon, NULL, and SYN/FIN scans.

Source Port Manipulation

Amazingly, a general misconfiguration is to rely on traffic based solely on the source port number. However, there are more secure solutions to these types of issues, usually in protocol-parsing firewall modules or application-level proxies.

Nmap presents the -g and –source-port selections to manipulate these vulnerabilities. It is as simple as providing a port number, and from where possible, Nmap will send packets from that port. However, Nmap must implement diverse port numbers for some OS detection tests to function adequately.

Sadly, there are also simpler and more insecure solutions for this. Given that most DNS replies are derived from active FTP from port 20 and from port 53, several sysadmins have fallen victim just by permitting incoming traffic from those ports.

IPv6 Attacks

Although IPv6 is yet to be a global landmark excluding Japan and other regions where it is quite popular, it allows organizations to make a comparatively effortless transition. Filtering IPv6 can occasionally be more important than IPv4 due to the expanded address space, which usually permits the distribution of generally addressable IPv6 addresses to hosts that would otherwise have had to implement the private IPv4 addresses stipulated by RFC 1918.

Modern OS prefers IPv6 over legacy IPv4 and usually utilizes a rogue IPv6 connection by default, particularly if one is accessible. Executing an IPv6 scan instead of the default IPv4 scan is sometimes as simple as including -6 to the command line.

Nevertheless, whenever either the IPv4 or IPv6 is established for auto-configuration and there’re no configuration servers on the network, it is possible to introduce other attacks by initiating rogue servers to answer configuration requests.

Multiple Ping Probes

Another challenge with scanning through a firewalled network is that dropped ping probes can cause missed hosts. One solution to this issue is to use Nmap. Nmap permits an extremely large array of probes to be sent in parallel. All being well, no less than one should get through.

Evading Firewalls and Scripting

IDS (intrusion detection systems) and firewalls typically play a significant function in effectively defending the remote target from a security perspective since this software and hardware can block intrusions. However, where penetration testing is involved, you need to bypass these tools to obtain the appropriate outcomes; you’ll only be deceived. Both Nmap and hping3 are good network scanning tools on the remote target system.

Exploit Filtered Ports

You can apply hping3 frameworks to specify the firewall’s open ports; that way, you can utilize those ports for additional exploitation. You can use the command hping3 -S IP -c 100 -p ++1 to scan all the ports.  

Where -S represents SYN Packets, -c represents Packet count, and -p indicates the destination port with an augmented loop.

Why Does Your Organization Need a Penetration Tester?

Your organization needs a penetration tester to assess the present status of your organization’s current security measures and controls. During a pen-test, the IT security analyst or pen testers expect and replicate cyber-attackers’ actions before attempting to locate any network or vulnerabilities. You also need penetration testing to:

  • Safeguard your organization’s reputation and customer trust
  • Expose vulnerabilities before cyber-attackers can exploit them
  • Allow regulatory compliance
  • Minimize network downtime
  • Implement an extremely effective security control and measure

EC-Council Certified Penetration Testing Professional (CPENT) Program

The EC-Council’s Certified Penetration Tester (CPENT) program gives you the hands-on training you need to know how to execute an efficient penetration test in an enterprise network environment that must be evaded, attacked, defended, and exploited. Likewise, the CPENT Challenge Edition is an affordable learning resource that offers a refresher in subjects such as IoT, binary analysis, SCADA, and ICS.

Furthermore, by taking the CPENT program, you’ll learn how to double-pivot to access hidden networks, Pen Test IoT systems, and OT systems, how to bypass filtered networks and customize scripts or exploits to get into the deepest parts of the network. To get details on plans and pricing, enroll now!

get certified from ec-council
Write for Us