Firewall Penetration Testing – Part II

A firewall is a device that controls what enters and leaves an organization's network; it sits between the internal network and the outside world. Testing the firewall is an important part of any penetration test or security audit, and network scanning is the first activity that should take place during a penetration test. The firewall is the most common perimeter device for controlling ingress and egress traffic, and firewalls come in two types, stateful and stateless. Modern firewalls ship with fairly strict default rule sets, and vendors are far more security-aware than in previous years, but testing is still required to verify that the deployed ruleset works as intended and to identify areas for improvement.

Firewall rules are usually written to inspect packets and route them according to the source and destination fields in the packet headers. A TCP or UDP packet header carries four basic pieces of routing information:

source IP, source port | destination IP, destination port

Nmap uses raw IP packets to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what type of packet filters or firewalls are in use, and dozens of other characteristics. Nmap is useful for general firewall checks that help uncover weaknesses in the ruleset.

$ sudo nmap [target-IP]

By default this performs a TCP scan of the specified target. Add the nmap option -Pn to skip the ICMP host discovery step if ICMP replies are blocked.

$ sudo nmap -sS [target-IP]

This performs a TCP SYN scan, which is useful against firewalls that normally block ordinary port scans. The SYN scan sends TCP SYN packets without completing the connection (half-open), which places less load on the network.

$ sudo nmap -sA [target-IP]

This performs a TCP ACK scan, which reports whether ports are filtered or unfiltered. This type of scan can evade an IDS in most cases.

$ sudo nmap -sU [target-IP]

This performs a UDP scan, which inspects the UDP ports behind the firewall. Be aware of false positives with this scan: a packet can be sent, but without a reply it cannot be determined whether the firewall is alive, dead, or filtering.

$ sudo nmap -f [target-IP]

The -f option fragments the probe packets, which can help bypass a firewall; nowadays, however, modern firewall vendors block such scan requests.

$ sudo nmap -pXX -g26 [target-IP]

This scan spoofs the source port number. As mentioned above, the headers carry both source and destination port numbers. The spoofed source port is given with -g and the destination port with -p.
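Seen from the firewall side, the ACK scan and the fixed-source-port (-g) scan described above leave recognisable traces. The following Python script is an added example, not part of this article: it parses constructed iptables-style log lines (hypothetical sample traffic, not a real capture) and flags a source that uses one fixed source port against many destination ports, and a source sending bare ACK packets for which no SYN was ever seen.

```python
"""Flag fixed-source-port scans and bare-ACK probes in firewall log lines."""
import re
from collections import defaultdict

# Constructed sample lines in an iptables-like key=value format (not real traffic).
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=26 DPT=22 FLAGS=S
IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=26 DPT=80 FLAGS=S
IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=26 DPT=443 FLAGS=S
IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=26 DPT=3389 FLAGS=S
IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=26 DPT=8080 FLAGS=S
IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=22 FLAGS=A
IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=80 FLAGS=A
IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=40003 DPT=443 FLAGS=A
IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51522 DPT=443 FLAGS=S
IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51523 DPT=443 FLAGS=S
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+) FLAGS=(\S+)")


def parse(log):
    """Yield one dict per log line that matches the key=value layout."""
    for m in LINE_RE.finditer(log):
        src, dst, proto, spt, dpt, flags = m.groups()
        yield {"src": src, "dst": dst, "proto": proto,
               "spt": int(spt), "dpt": int(dpt), "flags": flags}


def detect(log, fanout=4, ack_probes=3):
    """Return (type, source IP, source port or None, distinct ports) findings."""
    fixed_sport = defaultdict(set)  # (src, spt) -> destination ports reached
    bare_acks = defaultdict(set)    # src -> destination ports hit by ACK with no SYN
    syn_seen = set()                # 4-tuples for which a SYN arrived earlier
    for r in parse(log):
        key = (r["src"], r["spt"], r["dst"], r["dpt"])
        if "S" in r["flags"]:
            syn_seen.add(key)
        # A client normally picks a fresh ephemeral source port per connection;
        # one source port spread over many destination ports is the -g pattern.
        fixed_sport[(r["src"], r["spt"])].add(r["dpt"])
        # An ACK with no prior SYN belongs to no session a stateful firewall knows.
        if r["flags"] == "A" and key not in syn_seen:
            bare_acks[r["src"]].add(r["dpt"])
    findings = [("fixed-source-port-scan", src, spt, len(d))
                for (src, spt), d in fixed_sport.items() if len(d) >= fanout]
    findings += [("ack-probe", src, None, len(d))
                 for src, d in bare_acks.items() if len(d) >= ack_probes]
    return sorted(findings, key=lambda f: (f[0], f[1]))
```

A stateful firewall should already be dropping the bare ACKs; a hit on the second detector with an "unfiltered" result from the scanner's side therefore points at a stateless rule.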