How to Bypass Internal Firewalls and Achieve Lateral Privilege Movement

This article explains the core logic of internal firewalls, outlines practical techniques for bypassing boundary, segmentation, and host firewalls—including legitimate‑port tunneling, rule‑configuration flaws, jump‑host exploitation, and tunneling methods—and then details step‑by‑step credential‑reuse and tool‑abuse strategies for stealthy lateral movement within a compromised network.

Black & White Path

1. Internal Firewall Logic

1.1 Deployment Types

Boundary firewall : placed between the Internet and the internal network; controls inbound/outbound traffic; typically opens business ports such as 80/443 and blocks high‑risk ports (e.g., 22, 445, 135).

Segmentation firewall : deployed between VLANs; isolates network segments and enforces IP/MAC‑based access control.

Host firewall : runs on each host (Windows Defender, iptables, third‑party agents); protects the single machine from other internal hosts.

1.2 Protection Principle

Rule matching : traffic is matched against the most specific allow/deny rule; default policy is usually deny.

Traffic detection : basic detection (IP/port/protocol) and deep detection (payload, process association).

Rule bugs : most bypass opportunities stem from mis‑configured rules (over‑open ports, redundant or conflicting rules) rather than firewall code flaws.

2. Bypass Techniques

2.1 Boundary Firewall

Use legitimate ports : encapsulate malicious traffic inside allowed HTTP/HTTPS traffic. Example – after obtaining a low‑privilege foothold on a workstation, deploy an HTTP tunnel tool such as reGeorg or EarthWorm and forward internal traffic through port 80 to an external server.

Exploit rule‑configuration flaws :

Over‑open high‑risk ports (e.g., 445, 135) without source‑IP restrictions.

Priority confusion where a low‑priority allow rule overrides a high‑priority deny rule.

Missing source‑IP constraints on allowed ports (e.g., unrestricted RDP 3389).

Improper UPnP exposure that maps internal services to the Internet.

Before exploiting, collect firewall configuration files or perform stealthy port scans to confirm the exact rule set.
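As an added example (not code from the article), a small first‑match rule audit in Python that models the rule‑evaluation logic from section 1.2 and flags the configuration flaws listed above: a high‑risk port reachable from an unrestricted source, an allow rule that shadows a deny for the same port, and a default policy other than deny. The rule set, names and probe address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports the article treats as high-risk on a boundary firewall.
HIGH_RISK_PORTS = (22, 135, 445, 3389)

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    port: Optional[int]          # None matches any destination port
    src: str = "0.0.0.0/0"       # permitted source range; default is unrestricted
    priority: int = 100          # lower number is evaluated first

# Constructed rule set with two of the flaws from 2.1: SMB open to any source,
# and an RPC allow that is evaluated before the deny that was meant to block it.
SAMPLE_RULES = [
    Rule("web", "allow", 80, priority=10),
    Rule("tls", "allow", 443, priority=10),
    Rule("smb-any", "allow", 445, priority=20),
    Rule("rdp-admins", "allow", 3389, src="10.0.0.0/8", priority=20),
    Rule("rpc-temp", "allow", 135, priority=40),
    Rule("deny-rpc", "deny", 135, priority=50),
]

def first_match(rules: List[Rule], port: int, src_ip: str) -> Optional[Rule]:
    """First-match evaluation in priority order; None means the default policy applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.port in (None, port) and ip in ipaddress.ip_network(r.src):
            return r
    return None

def audit(rules: List[Rule], default: str = "deny", probe_ip: str = "203.0.113.7") -> List[str]:
    """probe_ip is an arbitrary external address used to test source restrictions."""
    findings = []
    if default != "deny":
        findings.append(f"default policy is {default}, not deny")
    for port in HIGH_RISK_PORTS:
        hit = first_match(rules, port, probe_ip)
        if hit and hit.action == "allow":
            findings.append(f"port {port} reachable from {probe_ip} via '{hit.name}' (src {hit.src})")
    for d in rules:   # a deny that never fires because an earlier allow covers the same port
        if d.action != "deny" or d.port is None:
            continue
        hit = first_match(rules, d.port, probe_ip)
        if hit is not None and hit is not d and hit.action == "allow":
            findings.append(f"deny rule '{d.name}' is shadowed by allow rule '{hit.name}'")
    return findings
```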

Leverage legitimate service proxies : obtain valid credentials (phishing) for an allowed outbound service such as VPN, proxy or mail server and use it as a proxy to reach the internal network.

Tunneling techniques (used when other methods fail):

DNS tunnel – encapsulate data in DNS queries (e.g., dnscat2) using port 53.

ICMP tunnel – embed traffic in ping packets when ICMP is allowed.

SSL tunnel – wrap traffic in TLS over port 443; encrypted payload bypasses DPI.

Keep traffic volume low to avoid anomaly detection.
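A detection‑side example, added here and not part of the article: a scorer for resolver logs that picks out the DNS‑tunnel pattern described above (many distinct, long, high‑entropy subdomains under one registered domain), which is what a defender relies on when query volume is kept low. The log format, domain names and thresholds are constructed for illustration; a production version would use the public suffix list rather than the last two labels.

```python
import hashlib
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client> <qname> <qtype>".
# Four benign lookups, then six queries whose subdomains carry encoded data chunks.
_TUNNEL_QNAMES = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".t.attacker-example.net"
                  for i in range(6)]
SAMPLE_LOG = [
    "2024-05-01T10:00:01 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02 10.0.0.5 mail.example.com A",
    "2024-05-01T10:00:03 10.0.0.6 cdn.example.com A",
    "2024-05-01T10:00:04 10.0.0.5 www.example.com A",
] + [f"2024-05-01T10:01:0{i} 10.0.0.9 {q} TXT" for i, q in enumerate(_TUNNEL_QNAMES)]

def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payload labels sit near 4, dictionary words near 2-3."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def split_domain(qname: str):
    """Return (subdomain, registered domain); the last two labels stand in for the PSL."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def domain_stats(lines):
    """Per registered domain: distinct subdomain count, mean subdomain length, entropy."""
    subs = defaultdict(set)
    for line in lines:
        sub, reg = split_domain(line.split()[2])
        if sub:
            subs[reg].add(sub)
    stats = {}
    for reg, s in subs.items():
        stats[reg] = {
            "unique_subdomains": len(s),
            "mean_len": sum(map(len, s)) / len(s),
            "entropy": shannon_entropy("".join(s).replace(".", "")),
        }
    return stats

def flag_tunnels(lines, min_unique=5, min_len=20.0, min_entropy=3.5):
    """Flag domains that receive many distinct subdomains which are long or high-entropy."""
    return sorted(reg for reg, st in domain_stats(lines).items()
                  if st["unique_subdomains"] >= min_unique
                  and (st["mean_len"] >= min_len or st["entropy"] >= min_entropy))
```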

2.2 Segmentation Firewall

Jump‑host pivot : identify a host authorized to communicate across VLANs (e.g., a management workstation 192.168.1.100). After compromising a workstation in the office segment (192.168.1.10), steal the administrator NTLM hash via an obfuscated mimikatz run, then perform a Pass‑the‑Hash attack to obtain admin rights on the jump‑host. Deploy a port‑forwarding tool such as frp on the jump‑host to forward ports 445 and 1433 to local high ports (e.g., 8888/9999), thereby reaching the application and core database segments.

Trust relationships : some VLANs are configured to trust each other (e.g., office ↔ app). When such trust exists, the segmentation firewall permits unrestricted traffic between the trusted segments, allowing direct access without additional bypass steps.

Modify segmentation rules : if the tester has authorized admin access to the segmentation firewall, edit rules to open required ports or IP ranges. Any changes must be logged, temporary, and restored after testing.

2.3 Host Firewall

Disable the host firewall (requires admin rights):

netsh advfirewall set allprofiles state off
service iptables stop
systemctl stop firewalld

Modify host rules to allow specific ports:

netsh advfirewall firewall add rule name="RDPAllow" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.2.0/24
iptables -A INPUT -p tcp --dport 445 -s 192.168.2.0/24 -j ACCEPT

Bypass via legitimate processes : modern host firewalls bind rules to processes. Inject malicious code into a trusted process (e.g., svchost.exe) or use built‑in tools (PowerShell, cmd) that are whitelisted, allowing the process to open listening ports or initiate outbound connections without triggering alerts.

Exploit rule bugs such as allow‑all outbound rules, conflicting rules that permit loopback traffic, or missing inbound restrictions.
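As an added defensive check, not from the article: a drift detector that compares an iptables‑save dump of the current host policy against a baseline captured when the host was built, reporting flipped chain policies (the effect of stopping the service) and every rule added or removed, with the high‑risk ports from section 1.1 called out. Both dumps are constructed samples; the second reproduces the SMB allow from the commands above.

```python
import re

# Constructed baseline (`iptables-save` style) recorded when the host was built.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed current state: INPUT policy flipped to ACCEPT and an SMB allow added.
CURRENT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
"""

HIGH_RISK_PORTS = {22, 135, 445, 3389}

def parse_filter(dump: str):
    """Return (chain policies, set of rule lines) from an iptables-save dump."""
    policies, rules = {}, set()
    for line in dump.splitlines():
        m = re.match(r"^:(\w+) (\w+) ", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.add(line.strip())
    return policies, rules

def firewall_drift(baseline: str, current: str):
    """List policy changes and added/removed rules relative to the baseline."""
    bp, br = parse_filter(baseline)
    cp, cr = parse_filter(current)
    findings = [f"policy {chain}: {bp.get(chain)} -> {pol}"
                for chain, pol in cp.items() if bp.get(chain) != pol]
    for rule in sorted(cr - br):
        port = re.search(r"--dport (\d+)", rule)
        tag = " (high-risk port)" if port and int(port.group(1)) in HIGH_RISK_PORTS else ""
        findings.append(f"added: {rule}{tag}")
    findings += [f"removed: {rule}" for rule in sorted(br - cr)]
    return findings
```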

3. Lateral Movement After Bypass

3.1 Preparation

Network mapping : use ipconfig, route print, arp -a and stealthy scanners (nmap, masscan) to enumerate subnets and live hosts.

High‑value target identification : fingerprint services (e.g., DNS on port 53, domain controller on 389, database on 1433) to locate critical assets.

Credential harvesting : run tools such as mimikatz (sekurlsa::logonpasswords) or LaZagne to extract local admin passwords, NTLM hashes, Kerberos tickets, browser caches and configuration files.

3.2 Build Movement Channels

Jump‑host channel : forward target ports via frp or similar tools on a compromised pivot.

Tunnel channel : when segmentation blocks direct traffic, deploy DNS/SSL/ICMP tunnels on the pivot.

Legitimate service channel : reuse VPN, RDP, SSH or WMI sessions with stolen credentials for stealthy movement.

3.3 Evade Internal Monitoring

Clean system and security logs after each operation.

Prefer native tools (PowerShell, cmd, WMI) over third‑party binaries.

Encrypt lateral traffic and limit request frequency.

Mask malicious processes by injecting into trusted processes.

Schedule activities during off‑hours to reduce visibility.

3.4 Core Lateral‑Movement Techniques

Credential reuse

Pass‑the‑Hash (PTH) : requires SMB reachable on the target and a valid NTLM hash (usually Administrator); on Windows Vista and later only the built‑in Administrator account's hash yields elevated access over the network, because UAC filters the remote tokens of other local administrators.

sekurlsa::pth /user:administrator /domain:WORKGROUP /ntlm:YOURHASH

Then use psexec or RDP to the target.

Pass‑the‑Ticket (PTT) : in a domain, export a Kerberos ticket (sekurlsa::tickets /export) and inject it (kerberos::ptt ticket.kirbi) to access any service without passwords.

Password reuse : try collected credentials on other hosts; many environments reuse local admin passwords across machines.

Exploitation

SMB vulnerabilities (e.g., EternalBlue MS17‑010) via Metasploit or custom exploits.

RPC remote‑code‑execution flaws (e.g., CVE‑2021‑26855).

Web application bugs (SQL injection, file upload) on internal services.

Abuse of legitimate tools

WMI :

wmic /node:TARGET /user:USER /password:PASS process call create "cmd.exe /c whoami"

PowerShell : remote script execution, credential‑stealing modules, or establishing reverse shells.

RDP : after opening port 3389 via host‑firewall rule changes, log in with stolen credentials and clear RDP logs.

4. Practical Red‑Team Scenario

Initial foothold: phishing email grants a low‑privilege user on workstation 192.168.1.15.

Boundary bypass: deploy reGeorg on the workstation, tunnel internal traffic through allowed port 80 to the external server.

Internal reconnaissance: discover a management machine 192.168.1.100 that can reach the application segment; extract the workstation’s Administrator NTLM hash via an obfuscated mimikatz run.

Jump‑host acquisition: use the hash in a Pass‑the‑Hash attack to obtain admin rights on 192.168.1.100, thereby bypassing the segmentation firewall.

Cross‑segment channel: install frp on the management machine, forward ports 445 and 1433 to local high ports (8888/9999) and adjust the host firewall to allow them.

Application‑segment lateral movement: via the forwarded ports, access an app server 192.168.2.50 using the previously harvested credentials; verify connectivity to the core DB segment.

Core DB compromise: retrieve DB credentials from the app server’s configuration files; modify the host firewall to open 1433, then connect with a SQL client and obtain database admin rights.

Cleanup: remove tunneling tools, delete logs, restore original firewall rules, and purge injected Kerberos tickets to leave no trace.

The overall lesson is that successful internal penetration relies on understanding firewall rule logic, exploiting configuration weaknesses, and reusing legitimate credentials rather than on “magic” exploits.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Lateral Movement, tunneling, penetration testing, network segmentation, firewall bypass, credential reuse
Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.