How to Bypass Internal Firewalls and Achieve Lateral Privilege Movement?

This article explains the core logic of internal firewalls, outlines compliant bypass techniques for boundary, segmentation, and host firewalls, and then details step‑by‑step lateral movement methods—including credential reuse, tunneling, and legitimate tool abuse—while emphasizing safe, authorized testing practices.

Black & White Path

1. Understand the Core Logic of Internal Firewalls

Internal firewalls enforce the principle of least privilege by matching rules and inspecting traffic. Their protection focus varies across three deployment scenarios.

1.1 Three Core Deployment Scenarios

Boundary firewall: placed between the Internet and the internal network; controls inbound/outbound traffic; key controls are port filtering, protocol filtering, and traffic detection.

Internal segmentation firewall: deployed between VLANs; isolates network segments; controls inter‑segment communication based on IP/MAC and allowed services.

Host firewall: runs on each host (Windows firewall, iptables, third‑party agents); protects the host from lateral attacks by limiting ports, processes, and inbound/outbound rules.

All firewalls share the same protection principle: rule matching + traffic detection. Bypass strategies therefore focus on evading rule matching or disguising traffic as legitimate.

2. Core Bypass Techniques and Tricks

2.1 Bypassing Boundary Firewalls

Technique 1 – Use legitimate ports: encapsulate malicious traffic in allowed ports such as 80/443. Example: deploy an HTTP tunnel (e.g., reGeorg, EarthWorm) on a compromised internal workstation and forward traffic through port 80 to an external server.

Technique 2 – Exploit rule configuration flaws: identify over‑open ports (e.g., 445, 135), priority mis‑configurations, or missing source IP restrictions and directly access internal hosts.

Technique 3 – Leverage legitimate services: use VPN, proxy, or mail servers with valid credentials to blend in with normal traffic.

Technique 4 – Tunnel technologies: when DPI blocks simple port tunneling, use DNS tunneling (dnscat2), ICMP tunneling, or SSL tunneling over port 443.

2.2 Bypassing Internal Segmentation Firewalls

Technique 1 – Jump‑host pivot: compromise a host that has access to multiple segments (e.g., a management workstation) and use it as a bridge.

Technique 2 – Exploit segment trust relationships: if two segments trust each other, traffic can flow freely without additional bypass.

Technique 3 – Modify segmentation firewall rules: when authorized, edit rules to open required ports or segments, ensuring changes are logged and reverted after testing.

2.3 Bypassing Host Firewalls

Technique 1 – Disable the host firewall (authorized testing only):

netsh advfirewall set allprofiles state off   # Windows
service iptables stop   # Linux

Technique 2 – Modify host firewall rules to allow specific ports, e.g.:

netsh advfirewall firewall add rule name="Test" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.1.0/24
iptables -A INPUT -p tcp --dport 445 -s 192.168.2.0/24 -j ACCEPT

Technique 3 – Use legitimate processes (process injection or using svchost.exe to listen on needed ports).

Technique 4 – Exploit host firewall rule bugs: overly permissive inbound rules, rule conflicts, or loopback allowances.
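The three rule weaknesses named in Technique 4 can be checked for before an assessor ever finds them. The following audit is an added example, not code from the original article: it parses a constructed rule set in "iptables -S" form and flags sensitive ports accepted from any source, a DROP shadowed by an earlier ACCEPT, and loopback-sourced traffic accepted on a non-loopback interface. The sensitive port list and sample rules are assumptions chosen to match the article's scenario.

```python
# Added example (not from the original article): audit INPUT rules in
# "iptables -S" form for the host-firewall weaknesses the article lists:
# sensitive ports accepted from any source, a DROP shadowed by an earlier
# ACCEPT (rule conflict), and a spoofable loopback allowance.
import shlex

SENSITIVE_TCP_PORTS = {445, 3389, 1433}        # ports the article relies on
ANY_SRC = (None, "0.0.0.0/0", "0.0.0.0/0.0.0.0")  # no -s given or explicit any

def parse_rule(line):
    """Reduce one 'iptables -S' line to the options the audit needs."""
    toks = shlex.split(line)
    opts = {"-A": None, "-p": None, "--dport": None, "-s": None, "-i": None, "-j": None}
    for i, t in enumerate(toks[:-1]):
        if t in opts:
            opts[t] = toks[i + 1]
    return {"chain": opts["-A"], "proto": opts["-p"],
            "dport": int(opts["--dport"]) if opts["--dport"] else None,
            "src": opts["-s"], "in_if": opts["-i"], "target": opts["-j"]}

def audit_inbound_rules(lines):
    """Return (rule, finding) pairs for INPUT-chain rules, in chain order."""
    findings, accepted_from_any = [], set()
    for line in lines:
        r = parse_rule(line)
        if r["chain"] != "INPUT":
            continue
        key = (r["proto"], r["dport"])
        if r["target"] == "ACCEPT":
            if r["src"] in ANY_SRC and r["dport"] in SENSITIVE_TCP_PORTS:
                findings.append((line, "sensitive port accepted from any source"))
            if r["src"] in ANY_SRC:
                accepted_from_any.add(key)   # later DROPs on this key never match
            if r["src"] and r["src"].startswith("127.") and r["in_if"] != "lo":
                findings.append((line, "loopback source accepted on non-loopback interface"))
        elif r["target"] == "DROP" and key in accepted_from_any:
            findings.append((line, "DROP is shadowed by an earlier ACCEPT for the same port"))
    return findings

SAMPLE_RULES = [   # constructed sample rule set for a stand-alone run
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT",
    "-A INPUT -s 127.0.0.0/8 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 3389 -s 192.168.1.0/24 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 445 -j DROP",
]

if __name__ == "__main__":
    for rule, finding in audit_inbound_rules(SAMPLE_RULES):
        print(f"{finding}: {rule}")
```

On the sample set the 445 ACCEPT without a source, the 127.0.0.0/8 ACCEPT not bound to lo, and the final 445 DROP are reported; the source-restricted 22 and 3389 rules are not.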

3. After Bypass – Core Lateral Movement Path and Tricks

3.1 Preparation

Collect network topology, identify high‑value assets, and gather credentials (hashes, tickets, passwords).

Build lateral movement channels: jump‑host forwarding (e.g., frp), tunneling, or legitimate service usage.

Evade internal monitoring by limiting scan speed, using native tools (PowerShell, WMI), and cleaning logs.

3.2 Core Lateral Movement Techniques

Credential reuse (most common):

Pass‑the‑Hash (PTH): requires SMB to be reachable and the NTLM hash of an administrative account; on Windows Vista and later, only the built‑in Administrator account's hash works.

Pass‑the‑Ticket (PTT): requires a domain environment and a valid, unexpired Kerberos ticket (TGT).

Password reuse: try the same credentials on multiple hosts.

Vulnerability exploitation: SMB exploits (e.g., MS17‑010), RPC RCE, or internal web application flaws.

Abuse of legitimate tools: WMI, PowerShell, RDP, PsExec, etc., which are usually allowed by host firewalls.

3.3 Common Difficulties and Counter‑measures

Strict segmentation – look for cross‑segment devices (routers, VPN servers) or trust relationships.

Missing credentials – expand credential harvesting (browser cache, config files) or use social engineering.

Security monitoring – use low‑frequency scans, native tools, and clean logs after actions.

Hard‑to‑reach core hosts – search for hidden vulnerabilities, leverage trusted hosts, or resort to indirect data extraction.

4. Practical Scenario (Red‑Team Style)

Initial foothold: phishing email gives user‑level access on workstation 192.168.1.15.

Boundary firewall bypass: deploy reGeorg HTTP tunnel on the workstation, forward traffic through port 80.

Internal reconnaissance: discover management host 192.168.1.100, extract local admin NTLM hash via mimikatz.

Jump‑host takeover: use PTH with the extracted hash to gain admin rights on 192.168.1.100, bypassing the segmentation firewall.

Cross‑segment channel: run frp on the management host to forward ports 445 and 1433 of the application segment (192.168.2.0/24) to local ports 8888/9999.

Lateral move to application server 192.168.2.50 using password reuse; verify connectivity to core database segment via WMI.

Compromise core database server 192.168.3.20 by harvesting DB credentials from the application server and opening port 1433 on the host firewall.

Cleanup: remove tunnels, restore firewall rules, delete logs, and erase injected Kerberos tickets.
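The scenario above opens port 1433 on a host firewall and later restores the rules; both steps leave process-creation records that match the command lines shown in section 2.3. The detector below is an added example, not code from the original article: it runs those patterns over constructed process-creation records and reports the remote scope of each firewall change. The record format and host names are assumptions.

```python
# Added example (not from the original article): flag the host firewall
# changes produced by the commands in section 2.3 (firewall disabled,
# inbound allow rule added) in constructed process-creation records.
import re

FIREWALL_PATTERNS = [   # one pattern per command line shown in section 2.3
    ("windows firewall disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("linux firewall service stopped",
     re.compile(r"\bservice\s+iptables\s+stop\b", re.I)),
    ("windows inbound allow rule added",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule"
                r"(?=.*\bdir=in\b)(?=.*\baction=allow\b)", re.I)),
    ("iptables accept rule added",
     re.compile(r"\biptables\s+-[AI]\s+INPUT\b.*-j\s+ACCEPT\b")),
]

def remote_scope(cmdline):
    """Remote-address restriction of the change, or 'any' when none is given
    (netsh defaults remoteip to any; iptables without -s matches all sources)."""
    m = (re.search(r"remoteip=(\S+)", cmdline, re.I)
         or re.search(r"\s-s\s+(\S+)", cmdline))
    return m.group(1) if m else "any"

def detect_firewall_tampering(records):
    """Return one alert dict per matching record, in input order."""
    alerts = []
    for rec in records:
        for finding, pattern in FIREWALL_PATTERNS:
            if pattern.search(rec["cmdline"]):
                alerts.append({"host": rec["host"], "user": rec["user"],
                               "finding": finding,
                               "scope": remote_scope(rec["cmdline"])})
                break   # one finding per record is enough
    return alerts

SAMPLE_RECORDS = [   # constructed process-creation records (host, user, command line)
    {"host": "WS-015", "user": "j.doe", "cmdline": "powershell.exe -c Get-Date"},
    {"host": "APP-050", "user": "svc_app", "cmdline":
     'netsh advfirewall firewall add rule name="Test" dir=in action=allow protocol=TCP localport=1433'},
    {"host": "MGMT-100", "user": "admin", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "DB-020", "user": "root", "cmdline":
     "iptables -A INPUT -p tcp --dport 445 -s 192.168.2.0/24 -j ACCEPT"},
    {"host": "DB-020", "user": "root", "cmdline": "service iptables stop"},
]

if __name__ == "__main__":
    for a in detect_firewall_tampering(SAMPLE_RECORDS):
        print(f'{a["host"]} {a["user"]}: {a["finding"]} (remote scope: {a["scope"]})')
```

A scope of "any" on an allow rule is the "overly permissive inbound rule" case from section 2.3 and deserves a higher severity than a rule restricted to one subnet.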

The key takeaway is that successful internal penetration relies on understanding firewall rule logic, exploiting configuration weaknesses, and reusing legitimate credentials rather than relying on exotic tools.

Source: 乌雲安全
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
