FireWalking to NetCat Client

[Ravenrx7]

Im trying to master the art of firewalking on a network I manage ( work at), with that said I understand fire-walking can reach past the FireWall with a TTL of 1. I have placed a client one hop away from the core firewall in hopes of using a firewalking cmd to reach that nc client on the port I assigned. Most of the videos onlne show, LAN to LAN nc conenctions, which is great but I think if we were comprised, the attack would be remote. My tools, Kali 1.0, Sonicwall FW and good ole Netcat.

[Ravenrx7]

I have 80,443 on the firewall but the listening port on the nc is 31337.

[digininja]

Your listening port has to be open on the firewall otherwise it just drops the packet.

[digininja]

and it doesn't matter if it is LAN to LAN or WAN to LAN, the key thing is the firewall being between the two networks, to it they are just two networks it separates.

[Ravenrx7]

okay and if you used a higher port than the 1024 normal ports, would that work? If I use port 80 or 443 which is open, that's basic web traffic how would I point to that internal IP on port 80?

[Ravenrx7]

Let me clarify, if port 80 is open this allows all internal clients to retrieve www. How can I specialize this packet to direct to a certain internal client?

[digininja]

I think you've got your directions the wrong way round, if you open port 80 on your firewall then that usually means you are allowing traffic in on port 80 not out.

If the firewall is setup to cover just a single IP then traffic on open ports passes straight through to the IP behind, if it is setup to to do NAT then you have to configure what internal IP and port the open port 80 is redirected to.

[Ravenrx7]

Correct, I understand on that portion about a one to one NAT. I wanted to see if there was a way around using a black hat method. What method would they take and how do I secure it?

[digininja]

If a port on the firewall is closed then you can't use another port to see through to it, that isn't what firewalking is about. If you want to probe the inside of a network from outside you need to find something to pivot off inside and then use that to poke at things. Here is more info on fire walking http://www.giac.org/paper/gsec/312/firewalk-attackers-firewall/100588

One way, at a stretch, is if you can get access to an app through which you can make HTTP requests, you can give it IPs and ports and then compare responses.