What is one of the first things to do in a ethical hack?  Ec-council suggests information gathering. While that is very true, that is becoming less requested. Usually you are given your target information from the get go. Seems like more and more organizations want you to get right to it and dont want to spend money on what they perceive  as "extras".  A good place to start is to inspect the firewall rules of your target. There are some simple tests to do right at the start. These tests are old school and work mostly if its an improperly configured iptables firewall.

Depending on the test enviroment, we are not going to be too worried about being stealth, so we will begin with the traditional traceroute or tracert command to the target. Simply "traceroute victims ip."  This in return should give you a return of astericks. This usually is a sign that the firewall is preventing packets from leaving the target. This is normal because most firewalls filter diagnostic ICMP packets.

 We attempt to "fool" the firewall by using TCP packets and Hping2 is great for that. We enter "hping2 -T -t 1 -S -p 80 victims IP"  With a little luck we get a response. 

 The next scans we perform are with nmap.  For a fast scan we use nmap -sS -F -n -O victimsIP. We might try just a simple test of the firewall rules with "nmap -v -sA -ff -r -n victimsIP" If we have the time and this can sometimes take an hour or so but is very complete, we use nmap -v -g53 -sS -sR -P0 -O -p1-65000 -o nmap.out victimsIP.  I like the -g switch, which lets you set the source port.  You can test for misconfigured rules that allow packets based on source ports, such as ftp data (port 20), dns lookups (port 53) or return http traffic (port 80). This is an important scan because one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20.   Other switches I like are -sA and -PO for firewall scanning. If you are trying to avoid IDS logging, use the default -rH, which is a randomized port order. This, combined with slow timing options, will make network monitoring hard to detect the scan. As an example we might try, nmap -sS --scan-delay 500 -f -rH victimsIP.

 We might even be able to slip through if the organization  has devices connecting to the internet. This scan will test for devices like routers, printers,switches,etc.. map -vv -sS -O -n victimsIP/24 -oA inventory. With a little luck you might get an inventory of devices.

Ok now that we have managed to discover active ports we might be able to breach the server with a simple tool like Fpipe with fpipe -l 53 -s 53 -r 80 victimsIP. Its rare to work but when it does its sweet because it can be shocking to an organization when they have just implemented their new shiny firewall that was never configured to be breached by a couple of free tools.
 
The idea of these scans is to test for misconfigured firewalls. If the rules are in place correctly we wont get results. Auditing the firewall is a very crucial and good first place to start your ethical hacking session.

Awesome tutorial, thanks Kev. This scans will work for misconfigured packet filter firewalls. To mitigate this problem use a well configured stateful or proxy firewall. Because stateful firewalls keep track of the state of network connections, using these simple scans will usually not work.

Nice tutorial. Kudos to Kev (and also to Fyodor and Antirez).