Fragtunnel: The Undetectable TCP Tunneling Tool for Bypassing Next Generation Firewalls
Fragtunnel
Fragtunnel is a PoC TCP tunneling tool that exploits a design flaw in IDS/IPS engines and Next Generation Firewalls; therefore, it can tunnel your application's traffic to the target server and back without being detected and blocked by Next Generation Firewalls that use Layer 7 application rules.
The issue
IDS/IPS engines used by most next-generation firewalls allow a few packets of data to reach the destination while they collect enough information to make a verdict on whether they should allow or block the traffic. This is a design flaw that has been discussed and published by different researchers within the last decade and can be exploited by malicious actors (if they were not already??). A few years ago, a few interesting findings made me curious about this funny behavior, and I did my research and wrote simple PoC code without being aware of other researchers' work. To learn more about the issue, you can check out the slides from my recent presentation on this topic: Bypassing NGFWs – BSides Vancouver 2024
How does it work?
- Data is received from your local application (tunnel client side) or from the target server (tunnel server side).
- The received data gets encoded/decoded (optional)
- and is then sliced into smaller fragments.
- Each fragment is sent one by one over the tunnel, each fragment within a new TCP session.
- Fragments coming out of the tunnel are merged to rebuild the original data.
- Finally, the restored original data is sent to its target (either to your application locally or to the target server).
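The property that makes this work against per-session Layer 7 inspection is also what a defender can look for: one host opening many short-lived TCP sessions to the same destination, each carrying only a few payload bytes. The following is an added detection example, not part of Fragtunnel; the connection-log field layout (ts, src, dst, dport, duration, orig_bytes) and the sample records are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import median

# Constructed sample connection log: ts src dst dport duration_s orig_bytes.
# Ten back-to-back sessions from 10.0.0.5, each carrying 14 bytes, mimic a
# one-fragment-per-session pattern; the 10.0.0.7 records mimic normal browsing.
SAMPLE_CONN_LOG = "\n".join(
    [f"{1.0 + 0.2 * i:.1f} 10.0.0.5 203.0.113.9 443 0.03 14" for i in range(10)]
    + [
        "1.3 10.0.0.7 203.0.113.9 443 2.10 5120",
        "4.8 10.0.0.7 203.0.113.9 443 1.75 8800",
        "6.2 10.0.0.7 198.51.100.4 80 0.90 640",
    ]
)


def parse_conn_log(log: str):
    """Parse whitespace-separated records into typed tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, dport, dur, nbytes = line.split()
        rows.append((float(ts), src, dst, int(dport), float(dur), int(nbytes)))
    return rows


def find_fragment_bursts(rows, window=10.0, min_sessions=8,
                         max_bytes=64, max_duration=0.5):
    """Return (src, dst, dport) triples that show, within any `window` seconds,
    at least `min_sessions` sessions whose median payload and median duration
    are both tiny: the signature of data split one fragment per TCP session."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, dur, nbytes in rows:
        by_pair[(src, dst, dport)].append((ts, dur, nbytes))
    hits = []
    for key, conns in by_pair.items():
        conns.sort()
        j = 0
        for i in range(len(conns)):
            # Slide the window start forward until conns[j..i] fits in `window`.
            while conns[i][0] - conns[j][0] > window:
                j += 1
            win = conns[j:i + 1]
            if (len(win) >= min_sessions
                    and median(b for _, _, b in win) <= max_bytes
                    and median(d for _, d, _ in win) <= max_duration):
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    print(find_fragment_bursts(parse_conn_log(SAMPLE_CONN_LOG)))
```

Legitimate chatty clients (health checks, keepalive probes, some API pollers) also produce bursts of tiny sessions, so treat a hit as a lead for payload-level review rather than a verdict, and baseline the thresholds against normal traffic first.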
Download & Use
Copyright (c) 2024 0xaefe