Fragtunnel: The Undetectable TCP Tunneling Tool for Bypassing Next Generation Firewalls


Fragtunnel is a PoC TCP tunneling tool that exploits the design flaw that IDS/IPS engines and Next Generation Firewalls have; therefore, it can tunnel your application’s traffic to the target server and back while not being detected and blocked by Next Generation firewalls using Layer 7 application rules.

The issue

IDS/IPS engines used by the most next-generation firewalls allow a few packets of data to reach the destination while they collect enough information to make a verdict on whether they should allow or block the traffic. This is a design flaw that was discussed and published by different researchers within the last decade and can be exploited by malicious actors (if they were not already??). A few years ago, a few interesting findings made me curious about this funny behavior, and I did my research and wrote a simple PoC code without being aware of other researchers work. To learn more about the issue, you can check out the slides from my recent presentation on this topic: Bypassing NGFWs – BSides Vancouver 2024

How it works?

  • Data received from your local application (tunnel client side) or from target server (tunnel server side)
  • received data gets encoded/decoded (optional)
  • then sliced into smaller fragments.
  • each fragment gets sent one by one over the tunnel, each fragment within a new TCP session
  • fragments coming out from tunnel gets merged to make original data
  • finally, restored original data gets sent to its target (either to your application at local or to the target server)

Download & Use

Copyright (c) 2024 0xaefe