Bypassing Firewalls: Attacking Port 80

TL;DR

Even if a firewall blocks direct access to port 80 (HTTP), attackers can still reach the web server. This guide explains common techniques like port forwarding, reverse proxies, tunnelling, and exploiting other services to bypass the firewall.

Solution Guide: Attacking Port 80 with Firewall Restrictions

  1. Understand the Setup
    • The target server only allows incoming connections on port 22 (SSH).
    • You want to attack a web application running on port 80 of that server.
    • This means direct connection attempts to port 80 will be blocked by the firewall.
  2. Port Forwarding (If Possible)

    If you have access to another machine *inside* the network where the target server resides, you can use it as a bridge.

    • Configure port forwarding on that internal machine. This redirects traffic from its own port (e.g., 8080) to the target server’s port 80.
    • Connect to the internal machine’s port 8080, which will then forward your requests to the target server’s port 80.
    • # Example using iptables (Linux) on the internal machine:
      sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination <target_server_ip>:80
  3. Reverse Proxy (If Possible)

    Similar to port forwarding, but often more robust. Requires access to an internal machine.

    • Set up a reverse proxy server (e.g., Nginx or Apache) on the internal machine.
    • Configure the proxy to forward requests to the target server’s port 80.
    • Access the web application through the reverse proxy’s public IP address and port.
  4. SSH Tunnelling

    This is a common technique if you have SSH access to the target server.

    • Create an SSH tunnel that forwards a local port on your machine to the target server’s port 80.
    • ssh -L 8080:localhost:80 <user>@<target_server>
    • Now you can access the web application by connecting to http://localhost:8080 in your browser. All traffic goes through the SSH connection, bypassing the firewall.
  5. Exploit Other Services

    Look for other services running on the target server that *are* accessible (e.g., FTP, SMTP).

    • FTP Bounce Attack: If FTP allows connections from anywhere, an attacker can potentially use it to bounce attacks through the server. This is less common now due to security improvements in FTP servers.
    • SMTP Relay: If SMTP is misconfigured, it might be possible to relay emails containing malicious payloads that could indirectly affect port 80 (e.g., by sending spam that overwhelms the web server).
  6. WebSockets and other Protocols

    The web application might use WebSockets or other protocols that tunnel through port 443 (HTTPS).

    • If HTTPS is allowed, investigate if the application uses these protocols. You may be able to exploit vulnerabilities in them.
  7. Social Engineering

    Convince someone with access to the network to open port 80 temporarily or permanently.

    • This is a non-technical approach but can be effective.
  8. DNS Tunnelling (Advanced)

    A more complex technique involving encoding data within DNS queries and responses. Requires control over the DNS records for the target domain.

    • This is often used to exfiltrate data, but can sometimes be adapted for command and control.
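
From the defender's side, the SSH tunnel in step 4 only works if the server's sshd permits local TCP forwarding to that destination. The following is an added example, not code from the original page: a small Python check of the global section of an sshd_config, where the sample configs, the address 10.0.0.5 and the function names are constructed for illustration.

```python
# Added example: audits the global section of an sshd_config for local TCP forwarding.
# WEAK and HARDENED are constructed samples, not taken from any real host.
WEAK = "Port 22\nPasswordAuthentication no\n#AllowTcpForwarding yes\n"
HARDENED = (
    "Port 22\n"
    "AllowTcpForwarding local\n"
    "PermitOpen 10.0.0.5:5432\n"
    "Match User deploy\n"
    "    AllowTcpForwarding yes\n"
)

# OpenSSH defaults when a keyword is absent.
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}


def global_settings(config_text):
    """Effective global options: first value wins; parsing stops at the first Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # Match blocks can override per user/host; review them separately
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **settings}


def local_forward_allowed(config_text, host, port):
    """True if a client request `ssh -L <lport>:host:port` passes the global settings."""
    cfg = global_settings(config_text)
    if cfg["allowtcpforwarding"].lower() not in ("yes", "all", "local"):
        return False
    targets = cfg["permitopen"].split()
    if "any" in targets:
        return True
    if "none" in targets:
        return False
    for target in targets:
        t_host, _, t_port = target.rpartition(":")
        # sshd compares names literally (no DNS lookup); '*' is a wildcard.
        if t_host in ("*", host) and t_port in ("*", str(port)):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "allows -L to localhost:80:", local_forward_allowed(text, "localhost", 80))
```

A Match block like the one in HARDENED can re-enable forwarding for specific users, so running `sshd -T` on the host (with `-C` to supply Match conditions) remains the authoritative check.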