Firewall/IDS Evasion

FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

TCP ACK Scan

nmap -Pn -sA -p 445,3389 [IP]

This command performs a TCP ACK scan on ports 445 and 3389, assuming no ping (-Pn) to avoid firewall blockage of ICMP requests.

Filtered in place of closed: If a port scan result shows "filtered" instead of "closed," this indicates that a firewall is likely filtering the traffic. It means that the ACK packet couldn't determine the state of the port because the firewall blocks or drops packets.

Unfiltered: If the result shows "unfiltered," this suggests no firewall in place, and the ACK packet reaches the destination port without interference.

Firewall/IDS Evasion Techniques

These techniques are used to bypass firewalls or intrusion detection systems by modifying how the scan packets are constructed and sent.

Fragmentation

Nmap can break scan packets into smaller fragments to evade simple firewalls that inspect only the first fragment of a packet. By sending fragmented packets, it can bypass shallow packet inspection mechanisms.

nmap -Pn -sS -sV -F -f [IP]

You can specify the minimum transmission unit (MTU) size for each fragmented packet. Smaller MTU sizes result in more packet fragments, making detection harder.

nmap -Pn -sS -sV -F -f --mtu [SIZE] [IP]

Nmap uses a minimum fragment size of 8 bytes by default.

Decoy Scanning

The decoy option allows the use of multiple spoofed IP addresses to disguise the true source of the Nmap scan. The real scan comes from the attacker's IP, but it appears to come from several decoy IPs, making it harder for the target to identify the true attacker.

nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D [Decoy-IP] [IP]

This command sends a stealth scan with version detection on ports 445 and 3389. It also sends fragmented packets (-f), with 200 bytes of additional random data to further obfuscate the packet. The scan appears to originate from a decoy IP (-D).

TTL Manipulation

The Time-to-Live (TTL) field can be set manually, controlling how long packets are allowed to travel before being dropped. Setting a custom TTL may help evade firewalls or trick intrusion detection systems into misinterpreting the packet's origin.

nmap -Pn -sS -p 80 --ttl 64 [IP]

Sets the TTL of the packets to 64. This is a common TTL value for packets from Linux/Unix-based systems, which can help mimic legitimate traffic.

Source Port Manipulation

You can change the source port used by Nmap to avoid detection. For example, setting the source port to 80 or 443 (common web service ports) can help evade firewalls or IDSs that whitelist these ports.

nmap -Pn -sS -p445,3389 -g 80 [IP]

This command performs a stealth scan on ports 445 and 3389, but uses port 80 as the source port to mimic regular web traffic.