Firewall/IDS Evasion
TCP ACK Scan
This command performs a TCP ACK scan on ports 445 and 3389 and skips host discovery (-Pn), so a firewall that drops ICMP echo requests does not cause Nmap to treat the host as down and skip the scan.
Filtered in place of closed: If the ACK scan reports "filtered" where you would expect "closed," a firewall is likely filtering the traffic. No RST came back for the ACK probe (the packet was dropped, or an ICMP unreachable error was returned), so Nmap cannot determine the state of the port.
Unfiltered: If the result shows "unfiltered," the target answered the ACK probe with a RST, which suggests no stateful firewall is in the path. Note that "unfiltered" only means the port is reachable; an ACK scan never tells you whether the port is open or closed.
Firewall/IDS Evasion Techniques
These techniques are used to bypass firewalls or intrusion detection systems by modifying how the scan packets are constructed and sent.
Fragmentation
Nmap can break scan packets into smaller fragments to evade simple firewalls that inspect only the first fragment of a packet. By sending fragmented packets, it can bypass shallow packet inspection mechanisms.
You can specify the maximum transmission unit (MTU) size for each fragmented packet; Nmap requires it to be a multiple of 8. Smaller MTU sizes result in more packet fragments, making detection harder.
Nmap uses a minimum fragment size of 8 bytes by default.
Decoy Scanning
The decoy option allows the use of multiple spoofed IP addresses to disguise the true source of the Nmap scan. The real probes still come from the attacker's IP, but they are interleaved with probes that appear to come from several decoy IPs, making it harder for the target to identify the true attacker among them.
This command sends a stealth scan with version detection on ports 445 and 3389. It also sends fragmented packets (-f), with 200 bytes of additional random data to further obfuscate the packet. The scan appears to originate from a decoy IP (-D).
TTL Manipulation
The Time-to-Live (TTL) field can be set manually, controlling how long packets are allowed to travel before being dropped. Setting a custom TTL may help evade firewalls or trick intrusion detection systems into misinterpreting the packet's origin.
Sets the TTL of the packets to 64. This is a common TTL value for packets from Linux/Unix-based systems, which can help mimic legitimate traffic.
Source Port Manipulation
You can change the source port used by Nmap to avoid detection. For example, setting the source port to 80 or 443 (common web service ports) can help evade firewalls or IDSs that whitelist these ports.
This command performs a stealth scan on ports 445 and 3389, but uses port 80 as the source port to mimic regular web traffic.
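The techniques above (bare ACK probes, tiny fragments, decoy bursts, forged TTLs and server ports used as source ports) each leave a recognisable footprint on the wire. The following script is an added example, not part of the original page or of Nmap, showing the defender's side: simple heuristics run over packet summaries of the kind a sensor or pcap parser would emit. The packet records, the field names (ts, src, sport, dst, dport, flags, ttl, frag, plen) and the thresholds are constructed assumptions for illustration.

```python
"""Heuristic indicators for Nmap firewall/IDS evasion traffic.

Runs over constructed packet summaries (one dict per packet) and reports
which sources show the footprints discussed above. Sample data, field
names and thresholds are assumptions, not output of any real tool.
"""
from collections import defaultdict

# Constructed sample capture: a normal web client, then one scanner
# exercising each technique (flags: S = SYN, A = ACK; frag = IP fragment;
# plen = payload bytes in this packet/fragment).
SAMPLE_PACKETS = [
    dict(ts=0.0, src="10.0.0.5", sport=51000, dst="10.0.0.20", dport=443, flags="S", ttl=128, frag=0, plen=0),
    dict(ts=0.1, src="10.0.0.5", sport=51000, dst="10.0.0.20", dport=443, flags="A", ttl=128, frag=0, plen=0),
    # bare ACKs with no preceding SYN (ACK scan)
    dict(ts=1.0, src="198.51.100.7", sport=40000, dst="10.0.0.20", dport=445, flags="A", ttl=64, frag=0, plen=0),
    dict(ts=1.0, src="198.51.100.7", sport=40001, dst="10.0.0.20", dport=3389, flags="A", ttl=64, frag=0, plen=0),
    # 8-byte IP fragments carrying a TCP SYN (fragmentation)
    dict(ts=2.0, src="198.51.100.7", sport=40002, dst="10.0.0.20", dport=445, flags="S", ttl=64, frag=1, plen=8),
    dict(ts=2.0, src="198.51.100.7", sport=40002, dst="10.0.0.20", dport=445, flags="S", ttl=64, frag=1, plen=8),
    # several "sources" hitting the same port in the same second (decoys)
    dict(ts=3.0, src="203.0.113.1", sport=41000, dst="10.0.0.20", dport=3389, flags="S", ttl=64, frag=0, plen=0),
    dict(ts=3.0, src="203.0.113.2", sport=41000, dst="10.0.0.20", dport=3389, flags="S", ttl=64, frag=0, plen=0),
    dict(ts=3.1, src="198.51.100.7", sport=41000, dst="10.0.0.20", dport=3389, flags="S", ttl=64, frag=0, plen=0),
    # SYN from source port 80 to a non-web port, later with a different TTL
    dict(ts=4.0, src="198.51.100.9", sport=80, dst="10.0.0.20", dport=445, flags="S", ttl=37, frag=0, plen=0),
    dict(ts=5.0, src="198.51.100.9", sport=80, dst="10.0.0.20", dport=3389, flags="S", ttl=64, frag=0, plen=0),
]


def ack_probes_without_syn(pkts, min_ports=2):
    """Sources sending ACK-only packets to ports they never sent a SYN to.
    A TCP ACK scan skips the handshake, so a few such ACKs to distinct
    ports from one source is a strong indicator."""
    syn_seen = set()
    suspects = defaultdict(set)
    for p in sorted(pkts, key=lambda p: p["ts"]):
        key = (p["src"], p["dst"], p["dport"])
        if "S" in p["flags"]:
            syn_seen.add(key)
        elif p["flags"] == "A" and key not in syn_seen:
            suspects[p["src"]].add(p["dport"])
    return {src: ports for src, ports in suspects.items() if len(ports) >= min_ports}


def tiny_fragments(pkts, max_payload=16):
    """Sources emitting IP fragments with at most max_payload bytes of data.
    Nmap -f produces 8-byte fragments (16 with -ff); ordinary traffic is
    almost never fragmented that small."""
    return {p["src"] for p in pkts if p["frag"] and p["plen"] <= max_payload}


def decoy_bursts(pkts, window=2.0, min_sources=3):
    """Ports probed by at least min_sources distinct addresses within
    `window` seconds. Decoy scans interleave real and spoofed probes, so the
    decoys and the true source arrive together; the result is a lead, not a
    block list, because it contains the decoys as well."""
    by_port = defaultdict(list)
    for p in pkts:
        if "S" in p["flags"]:
            by_port[p["dport"]].append(p)
    findings = {}
    for dport, plist in by_port.items():
        plist.sort(key=lambda p: p["ts"])
        for i, p in enumerate(plist):
            srcs = {q["src"] for q in plist[: i + 1] if p["ts"] - window < q["ts"]}
            if len(srcs) >= min_sources:
                findings.setdefault(dport, set()).update(srcs)
    return findings


def server_port_as_source(pkts, web_ports=frozenset({80, 443})):
    """SYNs whose source port is a well-known service port while the
    destination port is not. Real clients use ephemeral source ports, so
    this pattern mostly comes from a scanner using a forged source port to
    slip past allow rules keyed on port 80/443."""
    return [(p["src"], p["sport"], p["dport"]) for p in pkts
            if "S" in p["flags"] and p["sport"] in web_ports and p["dport"] not in web_ports]


def ttl_inconsistency(pkts):
    """Sources seen with more than one TTL. A given host on a fixed path
    presents a stable TTL, so a change hints at a manually set TTL."""
    ttls = defaultdict(set)
    for p in pkts:
        ttls[p["src"]].add(p["ttl"])
    return {src: seen for src, seen in ttls.items() if len(seen) > 1}


def analyze(pkts):
    """Run every heuristic and collect the findings by technique."""
    return {
        "ack_scan": ack_probes_without_syn(pkts),
        "fragments": tiny_fragments(pkts),
        "decoys": decoy_bursts(pkts),
        "source_port": server_port_as_source(pkts),
        "ttl": ttl_inconsistency(pkts),
    }


if __name__ == "__main__":
    for technique, hits in analyze(SAMPLE_PACKETS).items():
        print(f"{technique}: {hits}")
```

Two design points matter in practice. Fragment detection only works if the sensor sees the fragments before reassembly, which is exactly the gap the -f option targets, so place the check where the firewall or IDS reassembles. The decoy finding deliberately returns every address in the burst: the true scanner is one of them, but the others may be innocent hosts whose addresses were spoofed, so act on the burst as an investigation lead rather than feeding it straight into a block list.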