Nmap from Scratch | Part-8 | Firewall/IDS Evasion and Spoofing

A3h1nt
5 min read · Dec 25, 2020


Hey folks, I hope you're all doing well, and Merry Christmas!!

I am happy that you made it to part 8. It's time for you to learn some cool techniques that can help you evade a firewall or IDS, spoof an IP address, and so on.

So let's get started.

The -f option causes Nmap to split the TCP header across several tiny IP fragments, which makes it harder for an IDS/IPS or firewall to detect the scan.

SYNTAX:

nmap -f nmap.scanme.org

For example, if the size of the TCP header is 24 bytes, it would be split into 3 parts of 8 bytes each. You can also specify your own fragment size using the --mtu option, but the size must be a multiple of eight. Remember not to use -f together with --mtu; use one at a time.

On analysing the packets we can see the difference.

For the command:

nmap nmap.scanme.org -p 22

Wireshark Output:

For the command:

nmap -f nmap.scanme.org -p 22

Wireshark Output:

We can see a difference of 16 bytes, which can make the scan go undetected by some low-end security devices.
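Why an IDS has to reassemble fragments before it can match a signature, as an added illustration that is not the author's code: a constructed SYN probe to port 22 is split into 8-byte IP fragments the way -f does, and the TCP flags byte only becomes visible after reassembly. Everything here is built in memory; nothing is sent on the wire, and the checksums are left at zero.

```python
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal 20-byte IPv4 header (no options)
MORE_FRAGMENTS = 0x2000                   # MF bit in the flags/fragment-offset word

def make_fragments(payload, src, dst, frag_size=8, ident=0x1234):
    """Split one transport-layer payload into IPv4 fragments of frag_size bytes
    (8 is what nmap -f produces). Checksums stay zero: this is an in-memory demo."""
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        mf = MORE_FRAGMENTS if off + frag_size < len(payload) else 0
        hdr = IP_HDR.pack(0x45, 0, 20 + len(chunk), ident, mf | (off // 8), 64, 6, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def parse_fragment(pkt):
    """Return the pieces an IDS needs for reassembly: datagram id, byte offset, MF flag, data."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = IP_HDR.unpack(pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & MORE_FRAGMENTS), "data": pkt[ihl:total_len]}

def reassemble(frags):
    """Naive reassembly (one datagram, no overlap handling): order by offset and concatenate."""
    parts = sorted((parse_fragment(p) for p in frags), key=lambda f: f["offset"])
    assert parts[-1]["more"] is False, "last fragment missing"
    return b"".join(p["data"] for p in parts)

def tcp_flags(segment):
    """TCP flags live at byte 13 of the TCP header; None if those bytes are not present."""
    return segment[13] if len(segment) > 13 else None

def demo():
    # Constructed SYN to port 22, as an "nmap -p 22" probe would send: 20-byte TCP header, no payload.
    syn = struct.pack("!HHIIBBHHH", 54321, 22, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    frags = make_fragments(syn, bytes([172, 20, 10, 4]), bytes([172, 20, 10, 3]))
    first = parse_fragment(frags[0])["data"]
    return {
        "fragments": len(frags),                                  # 3: 8 + 8 + 4 bytes
        "flags_in_first_fragment": tcp_flags(first),              # None: first 8 bytes hold only ports + seq
        "flags_after_reassembly": tcp_flags(reassemble(frags)),   # 0x02 (SYN)
    }

if __name__ == "__main__":
    print(demo())
```

A rule such as "SYN to port 22" can only fire on the reassembled datagram; an inspector that matches per fragment sees the destination port in the first fragment but never the flags.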

A decoy scan is one of the scans that can help you obscure your IP address. You specify several decoy IP addresses, and as a result the target IDS reports multiple source addresses and cannot tell which ones are decoys and which one is the real scanner.

SYNTAX:

nmap -D [IP-1],[IP-2],[IP-3] target.com

I have a very interesting way to demonstrate this scan: I have two different virtual machines, one running BackBox and the other running Debian.

Backbox is the target system and Debian is the attacker system.

Now, I have set up an IDS/IPS called SNORT (which is really cool and you should definitely learn it) on BackBox, and I'll run the scans from Debian.

Scan 1: Without the Decoy option

Command:

nmap 172.20.10.3 -p 22   # 172.20.10.3 is the IP of the target (BackBox)

I have defined a rule in SNORT that generates an alert whenever someone tries to scan port 22.

Rule:

On scanning, an alert is generated:

From the generated alerts you can see that someone at IP 172.20.10.4 scanned port 22. Since the attacker's IP is known from the logs, it is very easy to trace the attacker back.

Scan 2: With Decoy Option

Command:

nmap -D 36.89.188.123,116.203.182.126 172.20.10.3 -p 22   # the IPs used as decoys were taken from a free proxy list

On scanning, alerts are generated:

There's a significant difference in the logs generated with the decoy scan: they show multiple scans on port 22 from three different IPs, which would keep the sysadmin from identifying the real culprit, and that's why this scan is so cool and important (just in case you are doing something malicious, which you should not unless you have permission).
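On the defender's side, the pattern a decoy scan leaves in the SNORT log can itself be detected: one target port hit by several distinct sources within a fraction of a second. This is an added example, not the author's setup; the alert lines are constructed in Snort's fast-alert format (the rule message and sid are invented), using the same IPs as the scans above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert line: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not real Snort output): a plain scan at 10:00, then a decoy scan at 10:05.
SAMPLE_ALERTS = """\
12/25-10:00:01.000100  [**] [1:1000001:1] SSH port scan attempt [**] [Priority: 0] {TCP} 172.20.10.4:41234 -> 172.20.10.3:22
12/25-10:05:30.000200  [**] [1:1000001:1] SSH port scan attempt [**] [Priority: 0] {TCP} 36.89.188.123:41235 -> 172.20.10.3:22
12/25-10:05:30.000350  [**] [1:1000001:1] SSH port scan attempt [**] [Priority: 0] {TCP} 172.20.10.4:41236 -> 172.20.10.3:22
12/25-10:05:30.000500  [**] [1:1000001:1] SSH port scan attempt [**] [Priority: 0] {TCP} 116.203.182.126:41237 -> 172.20.10.3:22
"""

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
            alerts.append(a)
    return alerts

def find_decoy_bursts(alerts, window=1.0, min_sources=3):
    """Flag (dst, dport) pairs hit by >= min_sources distinct sources within `window` seconds.
    That burst is the trace a -D scan leaves: the real scanner is one of the sources,
    but the alert log alone cannot say which one."""
    by_target = defaultdict(list)
    for a in alerts:
        by_target[(a["dst"], a["dport"])].append(a)
    bursts = []
    for (dst, dport), hits in by_target.items():
        hits.sort(key=lambda h: h["ts"])
        i = 0
        while i < len(hits):
            j = i
            while j < len(hits) and (hits[j]["ts"] - hits[i]["ts"]).total_seconds() <= window:
                j += 1
            sources = sorted({h["src"] for h in hits[i:j]})
            if len(sources) >= min_sources:
                bursts.append({"dst": dst, "dport": dport, "start": hits[i]["ts"], "sources": sources})
                i = j  # skip past this burst
            else:
                i += 1
    return bursts

if __name__ == "__main__":
    for b in find_decoy_bursts(parse_alerts(SAMPLE_ALERTS)):
        print(f"possible decoy scan of {b['dst']}:{b['dport']} at {b['start'].time()} from {b['sources']}")
```

The single scan at 10:00 is reported as usual; the 10:05 burst is flagged as a probable decoy scan with all three sources listed, which is exactly what the sysadmin has to untangle.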

This scan is really cool, but it's not something that'll help you during a penetration test. A spoof scan lets you forge the source address, but since the spoofed source address differs from the real one, the replies go to the spoofed IP and not to us.

There are two more options that we need to specify if we don't want to reveal our real source address.

SYNTAX:

nmap -S [Spoofed-Source-IP] [Target] -Pn -e [Interface]

-Pn : skip host discovery and go straight to the port scan (don't ping)
-e : specify the network interface

Example:

nmap -S www.microsoft.com www.apple.com -Pn -e eth0

From the target's point of view, the above example looks like "microsoft.com did a port scan on apple.com".

The same can be demonstrated with SNORT as well.

Nmap also lets us change the source port, which can be useful for evading a firewall: firewall rules can allow or block connections on the basis of the port number, and this option lets us circumvent such rules.

SYNTAX:

nmap --source-port [SOURCE-PORT] nmap.scanme.org

or

nmap -g [SOURCE-PORT] nmap.scanme.org

SYNTAX:

nmap --proxies [PROXY-URL] nmap.scanme.org

This option is not recommended because it is still under development and can reveal your real source IP.

Rules can be defined in SNORT to detect packets on the basis of packet size using the dsize option. The packet size can be changed in Nmap using the --data-length option, which appends random data to the packets.

SYNTAX:

nmap --data-length 100 nmap.scanme.org

Analysing the output in Wireshark:

We can see the length (len) shown as 100.

We can specify any ASCII string to append to the packets; this can be useful for delivering a message to the target.

SYNTAX:

nmap --data-string "your text" nmap.scanme.org

Example:

nmap --data-string "Hey guys merry Christmas !!" nmap.scanme.org -p 22

Analysing the packet in Wireshark:

In practice, this can be useful when a company hires a penetration tester to test its systems and gives him or her a code that must be included in every scan, so that the company can easily identify the scans coming from the authorized tester.

There are other options as well, such as spoofing the MAC address, but I don't recommend them because other tools do it better than Nmap.

This is it for this blog, guys; there's not much left in Nmap for me to cover now. I'll probably write two more blogs about it: the next one on the different output options and the last one on my recommended commands when using Nmap.

If you have any doubts or you think this blog needs any correction, contact me at A3h1nt.

Merry Christmas again, enjoy your day!

Originally published at http://a3h1ntnotebook.wordpress.com on December 25, 2020.
