Firewall and IDS Evasion with NMAP | Pra ...

Firewall and IDS Evasion with NMAP | Practical Scenario

Apr 16, 2024

We covered different types of Nmap scans that can be used to evade Firewall and IDS detection. We discussed packet fragmentation, decoy scan, stealth scanand proxy scans. We used public sources to perform the expirement.

Highlights

Goals of Firewall & IPS/IDS Evasion

There are several scenarios in which you might find yourself in need to bypass an existing IDS such as Snort. It depends on what you are or at which stage in the cyber kill chain during your interaction with the target. Overall an IDS/IPS might be a problem most commonly during:

  • Port scanning

  • Data Exfiltration

  • First foothold (shell)

Firewall & IPS/IDS Evasion Methods

  1. Evasion via Protocol Manipulation

  2. Evasion via Payload Manipulation

  3. Evasion via Route Manipulation

  4. Evasion via Tactical Denial of Service (DoS)

Nmap Scans Methods to Evade Firewall Detection

  • FIN scan against stateless firewall

  • Changing Source Port using -g option

 nmap -sU -Pn -g 53 -F 10.10.10.1
  • Using IPv6 scans

  • Fragementation using –f option

nmap -f 10.10.10.1
# the packet is split into 3 fragments
 nmap --mtu 24 10.10.10.1
# MTU must be a multiple of 8
  • Proxy Scans

nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153
10.10.10.1

This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.

  • Mac Address Spoofing

nmap --spoof-mac Cisco 10.10.10.1
 # Spoofing Cisco MAC addresses
  • Scan Delay using the option –scan-delay <time>ms

  • Zombie Scans

nmap -sI 10.10.10.5 10.10.10.1
 # Here we make the scan as if it originiates from 10.10.10.5
  • Alternative to Zombie scan is Decoy scan using the option -D or using proxy scan

Video Walkthrough

Vous aimez cette publication ?

Achetez un pizza à Motasem Hamdan / MasterMinds Group

Plus de Motasem Hamdan / MasterMinds Group

ConfidentialitéConditionsSignaler