We covered different types of Nmap scans that can be used to evade Firewall and IDS detection. We discussed packet fragmentation, decoy scan, stealth scanand proxy scans. We used public sources to perform the expirement.
Highlights
Goals of Firewall & IPS/IDS Evasion
There are several scenarios in which you might find yourself in need to bypass an existing IDS such as Snort. It depends on what you are or at which stage in the cyber kill chain during your interaction with the target. Overall an IDS/IPS might be a problem most commonly during:
Port scanning
Data Exfiltration
First foothold (shell)
Firewall & IPS/IDS Evasion Methods
Evasion via Protocol Manipulation
Evasion via Payload Manipulation
Evasion via Route Manipulation
Evasion via Tactical Denial of Service (DoS)
Nmap Scans Methods to Evade Firewall Detection
FIN scan against stateless firewall
Changing Source Port using -g option
nmap -sU -Pn -g 53 -F 10.10.10.1Using IPv6 scans
Fragementation using –f option
nmap -f 10.10.10.1
# the packet is split into 3 fragments
nmap --mtu 24 10.10.10.1
# MTU must be a multiple of 8Proxy Scans
nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153
10.10.10.1This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.
Mac Address Spoofing
nmap --spoof-mac Cisco 10.10.10.1
# Spoofing Cisco MAC addressesScan Delay using the option –scan-delay <time>ms
Zombie Scans
nmap -sI 10.10.10.5 10.10.10.1
# Here we make the scan as if it originiates from 10.10.10.5Alternative to Zombie scan is Decoy scan using the option -D or using proxy scan
Video Walkthrough