Mastering Nmap: The Full Toolkit. From Basics to Pro: Nmap Explained… | by Muhammad Abdullah Niazi | Jan, 2025 | InfoSec Write-ups

Mastering Nmap: The Full Toolkit

From Basics to Pro: Nmap Explained (Part 2)

Nmap: Network Mapper

Nmap's firewall evasion options help scans get past firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) that would otherwise block or log them. These techniques should be used ethically and only with proper authorization. The techniques and strategies below are used to evade detection:

  • Timing and Throttling: Adjust the timing template (-T0 to -T5) so the scan looks less intrusive. Slower templates reduce detectability but lengthen the scan. Use --scan-delay to add a pause between probes, which further mimics legitimate traffic patterns.
  • Fragmentation: Split scan packets into small IP fragments (-f, or --mtu for a custom fragment size, which must be a multiple of 8) so that firewalls that do not reassemble fragments cannot inspect the full TCP header.
nmap -f 192.168.91.130

Randomizing Techniques:

  • Host Order: Randomize the order in which targets are scanned (--randomize-hosts) to disrupt IDS rate-limiting and correlation.
  • Decoys: Cloud IDS logs by sending the same probes from several spoofed source addresses alongside your own (-D; RND:n generates n random decoys and ME marks your real address in the sequence).
nmap -D RND:5,ME 192.168.91.130

Spoofing Techniques:

  • Source IP: Spoof the source address (-S) to hide the scan's origin. This may require elevated privileges and routing table adjustments, and because replies go to the spoofed address rather than to the scanner, results are only visible if you can capture that return traffic.
  • MAC Address: Use a chosen MAC address (--spoof-mac) to get past MAC-based filtering on the local segment; --spoof-mac 0 generates a random one.

Protocol Evasion:

  • Custom Source Port: Send probes from a source port that firewalls commonly trust (--source-port, alias -g), such as 53 (DNS) or 80 (HTTP). Stateless rules that allow any traffic "from port 53" let such probes through; a stateful firewall is not fooled.
  • Raw Packet Scanning: Combine a spoofed source address with an explicit network interface (-S together with -e) so that raw packets leave on the interface you choose, bypassing higher-level filtering.

Advanced Techniques:

  • TTL Manipulation: Set the IP Time-to-Live (--ttl) to potentially get past firewall rules that filter on hop count.
  • Proxy Chains: Route scan traffic through one or more proxies (--proxies) for anonymity. Note that Nmap's proxy support only applies to version detection and NSE scripts; host discovery, port scanning and OS detection are not proxied.
  • Uncommon Protocols: Use less common protocols, such as SCTP INIT scans (-sY) or ICMP echo host discovery (-PE), which firewall rules written for TCP and UDP scans may not cover.
  • Application-Layer Techniques: Make probes look more like application traffic by appending random data (--data-length), since Nmap's default probes carry an empty payload.
  • DNS-Based Reconnaissance: Use a list scan (-sL), which only performs reverse-DNS lookups on the targets and sends them no packets, to enumerate hosts without triggering the firewall.

Most Commonly Used Commands

  • Timing and Throttling: nmap -T2 -Pn <target> - Slows the scan to avoid detection (-Pn also skips host discovery).
  • Custom MTU: nmap --mtu <value> <target> - Sets a custom fragment size (a multiple of 8) for packet fragmentation.
  • Randomized Host Order: nmap --randomize-hosts -iL <file> - Randomizes the order of the targets read from the file.
  • Decoys: nmap -D RND:10,ME <target> - Mixes ten random spoofed sources with the real scanner to obscure it.
  • Spoofed Source IP: nmap -S <spoofed-ip> <target> - Masks the scan's source IP.
  • MAC Address Spoofing: nmap --spoof-mac <mac> <target> - Impersonates a MAC address.
  • Source Port Spoofing: nmap --source-port <port> <target> - Mimics legitimate traffic (e.g., DNS on port 53).
  • Custom TTL: nmap --ttl <value> <target> - Manipulates the TTL to bypass hop-based firewall rules.
  • Proxy Chains: nmap --proxies <proxy-list> <target> - Routes version detection and NSE traffic through proxies for anonymity.
  • IPv6 Scan: nmap -6 <target> - Scans the target over IPv6.
  • Uncommon Protocols: nmap -PE <target> (ICMP echo discovery) or nmap -sY <target> (SCTP INIT scan) - Uses ICMP or SCTP rather than TCP/UDP probes.
  • Random Payloads: nmap --data-length <value> <target> - Adds arbitrary payload data to confuse IDS signatures.
  • DNS Enumeration: nmap -sL <target> - Performs reverse-DNS lookups instead of sending probes.
  • Combined Techniques: nmap -f -T2 -D RND:5 --spoof-mac 0 --source-port 443 <target> - Combines several evasion tactics in one scan.
nmap --ttl 64 --source-port 53 192.168.91.130
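As a defender-side counterpart to these options, here is an added example (not from the original article) of detection heuristics for the traffic patterns that --source-port, -f/--mtu and -D produce; the firewall log format, the sample lines and the thresholds are all assumptions constructed for this example:

```python
from collections import defaultdict

# Constructed sample lines (not real logs); the format is an assumption for this example:
# "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> frag=<0|1>"
SAMPLE_LOG = """\
1000 10.0.0.5:53 -> 192.168.91.130:22 tcp frag=0
1000 10.0.0.5:53 -> 192.168.91.130:80 tcp frag=0
1000 10.0.0.5:53 -> 192.168.91.130:443 tcp frag=0
1000 10.0.0.5:53 -> 192.168.91.130:3389 tcp frag=0
1001 10.0.0.9:40000 -> 192.168.91.130:22 tcp frag=1
1002 10.0.0.21:51000 -> 192.168.91.130:445 tcp frag=0
1002 10.0.0.22:51000 -> 192.168.91.130:445 tcp frag=0
1002 10.0.0.23:51000 -> 192.168.91.130:445 tcp frag=0
1002 10.0.0.24:51000 -> 192.168.91.130:445 tcp frag=0
1010 10.0.0.7:53 -> 192.168.91.130:53 udp frag=0
"""

# Source ports that --source-port is typically set to because stateless rules trust them
TRUSTED_SRC_PORTS = {53, 80, 443}

def parse(line):
    ts, src, _, dst, proto, frag = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), sip, int(sport), dip, int(dport), proto, frag == "frag=1"

def detect(log_text, port_threshold=3, decoy_threshold=4):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    # --source-port: one trusted source port used for TCP probes to many distinct destination ports
    by_src = defaultdict(set)
    for _, sip, sport, _, dport, proto, _ in events:
        if proto == "tcp" and sport in TRUSTED_SRC_PORTS:
            by_src[(sip, sport)].add(dport)
    for (sip, sport), ports in by_src.items():
        if len(ports) >= port_threshold:
            findings.append(("source-port-evasion", sip, f"sport {sport} to {len(ports)} dst ports"))
    # -f / --mtu: fragmented packets aimed at service ports (legitimate TCP is rarely fragmented)
    for sip, dport in sorted({(e[1], e[4]) for e in events if e[6]}):
        findings.append(("fragmented-probe", sip, f"dport {dport}"))
    # -D decoys: many source addresses hitting the same destination port in the same second
    by_window = defaultdict(set)
    for ts, sip, _, dip, dport, _, _ in events:
        by_window[(ts, dip, dport)].add(sip)
    for (ts, dip, dport), srcs in by_window.items():
        if len(srcs) >= decoy_threshold:
            findings.append(("decoy-burst", dip, f"{len(srcs)} sources to port {dport} at t={ts}"))
    return findings
```

The decoy heuristic cannot tell which of the burst's sources is the real scanner; it only flags that a decoy scan happened, which is exactly what -D is designed to achieve, so correlation with other telemetry is still needed.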

Conclusion

These Nmap commands demonstrate firewall evasion through packet fragmentation, timing adjustments, spoofing, decoys, proxy usage and IPv6 scans. Combining these tactics reduces the likelihood of detection by firewalls and IDS while still allowing comprehensive network reconnaissance. Always ensure ethical use and proper authorization before applying these methods. To learn more about Nmap, see From Basics to Pro: Nmap Explained (Part 1) and (Part 3).