We covered different types of Nmap scans that can be used to evade Firewall and IDS detection. We discussed packet fragmentation, decoy scan, stealth scanand proxy scans. We used public sources to perform the expirement.

Blue Team Study Notes

Splunk SIEM Full Course with Practical Scenarios

Highlights

Goals of Firewall & IPS/IDS Evasion

There are several scenarios in which you might find yourself in need to bypass an existing IDS such as Snort. It depends on what you are or at which stage in the cyber kill chain during your interaction with the target. Overall an IDS/IPS might be a problem most commonly during:

  • Port scanning
  • Data Exfiltration
  • First foothold (shell)

Firewall & IPS/IDS Evasion Methods

  1. Evasion via Protocol Manipulation
  2. Evasion via Payload Manipulation
  3. Evasion via Route Manipulation
  4. Evasion via Tactical Denial of Service (DoS)

Nmap Scans Methods to Evade Firewall Detection

  • FIN scan against stateless firewall
  • Changing Source Port using -g option
 nmap -sU -Pn -g 53 -F 10.10.10.1
  • Using IPv6 scans
  • Fragementation using –f option
nmap -f 10.10.10.1
# the packet is split into 3 fragments
 nmap --mtu 24 10.10.10.1
# MTU must be a multiple of 8
  • Proxy Scans
nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153
10.10.10.1

This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.

  • Mac Address Spoofing
nmap --spoof-mac Cisco 10.10.10.1
 # Spoofing Cisco MAC addresses
  • Scan Delay using the option –scan-delay <time>ms
  • Zombie Scans
nmap -sI 10.10.10.5 10.10.10.1
 # Here we make the scan as if it originiates from 10.10.10.5
  • Alternative to Zombie scan is Decoy scan using the option -D or using proxy scan

Video Walkthrough

,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles