We covered different types of Nmap scans that can be used to evade Firewall and IDS detection. We discussed packet fragmentation, decoy scan, stealth scanand proxy scans. We used public sources to perform the expirement.
Splunk SIEM Full Course with Practical Scenarios
Highlights
Goals of Firewall & IPS/IDS Evasion
There are several scenarios in which you might find yourself in need to bypass an existing IDS such as Snort. It depends on what you are or at which stage in the cyber kill chain during your interaction with the target. Overall an IDS/IPS might be a problem most commonly during:
- Port scanning
- Data Exfiltration
- First foothold (shell)
Firewall & IPS/IDS Evasion Methods
- Evasion via Protocol Manipulation
- Evasion via Payload Manipulation
- Evasion via Route Manipulation
- Evasion via Tactical Denial of Service (DoS)
Nmap Scans Methods to Evade Firewall Detection
- FIN scan against stateless firewall
- Changing Source Port using -g option
nmap -sU -Pn -g 53 -F 10.10.10.1
- Using IPv6 scans
- Fragementation using –f option
nmap -f 10.10.10.1
# the packet is split into 3 fragments
nmap --mtu 24 10.10.10.1
# MTU must be a multiple of 8
- Proxy Scans
nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153
10.10.10.1
This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.
- Mac Address Spoofing
nmap --spoof-mac Cisco 10.10.10.1
# Spoofing Cisco MAC addresses
- Scan Delay using the option –scan-delay <time>ms
- Zombie Scans
nmap -sI 10.10.10.5 10.10.10.1
# Here we make the scan as if it originiates from 10.10.10.5
- Alternative to Zombie scan is Decoy scan using the option -D or using proxy scan
Video Walkthrough