We covered different types of Nmap scans that can be used to evade Firewall and IDS detection. We discussed packet fragmentation, decoy scan, stealth scanand proxy scans. We used public sources to perform the expirement.
Splunk SIEM Full Course with Practical Scenarios
Goals of Firewall & IPS/IDS Evasion
There are several scenarios in which you might find yourself in need to bypass an existing IDS such as Snort. It depends on what you are or at which stage in the cyber kill chain during your interaction with the target. Overall an IDS/IPS might be a problem most commonly during:
- Port scanning
- Data Exfiltration
- First foothold (shell)
Firewall & IPS/IDS Evasion Methods
- Evasion via Protocol Manipulation
- Evasion via Payload Manipulation
- Evasion via Route Manipulation
- Evasion via Tactical Denial of Service (DoS)
Basic TCP Scan
The video starts with a basic TCP Connect scan using the nmap -sT command. This scan sends ICMP packets to check if the target host is live and then attempts to connect to open ports. However, firewalls typically log ICMP traffic, which can raise alerts.
To avoid triggering alerts, the video demonstrates using the -Pn option to skip the ICMP ping process before scanning, which reduces the chances of detection by firewalls that block ICMP.
Nmap Scans Methods to Evade Firewall Detection
- FIN scan against stateless firewall
- Changing Source Port using -g option
nmap -sU -Pn -g 53 -F 10.10.10.1
- Using IPv6 scans
- Fragementation using –f option
nmap -f 10.10.10.1
# the packet is split into 3 fragments
nmap --mtu 24 10.10.10.1
# MTU must be a multiple of 8
- Proxy Scans
nmap -sS HTTP://PROXY_HOST1:8080,SOCKS4://PROXY_HOST2:4153
10.10.10.1
This way, you would make your scan go through HTTP proxy host1, then SOCKS4 proxy host2, before reaching your target.
- Mac Address Spoofing
nmap --spoof-mac Cisco 10.10.10.1
# Spoofing Cisco MAC addresses
- Scan Delay using the option –scan-delay <time>ms
- Zombie Scans
nmap -sI 10.10.10.5 10.10.10.1
# Here we make the scan as if it originiates from 10.10.10.5
- Alternative to Zombie scan is Decoy scan using the option -D or using proxy scan
The SYN Scan (nmap -sS) is introduced as a stealthier option. This scan only sends SYN packets without completing the TCP three-way handshake, which makes it harder for firewalls to log the connection. The SYN scan is a common technique to avoid being logged while still identifying open ports.
The Fragmentation Scan (nmap -f) splits packets into smaller fragments, making it harder for IDS/IPS systems to detect the full packet. The fragmented packets are reassembled at the target, helping to bypass some intrusion detection systems that rely on signature matching.
The Decoy Scan technique (nmap -D) is used to obscure the true source of the scan by generating decoy IP addresses alongside the attacker’s real IP. This can confuse IDS logs by making it look like multiple IP addresses are performing the scan, making it harder to trace back to the real attacker.
Proxy Scanning
The video also covers using proxies to hide the attacker’s IP address. By routing the scan through a proxy server (--proxies option), the target sees the proxy’s IP address instead of the attacker’s, providing an additional layer of anonymity.
The video emphasizes combining techniques, such as using SYN scans, fragmentation, and proxies together to maximize stealth. This combination can reduce detection by firewalls and prevent logs from alerting administrators to the scan.
