05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
Penetration Testing Lab REPORT THIS AD
Articles from the Pentesting Field
Home Pentesting Distros Resources Submissions Toolkit Contact the Lab
Password Security 101
Metasploit Framework Payload Commands
April 2, Nmap – Techniques for Avoiding Firewalls
2012 netbiosX Information Gathering Firewall, Firewall Evasion, Nmap 14
Comments
As a penetration tester you will come across with systems that are behind firewalls
and they are blocking you from getting the information that you [Link] you will
need to know how to avoid the firewall rules that are in place and to discover
information about a [Link] step in a penetration testing called Firewall Evasion
Rules.
Nmap is offering a lot of options about Firewall evasion so in this article we will
explore these options.
Fragment Packets
This technique was very effective especially in the old days however you can still use
it if you found a firewall that is not properly [Link] Nmap offers that ability
to fragment the packets while scanning with the -f option so it can bypass the
packet inspection of firewalls.
Fragment Packets - Nmap
In the next image we can see that Nmap is sending packets 8-bytes size when we
are doing a scan with the -f option.
Capture a fragment packet
Specify a specific MTU
Nmap is giving the option to the user to set a specific MTU (Maximum
Transmission Unit) to the [Link] is similar to the packet fragmentation
technique that we have explained [Link] the scan that size of the nmap will
create packets with size based on the number that we will [Link] this example we
Privacy & Cookies: This site uses cookies. By continuinggave
to use this
the website,24
number youso
agree
the to their will
nmap use. create 24-byte packets causing a confusion to
To find out more, including how to control cookies, seethe
here: Cookie Policy in mind that the MTU number must be a multiple of 8 (8,16,24,32
[Link]
etc). You can specify the MTU of your choice with the command –mtu number
target. Close and accept
[Link] 1/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
Specify a specific MTU to the packets
Use Decoy addresses
In this type of scan you can instruct Nmap to spoof packets from other [Link] the
firewall logs it will be not only our IP address but also and the IP addresses of the
decoys so it will be much harder to determine from which system the scan
[Link] are two options that you can use in this type of scan:
1. nmap -D RND:10 [target] (Generates a random number of decoys)
2. nmap -D decoy1,decoy2,decoy3 etc. (Manually specify the IP addresses
of the decoys)
Scanning with decoy addresses
In the next image we can see that in the firewall log files exist 3 different IP
[Link] is our real IP and the others are the decoys.
Log Files flooded with decoy addresses
You need to have in mind that the host that you will use as decoys must be online in
order this technique to [Link] using many decoys can cause network congestion
so you may want to avoid that especially if you are scanning the network of your
client.
Idle Zombie Scan
This technique allows you to use another host on the network that is idle in order to
perform a port scan to another [Link] main advantage of this method is that it
very stealthy because the firewall log files will record the IP address of the Zombie
and not our [Link] in order to have proper results we must found hosts that
are idle on the network.
Metasploit framework has a scanner that can help us to discover hosts that are idle
on the network and it can be used while implementing this type of scan.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
Close and accept
[Link] 2/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
Discover Zombies
As we can see from the above image the scanner has discovered that the IP
addresses [Link] and [Link] are idle on the network and are potential
candidates for use on an Idle Zombie [Link] order to implement an Idle Zombie
scan we need to use the command nmap -sI [Zombie IP] [Target IP]
Executing an Idle Scan
We can see the effectiveness of this scan just by checking the firewall [Link] we can
see the log files record the IP address of the Zombie host (SRC=[Link]) and
not our IP address so our scan was stealthy.
Firewall Log Files - Idle Scan
Source port number specification
A common error that many administrators are doing when configuring firewalls is
to set up a rule to allow all incoming traffic that comes from a specific port
[Link] –source-port option of Nmap can be used to exploit this
[Link] ports that you can use for this type of scan are: 20,53
and 67.
Source port scan
Append Random Data
Many firewalls are inspecting packets by looking at their size in order to identify a
potential port [Link] is because many scanners are sending packets that have
specific [Link] order to avoid that kind of detection you can use the command –
data-length to add additional data and to send packets with different size than the
[Link] the image below we have changed the packet size by adding 25 more
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
bytes.
To find out more, including how to control cookies, see here: Cookie Policy
Close and accept
[Link] 3/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
Adding random data to avoid detection
The size of a typical packet that nmap sends to the target is 58 bytes as you can see
in the image below.
Typical packet from nmap scan
With the command that we have used –data-length 25 we changed that value to
83 in order to avoid being discovered by firewalls that will check for the default
packet size that nmap generates.
A sample of a packet that we have add 25 more bytes to avoid detection
Scan with Random Order
In this technique you can scan a number of hosts in random order and not
[Link] command that you use to instruct Nmap to scan for host in random
order is –[Link] technique combined with slow timing options in
nmap command can be very effective when you don’t want to alert firewalls.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
Close and accept
[Link] 4/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
Scan hosts in random order
MAC Address Spoofing
Another method for bypassing firewall restrictions while doing a port scan is by
spoofing the MAC address of your [Link] technique can be very effective
especially if there is a MAC filtering rule to allow only traffic from certain MAC
addresses so you will need to discover which MAC address you need to set in order
to obtain results.
Specifically the –spoof-mac option gives you the ability to choose a MAC address
from a specific vendor,to choose a random MAC address or to set a specific MAC
address of your [Link] advantage of MAC address spoofing is that you
make your scan more stealthier because your real MAC address it will not appear
on the firewall log files.
Specify MAC address from a Vendor —-> –spoof-mac Dell/Apple/3Com
Generate a random MAC address —-> —spoof-mac 0
Specify your own MAC address —-> —spoof-mac [Link]
MAC address Spoofing
Send Bad Checksums
Checksums are used by the TCP/IP protocol to ensure the data [Link]
sending packets with incorrect checksums can help you to discover information
from systems that is not properly configured or when you are trying to avoid a
firewall.
You can use the command nmap –badsum IP in order to send packets with bad
checksums to your [Link] the image below we didn’t get any [Link] means
that the system is suitable configured.
Sending packets with bad checksum
You can see below a sample of a packet with bad checksum that we have sent:
A packet with bad checksum
Conclusion
We have seen that Nmap offers a variety of methods that it can be used to avoid a
Privacy & Cookies: This site uses cookies. By continuingfirewall
to use this website,
that existsyou
onagree to their use.
the network that we are scanning and to get proper results
To find out more, including how to control cookies, see here: Cookie Policy
from the target [Link] problem in many of the cases that we have seen is the bad
configuration of Firewalls that allowed us to get results from the [Link] in a
Close and accept
network that have IDS and firewalls properly configured many of the techniques
[Link] 5/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
may not [Link] situation is different so you need to decide which one will work
for you.
ADVERTISEMENT
Advertisements
REPORT THIS AD
REPORT THIS AD
Rate this:
18 Votes
Share this:
Twitter Facebook 6 LinkedIn Pinterest 1
Reddit Tumblr Google
Like
2 bloggers like this.
Related
Nmap Cheat Sheet Nmap Scripting Engine - Information Gathering
In "General Lab Notes" Basic Usage With Nmap
In "Information In "Information
Gathering" Gathering"
14 Comments (+add yours?)
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
anon
Apr 03, 2012 @ [Link]
Close and accept
[Link] 6/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
I just wanted to thank you for writing this entry. I really enjoyed the information
you posted. Isn’t nmap great?
REPLY
commonly over-looked Nmap techniques | hungry foolish
nerd
Apr 04, 2012 @ [Link]
Nathalie
Apr 04, 2012 @ [Link]
great summary!
REPLY
Security News « CyberOperations
Apr 07, 2012 @ [Link]
corehook
Apr 07, 2012 @ [Link]
Reblogged this on [Link] – information security specialist and commented:
Советую прочитать
REPLY
Alex
Apr 08, 2012 @ [Link]
Interesting article, never knew that you could specify a static MTU using nmap
REPLY
sdjeong
Apr 09, 2012 @ [Link]
thanks a lot. your information help to me so many. especially in nmap the -f option
is very good tip.
REPLY
danielweis
Apr 09, 2012 @ [Link]
Reblogged this on Daniel Weis's I.T Security Blog and commented:
Fantastic Post on Nmap Firewall evasion here, highly recommend the read, all
of these and more I perform on most pentests however, the best protection
against these is a good IPS.
REPLY
Nmap – Techniques for Avoiding Firewalls « Penetration
Testing Lab « vctecnologia
Jul 12, 2012 @ [Link]
Nmap – Techniques for Avoiding Firewalls « CoreNumb
Security
Nov 27, 2012 @ [Link]
Nmap, the Network Mapper | Doug Vitale Tech Blog
Jan 16, 2014 @ [Link]
Zer0byte
Jan 17, 2014 @ [Link]
Thank You
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
nmap -f [Link] did the trick for me
Close and accept
REPLY
[Link] 7/8
�05/12/2018 Nmap – Techniques for Avoiding Firewalls | Penetration Testing Lab
ariccobene
Mar 17, 2014 @ [Link]
Reblogged this on [Link] aka Ar10k1o and commented:
Nmap techniques
REPLY
dharmendra
May 26, 2014 @ [Link]
how to prevent from -f command so that it get detected by firewall
REPLY
Leave a Reply
Enter your comment here...
Password Security 101
Metasploit Framework Payload Commands
Blog at [Link].
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
Close and accept
[Link] 8/8
