In the last part, we looked at OS and service version detection along with a few timing options that help in speeding up or slowing down scans according to need. In this post, we'll look at Nmap options that will help you evade firewalls and Intrusion Detection Systems (IDS).
Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.
nikhilh@ubuntu:~$ sudo nmap -d --mtu 1504 scanme.nmap.org
Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.
Fragmented Packets
- Packets containing malicious payload would be instantly detected by IDS and dropped.
- For this reason, packets can be broken down into multiple fragments so that when the IDS examines each packet, they seem harmless. This applies to those types of IDS which don't re-assemble packets before examining them.
- Once the packets are re-assembled at the target host, the malicious payload will be effectively delivered.
This type of scan (or fragscan) requires sudo privileges. This option fragments the packet into multiple 8-byte fragments.
nikhilh@ubuntu:~$ sudo nmap -d -f scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 07:52 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Final times for host: srtt: 48065 rttvar: 70016 to: 328129
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
Raw packets sent: 2014 (88.540KB) | Rcvd: 736 (29.440KB)
On Windows systems, an additional option --send-eth is required for fragmented packets to be transmitted. With this option, Nmap sends packets at the raw Ethernet layer rather than at the IP layer. Microsoft has disabled raw socket support on Windows OS.
Set Maximum Transmission Unit (MTU)
MTU is the maximum size of a packet which can be handled by the network.
- On an average, most Ethernet networks have an MTU size of 1500 bytes.
- Sending a packet with higher MTU size than what the network can handle will lead to packet drops.
- MTU size must always be a multiple of 8 (which is 1 byte)
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 08:32 PDT
...
...
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 128
80/tcp open http syn-ack ttl 128
9929/tcp open nping-echo syn-ack ttl 128
31337/tcp open Elite syn-ack ttl 128
Final times for host: srtt: 52299 rttvar: 87551 to: 402503
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds
Raw packets sent: 2011 (88.416KB) | Rcvd: 1579 (63.164KB)
In the above snippet, I used a MTU of 1504 which is more than 1500. So, how did this work? Nmap hands over the 1504 byte packet to the Network Interface Card (NIC) of the local system which then fragments the packets.
Using a Decoy
Using this option, it can be made to seem that the target system is being scanned by multiple systems at the same time. This allows the true IP to be "lost in the crowd". Using a lot of decoys is not advisable because that will cause network congestion.
nikhilh@ubuntu:~$ nmap -d -D RND:10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:17 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
It is also possible to specify a comma-separated list of decoy IP addresses.
Set a source port
Firewalls block incoming connections based on the application port number, transport layer protocol and more. To get around any source port restriction, it is possible to spoof the port number and get past the firewall.
It is important to note that this option is not compatible with TCP Connect scan (-sT option). This option can also be specified as -g.
nikhilh@ubuntu:~$ sudo nmap -d -sS --source-port 3389 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:23 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:23
...
...
Discovered open port 22/tcp on 45.33.32.156
...
...
Final times for host: srtt: 28093 rttvar: 41588 to: 194445
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 23.81 seconds
Raw packets sent: 2012 (88.456KB) | Rcvd: 478 (19.124KB)
Add payload data
When Nmap sends packets there is no payload data; the packets are empty. In some cases, adding payload data can solicit a response from the target system.
nikhilh@ubuntu:~$ nmap -d --data-length 16 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:31 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds
In the above situation, 16 bytes of payload data will be added to each packet that Nmap sends.
Scan Multiple Hosts in Random Order
To avoid detection by intrusion detection systems, it is advisable to always scan multiple hosts in a random order. This option is especially useful when scanning multiple systems on the same subnet.
nikhilh@ubuntu:~$ nmap -d --randomize-hosts scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:43 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Not shown: 996 filtered ports
Reason: 993 no-responses and 3 host-unreaches
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
...
...
Nmap scan report for localhost (127.0.0.1)
Host is up, received conn-refused (0.00013s latency).
Scanned at 2018-08-24 13:43:48 PDT for 0s
Not shown: 999 closed ports
...
...
Nmap done: 2 IP addresses (2 hosts up) scanned in 69.02 seconds
Spoof MAC address
The MAC address is your identity on the LAN. If you can change that, you've effectively changed your identity and the benefits of that are obvious. For one, you can get past MAC filtering, provided you know which MAC addresses are blocked.
nikhilh@ubuntu:~$ nmap -d --spoof-mac 0 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:03 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address F1:31:59:C6:60:C9 (No registered vendor)
...
...
31337/tcp open Elite syn-ack
Final times for host: srtt: 82422 rttvar: 15862 to: 145870
Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds
It is also possible to specify a vendor-specific MAC address.
nikhilh@ubuntu:~$ nmap -d --spoof-mac vmware scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:46 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address 00:05:69:CA:56:27 (VMware)
...
...
Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.01 seconds
Idle Zombie Scan
Idle zombie scan is a combination of packet forging and scanning, making it the ultimate stealth scan. This concept is based on tracking fragment identification number (IP ID) and that this number increases whenever a system sends a packet.
It is important to note that the zombie used must be truly idle. Since Nmap, by default pings the target host before scanning, it is advisable to use -Pn option to prevent the initial ping.
While I cannot demonstrate this concept because I don't have an available zombie host, here is the command construction:
nikhilh@ubuntu:~$ sudo nmap -d -Pn -sI <zombie-ip> scanme.nmap.org
That's it for part 7! Evading firewalls and IDS is very important to ensure that your scanning attempts stay hidden from the target network's administrators. If there are any questions, leave them in the comments below and I'll get back to you as soon as I can!
In the next (and final) part, we'll look at some of the output file types that Nmap provides.
That's it for part 7! Evading firewalls and IDS is very important to ensure that your scanning attempts stay hidden from the target network's administrators. If there are any questions, leave them in the comments below and I'll get back to you as soon as I can!
In the next (and final) part, we'll look at some of the output file types that Nmap provides.