Nmap - Firewall Evasion Techniques

Hacking Cyber World

  • As a penetration tester you will come across systems that sit behind firewalls.
  • So you will need to get around the firewall rules that are in place in order to discover information about a host.
  • This step of a penetration test is called firewall evasion.
  • Nmap offers a lot of options for firewall evasion.

Fragmentation scanning

  • Instead of just sending the probe packet, you break it into a couple of small IP fragments.
  • You are splitting the TCP header over several packets to make it harder for packet filters and similar devices to detect what you are doing.
  • The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
  • This technique was very effective in the old days; however, you can still use it if you find a firewall that is not properly configured.
  • Fragmentation scanning: nmap -f ip_target

Specify Specific MTU

  • Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets.
  • This is similar to the packet fragmentation technique.
  • During the scan, nmap will create packets whose size is based on the number that we give.
  • In this example we gave the number 24, so nmap will create 24-byte packets, causing confusion to the firewall.
  • Have in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32, etc.).
  • Command: nmap --mtu number target_ip
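The reason tiny fragments trouble a packet filter is that the first fragment may not even contain the full TCP header, so the filter cannot see ports or flags. The following Python is an added example and not code from the original post: it constructs a normal TCP SYN and the same SYN split into 8-byte fragments (the fragment size the -f switch produces), and flags a first fragment that is too short to carry a complete TCP header. The packet builder, the 20-byte threshold and the sample addresses are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

# Threshold chosen for this example: the first fragment of a TCP datagram must
# carry at least a full 20-byte TCP header so that a filter can see ports and
# flags.  (RFC 1858 discusses the same "tiny fragment" problem.)
MIN_FIRST_FRAGMENT_PAYLOAD = 20
IPPROTO_TCP = 6


@dataclass
class IPv4Fragment:
    ident: int
    more_fragments: bool
    offset: int        # byte offset of this fragment within the datagram
    proto: int
    payload_len: int


def parse_ipv4(pkt: bytes) -> IPv4Fragment:
    """Read the fragmentation-relevant fields from an IPv4 header."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_off & 0x2000)       # MF (more fragments) bit
    offset = (flags_off & 0x1FFF) * 8     # offset is stored in 8-byte units
    return IPv4Fragment(ident, more, offset, proto, total_len - ihl)


def audit(packets):
    """Label each packet 'whole', 'fragment' or 'tiny-first-fragment'."""
    labels = []
    for pkt in packets:
        f = parse_ipv4(pkt)
        if not f.more_fragments and f.offset == 0:
            labels.append("whole")
        elif (f.offset == 0 and f.proto == IPPROTO_TCP
              and f.payload_len < MIN_FIRST_FRAGMENT_PAYLOAD):
            labels.append("tiny-first-fragment")
        else:
            labels.append("fragment")
    return labels


def make_ipv4(ident, more_fragments, offset, proto, payload):
    """Constructed test packet; header checksum left at 0 (not verified here)."""
    flags_off = (0x2000 if more_fragments else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed 20-byte TCP SYN header: sport 40000, dport 80, flags = SYN.
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)

SAMPLE_PACKETS = [
    make_ipv4(1, False, 0, IPPROTO_TCP, SYN),        # normal, unfragmented SYN
    make_ipv4(2, True, 0, IPPROTO_TCP, SYN[0:8]),    # same SYN split into 8-byte pieces
    make_ipv4(2, True, 8, IPPROTO_TCP, SYN[8:16]),
    make_ipv4(2, False, 16, IPPROTO_TCP, SYN[16:20]),
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        f = parse_ipv4(pkt)
        print(f"id={f.ident} off={f.offset} mf={f.more_fragments} len={f.payload_len}: {label}")
```

The `offset // 8` in the builder is the same 8-byte granularity that forces the --mtu value to be a multiple of 8. On the defending side, the usual fix is to reassemble datagrams before applying filter rules, or to drop first fragments shorter than the transport header.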

    Use Decoy Addresses

    • In this type of scan you can instruct Nmap to spoof packets from other hosts.
    • In the firewall logs there will be not only our IP address but also the IP addresses of the decoys.
    • So it will be much harder to determine from which system the scan started.
    • There are two options that you can use in this type of scan:
      – Generate 10 random decoys: nmap -D RND:10 [target_ip]
      – Manually specify the IP addresses of the decoys: nmap -D decoy1,decoy2,decoy3,…


    Firewalking

    • Firewalk gathers information about a remote network protected by a firewall.
    • Purpose:
      – Mapping open ports on a firewall
      – Mapping a network behind a firewall
    • If the firewall's policy is to drop ICMP ECHO Request/Reply, this technique is very effective.

    How Does Firewalking Work?

    • It uses a traceroute-like technique to determine whether or not a particular packet can pass through a packet-filtering device.
    • Traceroute depends only on the IP layer (the TTL field), so any transport protocol can be used the same way (TCP, UDP and ICMP).

    What Does Firewalking Need?

    • The IP address of the last known gateway before the firewall.
      – Serves as the WAYPOINT.
    • The IP address of a host located behind the firewall.
      – Used as a destination to direct packet flow.

    Getting the Waypoint

    • If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, the last gateway which responded (the firewall itself) can be determined.
    • The firewall becomes the waypoint.

    Getting the Destination

    • Traceroute the same machine with a different traceroute probe using a different transport protocol.
    • If we get a response:
      – That particular traffic is allowed by the firewall.
      – We know a host behind the firewall.
    • If we are continuously blocked, then this kind of traffic is blocked.
    • Sending packets to every host behind the packet-filtering device can generate an accurate map of the network's topology.

      Nmap NSE Firewalk (1)

      • Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
      • To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway.
      • If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway's next-hop router, or eventually from the metric itself if it is directly connected to the gateway.
      • Otherwise, the probe will time out.

      Idle Zombie Scan

      • This technique allows you to use another host on the network that is idle in order to perform a port scan against another host.
      • The main advantage of this method is that it is very stealthy, because the firewall log files will record the IP address of the zombie and not our IP.
      • However, in order to have proper results, we must find hosts that are idle on the network.
      • The Metasploit framework has a scanner that can help us discover hosts that are idle on the network, and it can be used while implementing this type of scan.
      • Nmap's IPID idle scanning allows us to scan a target somewhat stealthily while spoofing the IP address of another host on the network.
      • In order for this type of scan to work, we will need to locate a host that is idle on the network and uses IPID sequences of either Incremental or Broken Little-Endian Incremental.
      • Metasploit contains the module 'scanner/ip/ipidseq' to scan and look for a host that fits the requirements.
      • Based on the scan result we get from Metasploit, we will use the hosts that have IPID Sequence class = Incremental as our zombie hosts.
      • Command: nmap -sI zombie_ip target_ip or nmap -Pn -sI ip_zombie -v ip_target
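What makes a host usable as a zombie is a globally predictable IPID counter, and that is also what a defender should audit their own hosts for. The following Python is an added example, not code from the original post, Nmap or Metasploit: it classifies a sequence of IPID values sampled from one host into classes named after the ones ipidseq reports (Incremental, Broken little-endian incremental, All zeros, Constant, Randomized). The step threshold and the sample sequences are this example's own assumptions, not the tools' exact rules.

```python
# Step sizes this example treats as counter-like increments between consecutive
# samples.  A threshold chosen for this illustration, not Nmap's or Metasploit's.
MAX_COUNTER_STEP = 10


def _diffs(ids):
    """Differences between consecutive 16-bit IPIDs, modulo 2**16, so that a
    wraparound (65535 -> 0) still counts as a step of 1."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def _byte_swapped(ids):
    """Reinterpret each ID as if the host had written its counter little-endian."""
    return [((i & 0xFF) << 8) | (i >> 8) for i in ids]


def classify_ipid(ids):
    """Classify the IPID sequence observed from one host."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "All zeros"                      # nothing to predict
    if len(set(ids)) == 1:
        return "Constant"                       # no counter at all
    if all(0 < d <= MAX_COUNTER_STEP for d in _diffs(ids)):
        return "Incremental"                    # plain global counter
    if all(0 < d <= MAX_COUNTER_STEP for d in _diffs(_byte_swapped(ids))):
        return "Broken little-endian incremental"  # counter, wrong byte order
    return "Randomized"


def usable_as_zombie(ids):
    """True for hosts whose IPID counter leaks how many packets they send;
    these are the hosts a defender should fix (enable IPID randomization)."""
    return classify_ipid(ids) in ("Incremental", "Broken little-endian incremental")


# Constructed sample sequences, as a probe-and-record loop would collect them.
SAMPLES = {
    "printer": [4100, 4101, 4102, 4104, 4105],
    "legacy-host": [0x0100, 0x0200, 0x0300, 0x0400],
    "modern-host": [0, 0, 0, 0],
    "randomizing-host": [51333, 1202, 60017, 9091],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name:18s} {classify_ipid(ids):35s} zombie-capable={usable_as_zombie(ids)}")
```

The byte-swap step is what turns the legacy host's 256-per-packet jumps into a 1-per-packet counter, which is exactly the "broken little-endian" case the text mentions. Hosts that land in either incremental class should have IPID randomization turned on; once the counter is unpredictable the idle scan has nothing to measure.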

      Source Port Number Specification

      • A common error that many administrators make when configuring firewalls is to set up a rule that allows all incoming traffic coming from a specific source port number.
      • The --source-port option of Nmap can be used to exploit this misconfiguration.
      • Common ports that you can use for this type of scan are 20, 53 and 67.
      • Command: nmap --source-port 53 ip_target
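The misconfiguration above is easy to spot in a rule set once you look for it: an accept rule keyed on the source port alone, with no destination port and no connection state. The following Python is an added example and not code from the original post: it models first-match rule evaluation with a default deny, puts a weak rule set beside a hardened one, and shows that a probe with a spoofed source port 53 passes the first and is dropped by the second while a genuine DNS reply still gets through. The rule and flow structures and the sample rule sets are this example's own constructions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    proto: str                       # "tcp", "udp" or "any"
    sport: Optional[int] = None      # None matches any source port
    dport: Optional[int] = None      # None matches any destination port
    established_only: bool = False   # match only replies to connections we started


@dataclass(frozen=True)
class Flow:
    proto: str
    sport: int
    dport: int
    established: bool = False        # True if the inside host opened this connection


def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.proto == "any" or rule.proto == flow.proto)
            and (rule.sport is None or rule.sport == flow.sport)
            and (rule.dport is None or rule.dport == flow.dport)
            and (not rule.established_only or flow.established))


def decide(rules, flow: Flow) -> str:
    """First-match evaluation with an implicit default DROP."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "DROP"


def audit(rules):
    """Return ACCEPT rules that trust the source port alone: any destination
    port, no state tracking.  These are what --source-port takes advantage of."""
    return [r for r in rules
            if r.action == "ACCEPT" and r.sport is not None
            and r.dport is None and not r.established_only]


# Weak rule set (constructed): "anything coming from port 53 or 20 is fine".
WEAK = [
    Rule("ACCEPT", "any", sport=53),
    Rule("ACCEPT", "tcp", sport=20),
    Rule("DROP", "any"),
]

# Hardened rule set (constructed): allow replies to our own connections, and
# inbound DNS only towards the resolver's port.
HARDENED = [
    Rule("ACCEPT", "any", established_only=True),
    Rule("ACCEPT", "udp", dport=53),
    Rule("DROP", "any"),
]

PROBE = Flow("tcp", sport=53, dport=445)                   # scan probe with spoofed source port
DNS_REPLY = Flow("udp", sport=53, dport=33211, established=True)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: probe -> {decide(rules, PROBE)}, dns reply -> {decide(rules, DNS_REPLY)}, "
              f"risky rules: {len(audit(rules))}")
```

The hardened set accepts the DNS reply because of connection state, not because of its source port, which is the property the weak set lacks.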

      Append Random Data

      • Many firewalls inspect packets by looking at their size in order to identify a potential port scan.
      • This is because many scanners send packets that have a specific size.
      • In order to avoid that kind of detection you can use the --data-length option to add additional data and send packets of a different size than the default.
      • In the next slide we have changed the packet size by adding 25 more bytes.
      • The size of a typical packet that nmap sends to the target is 58 bytes.
      • Command: nmap --data-length length_number ip_target

      Scan with Random Order

      • In this technique you scan a number of hosts in random order rather than sequentially.
      • The option that instructs Nmap to scan hosts in random order is --randomize-hosts.
      • This technique, combined with Nmap's slow timing (-T) options, can be very effective when you don't want to alert firewalls.
      • Command: nmap --randomize-hosts ip_target

      MAC Address Spoofing

      • Another method for bypassing firewall restrictions while doing a port scan is to spoof the MAC address of your host.
      • This technique can be very effective, especially if there is a MAC filtering rule that allows only traffic from certain MAC addresses, so you will need to discover which MAC address you need to set in order to obtain results.
      • Specifically, the --spoof-mac option gives you the ability to choose a MAC address from a specific vendor, to choose a random MAC address, or to set a specific MAC address of your choice.
      • Another advantage of MAC address spoofing is that it makes your scan stealthier, because your real MAC address will not appear in the firewall log files.
      • Commands:
        – Specify a MAC address from a vendor: nmap --spoof-mac Dell/Apple/3Com ip_target
        – Generate a random MAC address: nmap --spoof-mac 0 ip_target
        – Specify your own MAC address: nmap --spoof-mac 00:01:02:25:56:AE ip_target

      Send Bad Checksums

      • Checksums are used by the TCP/IP protocols to ensure data integrity.
      • However, sending packets with incorrect checksums can help you discover information from systems that are not properly configured, or when you are trying to avoid a firewall.
      • You can use the command nmap --badsum ip_target in order to send packets with bad checksums to your targets.
      • In the next image we didn't get any results; this means that the system is correctly configured.
      • Command: nmap --badsum ip_target
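The "no results means correctly configured" observation above rests on how the TCP checksum is verified, so it is worth seeing the arithmetic. The following Python is an added example and not code from the original post: it computes the standard one's-complement checksum over the TCP pseudo-header and segment, builds one correct SYN and one with a deliberately corrupted checksum (the kind of segment --badsum produces), and models a packet filter that either validates checksums or does not. The addresses, ports and the filter model are this example's own constructions.

```python
import socket
import struct

IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """TCP pseudo-header: src, dst, zero, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))


def build_tcp_syn(src_ip, dst_ip, sport, dport, bad_checksum=False) -> bytes:
    """Constructed 20-byte TCP SYN.  With bad_checksum=True the checksum field
    is deliberately corrupted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(tcp)) + tcp)
    if bad_checksum:
        csum ^= 0x5A5A                        # always differs from the correct value
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]


def tcp_checksum_ok(src_ip, dst_ip, tcp: bytes) -> bool:
    """A correct segment, summed together with its checksum field, gives 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(tcp)) + tcp) == 0xFFFF


def filter_decision(verify_checksums: bool, src_ip, dst_ip, tcp: bytes) -> str:
    """Model of a packet filter: a device that validates checksums drops the bad
    segment; one that does not will forward it as if it were valid."""
    if verify_checksums and not tcp_checksum_ok(src_ip, dst_ip, tcp):
        return "drop"
    return "forward"


SRC, DST = "192.0.2.10", "198.51.100.20"      # documentation addresses (constructed)
GOOD = build_tcp_syn(SRC, DST, 40000, 80)
BAD = build_tcp_syn(SRC, DST, 40000, 80, bad_checksum=True)

if __name__ == "__main__":
    for name, seg in (("good", GOOD), ("bad", BAD)):
        print(f"{name}: checksum_ok={tcp_checksum_ok(SRC, DST, seg)} "
              f"validating-filter={filter_decision(True, SRC, DST, seg)} "
              f"lax-filter={filter_decision(False, SRC, DST, seg)}")
```

A real TCP stack discards a segment whose checksum fails, so the end host never answers a --badsum probe; any answer that does come back must originate from a device in the path that skipped validation. That is why an empty result, as in the post's screenshot, is the healthy outcome.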
