Nmap has different options to :-
1) Fragment Packets:-
This technique was very effective, especially in the old days; however, you can still use it if you find a firewall that is not properly configured. Nmap offers the ability to fragment the packets while scanning with the -f option so it can bypass the packet inspection of firewalls.
root@kali:~/Desktop# nmap -f 192.168.1.50

2) Use a specific MTU:-
- Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets. This is similar to the packet fragmentation technique that we explained above.
- During the scan Nmap will create packets with a size based on the number that we give. In this example we gave the number 24, so Nmap will create 24-byte packets, causing confusion to the firewall. Have in mind that the MTU number must be a multiple of 8 (8, 16, 24, 32 etc.).
- You can specify the MTU of your choice with the command --mtu number target.
root@kali:~/Desktop# nmap --mtu 24 192.168.1.50

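The fragments that -f and --mtu produce can be recognised on the receiving side even without reassembly when they are too small to carry a whole TCP header (the classic tiny-fragment check). The Python below is an added example, not code from the original post or from Nmap: it splits a constructed 24-byte SYN the way the two options split it and applies that per-packet check; the sample addresses, the SYN contents and the 20-byte threshold are assumptions made for the example.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options, 20 bytes
MF = 0x2000                 # More Fragments bit of the flags/fragment-offset field

def ipv4_header(ident, flags_frag, total_len, proto=6):
    """20-byte IPv4 header with constructed sample addresses 192.168.1.10 -> 192.168.1.50.
    The checksum is left at zero because this example only inspects flags and offset."""
    return struct.pack(IP_HDR, 0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 50]))

def fragment(ident, payload, frag_size):
    """Split a transport payload into IPv4 fragments of frag_size bytes, the way
    -f (8-byte pieces) and --mtu N (N-byte pieces, N a multiple of 8) do."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = MF if off + frag_size < len(payload) else 0
        frags.append(ipv4_header(ident, more | (off // 8), 20 + len(chunk)) + chunk)
    return frags

def parse(pkt):
    f = struct.unpack(IP_HDR, pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"id": f[3], "mf": bool(f[4] & MF), "offset": (f[4] & 0x1FFF) * 8,
            "proto": f[6], "payload": pkt[ihl:]}

def tiny_fragment_reason(pkt, tcp_hdr_len=20):
    """Per-packet check in the spirit of RFC 1858: a TCP fragment that prevents an
    inspector from seeing the whole TCP header in the first fragment is suspicious."""
    p = parse(pkt)
    if p["proto"] != 6 or not (p["mf"] or p["offset"]):
        return None                                   # not TCP, or not fragmented at all
    if p["offset"] == 0 and len(p["payload"]) < tcp_hdr_len:
        return "first fragment too small to hold the TCP header"
    if 0 < p["offset"] < tcp_hdr_len:
        return "later fragment overlaps the TCP header region"
    return None

# Constructed 24-byte TCP SYN (20-byte header + MSS option), ports 40000 -> 80.
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x60, 0x02, 64240, 0, 0) + b"\x02\x04\x05\xb4"

def scan_fragments(frags):
    """Run the check over every fragment; None means the fragment passes."""
    return [tiny_fragment_reason(f) for f in frags]
```

With 8-byte fragments every piece is flagged, while a 24-byte fragment size leaves this particular probe unfragmented and unflagged, which is why an inspecting device should reassemble datagrams before applying port rules rather than rely on this check alone.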
3) Use Decoy addresses:-
In this type of scan you can instruct Nmap to spoof packets from other hosts. In the firewall logs there will be not only our IP address but also the IP addresses of the decoys, so it will be much harder to determine from which system the scan started. There are two options that you can use in this type of scan:-

root@kali:~/Desktop# nmap -D RND:10 [target] (Generates a random number of decoys)
root@kali:~/Desktop# nmap -D decoy1,decoy2,decoy3 etc. (Manually specify the IP addresses of the decoys)

root@kali:~/Desktop# nmap -D 192.168.1.40,192.168.1.45 192.168.1.50

4) Idle Zombie Scan:-

This technique allows you to use another host on the network that is idle in order to perform a port scan against another host. The main advantage of this method is that it is very stealthy, because the firewall log files will record the IP address of the Zombie and not our IP. However, in order to have proper results we must find hosts that are idle on the network.

The Metasploit framework has a scanner that can help us discover hosts that are idle on the network, and it can be used while implementing this type of scan.
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.2-192.168.1.50
msf auxiliary(ipidseq) > run

Using this scanner you can find which IPs are idle in the network and are potential candidates for use in an Idle Zombie Scan. In order to implement an Idle Zombie scan we need to use the command:-
root@kali:~/Desktop# nmap -sI [Zombie IP] [Target IP]

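The ipidseq scanner works by sampling the IP ID field of each host's replies and classifying the sequence; a host whose IP IDs simply count up is the one that can be used as a zombie. The Python below is an added example, not the Metasploit module's code: it performs that classification on constructed samples so an administrator can audit which of their own hosts generate predictable IP IDs and should be patched or reconfigured first. The increment thresholds are this example's assumption and only approximate the classes ipidseq reports.

```python
def classify_ipid(ids):
    """Classify a sequence of IP IDs sampled from one host's replies into roughly the
    classes the ipidseq scanner reports. Assumption: steps of 0..5 count as incremental."""
    if len(ids) < 3:
        return "Insufficient samples"
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]   # the counter wraps at 16 bits
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(d <= 5 for d in diffs):
        return "Incremental"
    # Some stacks emit the counter byte-swapped; test again after swapping the bytes.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    sdiffs = [(b - a) & 0xFFFF for a, b in zip(swapped, swapped[1:])]
    if all(d <= 5 for d in sdiffs):
        return "Broken little-endian incremental"
    if max(diffs) < 0x8000:          # every step positive but too large to be idle traffic
        return "Random positive increments"
    return "Randomized"

# Constructed samples: IP IDs as observed in replies from six hypothetical hosts.
SAMPLES = {
    "192.168.1.2":  [0, 0, 0, 0, 0, 0],
    "192.168.1.7":  [2011, 2012, 2013, 2014, 2015, 2016],          # usable as a zombie
    "192.168.1.9":  [0x0A00, 0x0B00, 0x0C00, 0x0D00, 0x0E00, 0x0F00],
    "192.168.1.12": [41233, 9981, 60011, 372, 28890, 17755],
    "192.168.1.20": [2011, 2031, 2048, 2101, 2130, 2133],          # busy server
    "192.168.1.30": [777, 777, 777, 777, 777, 777],
}

def zombie_candidates(samples):
    """Hosts whose IP IDs are globally incremental, i.e. the ones ipidseq would list and
    the ones a defender should fix (modern stacks randomise or use per-peer counters)."""
    return sorted(h for h, ids in samples.items()
                  if classify_ipid(ids) in ("Incremental", "Broken little-endian incremental"))
```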
5) Source port number specification:-
A common error that many administrators make when configuring firewalls is to set up a rule that allows all incoming traffic coming from a specific port number. The --source-port option of Nmap can be used to exploit this misconfiguration. Common ports that you can use for this type of scan are 20, 53 and 67.
root@kali:~/Desktop# nmap --source-port 53 scanme.nmap.org

6) Append Random Data:-
- Many firewalls inspect packets by looking at their size in order to identify a potential port scan. This is because many scanners send packets that have a specific size. In order to avoid that kind of detection you can use the --data-length option to add additional data and send packets with a different size than the default.
- In the nmap command below we have changed the packet size by adding 25 more bytes. By default the packet size is 58 bytes, but after adding 25 more bytes the packet size will be 83 bytes.
root@kali:~/Desktop# nmap --data-length 25 192.168.1.50

7) Scan with Random Order:-
- In this technique you can scan a number of hosts in random order rather than sequentially. The option that instructs Nmap to scan hosts in random order is --randomize-hosts.
- This technique combined with the slow timing options of the nmap command can be very effective when you don't want to alert firewalls.
root@kali:~/Desktop# nmap --randomize-hosts 192.168.1.50-80

8) MAC Address Spoofing:-
- Another method for bypassing firewall restrictions while doing a port scan is to spoof the MAC address of your host. This technique can be very effective especially if there is a MAC filtering rule that allows only traffic from certain MAC addresses, so you will need to discover which MAC address you need to set in order to obtain results.
- Specifically, the --spoof-mac option gives you the ability to choose a MAC address from a specific vendor, to choose a random MAC address, or to set a specific MAC address of your choice. Another advantage of MAC address spoofing is that it makes your scan stealthier, because your real MAC address will not appear in the firewall log files.
- Specify a MAC address from a vendor -> --spoof-mac Dell/Apple/3Com
- Generate a random MAC address -> --spoof-mac 0
- Specify your own MAC address -> --spoof-mac 00:01:03:25:46:AK
root@kali:~/Desktop# nmap -sT -Pn --spoof-mac Dell 192.168.1.50

9) Send Bad Checksums:-
- Checksums are used by the TCP/IP protocols to ensure data integrity. However, sending packets with incorrect checksums can help you discover information from systems that are not properly configured, or when you are trying to avoid a firewall.
- You can use the command nmap --badsum IP in order to send packets with bad checksums to your targets. If you don't get any results, it means that the system is properly configured.
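A stack that verifies checksums silently drops the --badsum probes described above, and a sensor that verifies them can count such packets, since a correctly working TCP/IP stack never emits them. The Python below is an added example, not code from the original post or from Nmap: it builds a constructed IPv4/TCP SYN with correct header checksums, optionally corrupts either checksum, and verifies both; the addresses and ports are sample values, not taken from any capture.

```python
import struct

def ones_complement_sum(data):
    """RFC 1071 Internet checksum (one's complement of the one's-complement sum).
    With a valid checksum field already in place the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(bad_ip=False, bad_tcp=False):
    """Constructed IPv4/TCP SYN 192.168.1.10:40000 -> 192.168.1.50:80 (sample values).
    bad_ip / bad_tcp corrupt the respective checksum, which is what --badsum produces."""
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 50])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp_sum = ones_complement_sum(pseudo + tcp)
    if bad_tcp:
        tcp_sum ^= 0x5555
    tcp = tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip_sum = ones_complement_sum(ip)
    if bad_ip:
        ip_sum ^= 0x5555
    ip = ip[:10] + struct.pack("!H", ip_sum) + ip[12:]
    return ip + tcp

def verify(pkt):
    """Return (ip_header_ok, tcp_ok) for an IPv4/TCP packet without options."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0
    segment = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(segment))
    return ip_ok, ones_complement_sum(pseudo + segment) == 0

def bad_checksum_packets(packets):
    """Detection helper: indices of packets failing either check. A real stack never
    sends these, so a stream of them from one source is a crafted-packet indicator."""
    return [i for i, p in enumerate(packets) if not all(verify(p))]
```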