HakTip 102 – NMap 101: Fun With Firewalls!
Shannon Morse shares several commands you can use to evade firewalls and intrusion detection systems in NMap.
Welcome to HakTip — the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I’m Shannon Morse and today we’re going to go over evading firewalls in NMap!
Firewalls are put in place because of tools like NMap. NMap has the power to give you a mapping of a network system. You can see everything, from OS versions to open ports. Firewalls and intrusion detection systems are made to prevent NMap and other programs from getting that information. To evade these firewalls, we have several options. Let’s take a look.
Type this command: nmap -f 10.73.31.145. You can also type: nmap --send-eth -f 10.73.31.145. The -f option splits each probe into tiny 8-byte fragments instead of sending a whole packet. There is also this command: nmap --mtu 8 10.73.31.145. MTU stands for Maximum Transmission Unit; the option works like -f but lets you specify the fragment size yourself. The size must be a multiple of 8, so you can set it to 8, 16, 32, 64, etc. I just scanned that target with the --mtu option and 8-byte fragments. You may need to add --send-eth to your command to make it work.
Type this command: nmap -D RND:10 10.73.31.145. This is the decoy option, which lets you scan using multiple decoy IP addresses. NMap will send its probes from several spoofed source addresses alongside your own. To the target, it’ll look like it’s being scanned from several machines all at once, and the one actually doing the attack will be harder to find. You can also specify exact decoys by using this command: nmap -D decoy1,decoy2,RND:10 10.73.31.145.
You may also want to try the Idle Zombie scan, which exploits an idle system by using it to scan your target. It’ll only work if the zombie is actually idle when you run it. This command looks like: nmap -sI 10.73.31.55 10.73.31.145 (where 145 is my target and 55 is my zombie).
Other than specifying the byte size, we can also specify the source port number with: nmap --source-port 54 10.73.31.145. NMap usually picks a random source port for its probes, but this forces it to use a specific one. The shorter -g option also lets you set the source port.
We’ll be back after this break!
We’re back with evading firewalls! Now, let’s try this one: nmap --data-length 25 10.73.31.145. This appends random data to probe packets, because some targets only accept packets of a specific size. The length is in bytes and can be any size.
You can also randomize your target scan order by using: nmap --randomize-hosts 10.73.31.100-175. And if you want to spoof the MAC address of an Ethernet device, you can use: nmap -sT -PN --spoof-mac 0 10.73.31.145. The 0 means NMap will generate a random MAC address.
Lastly we have sending bad checksums. Use: nmap --badsum 10.73.31.145 to send packets with incorrect checksums. TCP/IP uses checksums to verify that a packet was not corrupted in transit, so a correctly configured host silently drops these packets. You won’t receive anything back, which means the system is probably configured right.
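On the defender’s side, the fragmentation, decoy and bad-checksum tricks above all leave traces a firewall log can show. The following Python is an added example (not from the show, not NMap code) that runs simple detections over a constructed log in an assumed format of “epoch src dst frag badsum”: it flags a target probed by many distinct sources inside a short window (the decoy pattern) and counts fragmented and bad-checksum probes per source.

```python
from collections import defaultdict

# Constructed sample firewall log (not captured traffic), one event per line:
# epoch_seconds source_ip destination_ip frag(0/1) badsum(0/1)
SAMPLE_LOG = """\
1700000000 10.73.31.20 10.73.31.145 0 0
1700000001 10.73.31.21 10.73.31.145 0 0
1700000001 10.73.31.22 10.73.31.145 0 0
1700000002 10.73.31.23 10.73.31.145 0 0
1700000002 10.73.31.24 10.73.31.145 0 0
1700000003 10.73.31.25 10.73.31.145 1 0
1700000003 10.73.31.25 10.73.31.145 1 0
1700000004 10.73.31.25 10.73.31.145 0 1
1700000050 10.73.31.30 10.73.31.146 0 0
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, frag, badsum = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "frag": frag == "1", "badsum": badsum == "1"})
    return events


def decoy_scan_targets(events, window=5, min_sources=5):
    """Return {dst: sorted sources} for every destination that was probed by
    at least `min_sources` distinct sources within `window` seconds."""
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e["dst"]].append((e["ts"], e["src"]))
    flagged = {}
    for dst, probes in by_dst.items():
        probes.sort()  # sliding window over time-ordered probes
        for i, (t0, _) in enumerate(probes):
            srcs = {s for t, s in probes[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[dst] = sorted(srcs)
                break
    return flagged


def evasion_hits(events):
    """Count fragmented and bad-checksum probes per source address."""
    hits = defaultdict(lambda: {"frag": 0, "badsum": 0})
    for e in events:
        if e["frag"]:
            hits[e["src"]]["frag"] += 1
        if e["badsum"]:
            hits[e["src"]]["badsum"] += 1
    return dict(hits)
```

With the sample log, 10.73.31.145 is flagged with six distinct sources in a five-second window, and 10.73.31.25 shows up with two fragmented and one bad-checksum probe; thresholds are assumptions to tune for your own traffic.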
And that’s it for evading firewalls! What would you like to see next about NMap? Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5, for more great stuff just like this. I’ll be there, reminding you to trust your technolust.