Nmap Scanning Tutorial: Bypassing Firewalls and IDS/IPS
This post is for penetration testers who run into trouble scanning corporate networks with firewalls deployed and are unable to get past the firewall or an IDS/IPS.
A firewall is generally software or hardware that protects a private network from a public one. It is a troublemaker for penetration testers, as they are not able to get past this added layer of security.
The good news is that Nmap offers options to bypass firewalls and IDS/IPS.
If a penetration tester can bypass the firewall, half the game is won. In this tutorial you will learn how to bypass and test a firewall using Nmap options.
Nmap options to bypass the firewall:
• -f (fragment packets):
This option makes the probe packets harder to detect. Specifying it once makes Nmap split each packet into fragments of 8 bytes or less after the IP header, which makes it harder for a filter to recognise the packets Nmap sends.
• --mtu:
With this option you specify your own fragment size. The Maximum Transmission Unit (MTU) must be a multiple of eight, or Nmap will give an error and exit. This helps with firewall evasion.
• -D (decoy):
With this option, Nmap sends some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the log files; note that the user's real IP address still appears in the logs, alongside the decoys. You can use RND to generate a random decoy IP address, or RND:number to generate that many random decoys. The hosts you use as decoys should be up, or you will flood the target. Also remember that using many decoys can cause network congestion, so you may want to avoid that, especially when scanning your client's network.
• --source-port or -g (spoof source port):
This option is useful when the firewall is set up to allow all incoming traffic that comes from a specific source port.
• --data-length:
This option changes the default length of the data Nmap sends, so that the scan is not recognised as an Nmap scan by its packet size.
• --max-parallelism:
This option is usually set to one to instruct Nmap to send no more than one probe at a time to the target host.
• --scan-delay:
This option can be used to evade an IDS/IPS that uses a threshold to detect port-scanning activity. Setting a scan delay is always a good idea when you want to evade a security device.
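From the defender's side, the timing options and the decoy option are the ones that matter most: --scan-delay and --max-parallelism both lower the probe rate so that a per-second port counter never reaches its threshold, and -D buries the real scanner among decoy addresses that produce near-identical scans. The following Python script is an added example, not part of the original post and not Nmap's own code; it runs over constructed firewall-style log lines (the log format is an assumption made for this example) and shows that a short detection window misses a slow scan while a longer window catches it, and that a cluster of sources probing the same host at the same moment is the footprint of a decoy scan.

```python
from collections import defaultdict

# Constructed sample log lines for this example. Format (assumed, not any
# real product's): "<epoch_seconds> <src_ip> <dst_ip> <dst_port>", one probe per line.
SAMPLE_LOG = []
# Scenario A: 10.0.0.5 probes 12 ports on one host with a 15 s scan delay.
for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
    SAMPLE_LOG.append(f"{1000 + 15 * i} 10.0.0.5 192.168.1.10 {port}")
# Scenario B: at t=2000 four addresses (one real scanner, three decoys) hit
# the same six ports on another host, which is what -D looks like in the logs.
for src in ("10.0.0.7", "203.0.113.9", "198.51.100.4", "192.0.2.77"):
    for port in (22, 80, 443, 445, 3389, 8080):
        SAMPLE_LOG.append(f"2000 {src} 192.168.1.20 {port}")
# Scenario C: a benign client repeatedly connecting to one web server.
SAMPLE_LOG += [f"{3000 + i} 10.0.0.9 192.168.1.30 443" for i in range(20)]


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def scanning_sources(lines, window_s, port_threshold):
    """Return the set of source IPs that touched at least port_threshold distinct
    destination ports on a single host within any sliding window of window_s
    seconds. A slow scan (--scan-delay, --max-parallelism 1) only shows up when
    window_s is long enough to contain port_threshold probes."""
    probes = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        probes[(src, dst)].append((ts, port))
    flagged = set()
    for (src, dst), events in probes.items():
        events.sort()
        in_window = defaultdict(int)  # port -> number of probes inside the window
        start = 0
        for ts, port in events:
            in_window[port] += 1
            # Drop probes older than window_s seconds from the window.
            while events[start][0] < ts - window_s:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= port_threshold:
                flagged.add(src)
                break
    return flagged


def decoy_clusters(lines, bucket_s, min_sources, min_ports=3):
    """Group probes into bucket_s-second buckets per destination and report hosts
    where at least min_sources different addresses each probed min_ports or more
    ports in the same bucket. Near-identical simultaneous scans from several
    addresses are the footprint of an Nmap -D decoy scan; the real scanner is
    one of them and cannot be told apart from the log alone."""
    buckets = defaultdict(lambda: defaultdict(set))  # (dst, bucket) -> src -> {ports}
    for line in lines:
        ts, src, dst, port = parse_line(line)
        buckets[(dst, ts // bucket_s)][src].add(port)
    clusters = defaultdict(set)
    for (dst, _), by_src in buckets.items():
        scanners = [s for s, ports in by_src.items() if len(ports) >= min_ports]
        if len(scanners) >= min_sources:
            clusters[dst].update(scanners)
    return {dst: sorted(srcs) for dst, srcs in clusters.items()}


if __name__ == "__main__":
    print("60 s window, 10 ports:", scanning_sources(SAMPLE_LOG, 60, 10))
    print("600 s window, 10 ports:", scanning_sources(SAMPLE_LOG, 600, 10))
    print("decoy clusters:", decoy_clusters(SAMPLE_LOG, 60, 3))
```

With a 60 second window and a 10 port threshold the slow scan in scenario A never trips the detector, because only five probes ever fall inside one window; widening the window to 600 seconds catches it. The decoy check reports 192.168.1.20 with all four addresses, which matches the note above that the real address is still in the logs next to the decoys. In practice the window length and thresholds are tuned against the network's own baseline, and the two functions are complementary rather than alternatives.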
Source: Nmap.org
http://nmap.org/book/man-bypass-firewalls-ids.html