Evading Firewalls - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)

Section 8: Evading Firewalls

Overview

Firewalls and intrusion prevention systems are designed to prevent tools like Nmap from getting an accurate picture of the systems they are protecting. Nmap includes a number of features designed to circumvent these defenses. This section discusses the various evasion techniques built into Nmap.

Summary of features covered in this section:

-f                 Fragment Packets
--mtu              Specify a Specific MTU
-D                 Use a Decoy
-sI                Idle Zombie Scan
--source-port      Manually Specify a Source Port
--data-length      Append Random Data
--randomize-hosts  Randomize Target Scan Order
--spoof-mac        Spoof MAC Address
--badsum           Send Bad Checksums

Fragment Packets

The -f option is used to fragment probes into 8-byte packets.

Usage syntax: nmap -f [target]

# nmap -f 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 10:59 CST
Nmap scan report for 10.10.4.26
Host is up (0.000024s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Scanning a target using fragmented packets

The -f option instructs Nmap to split each probe into IP fragments carrying only 8 bytes of data after the IP header, so a single probe becomes many very small packets. This option isn't particularly useful in everyday situations. It may be helpful, however, when attempting to evade some older or improperly configured firewalls that inspect fragments individually instead of reassembling them first.

Tip: Some host operating systems may require the use of --send-eth combined with -f for fragmented packets to be properly transmitted.

Specify a Specific MTU

The --mtu option is used to specify a custom MTU (Maximum Transmission Unit).

Usage syntax: nmap --mtu [number] [target]

# nmap --mtu 16 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:00 CST
Nmap scan report for 10.10.4.26
Host is up (0.000019s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Specifying a specific MTU

The --mtu option is similar to the -f option except it allows you to specify your own MTU to be used during scanning. This creates fragmented packets that can potentially confuse some firewalls. In the above example, the --mtu 16 argument instructs Nmap to use tiny fragments carrying 16 bytes of data for the scan.

Note: The MTU must be a multiple of 8 (for example 8, 16, 24, 32, etc.), because the IP fragment offset field counts in 8-byte units, so every fragment except the last must end on an 8-byte boundary.

Tip: Some host operating systems may require the use of --send-eth combined with --mtu for fragmented packets to be properly transmitted.
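As an added illustration that is not part of the book, the following Python shows the other side of -f and --mtu: it parses the IPv4 fragment fields a packet filter sees, applies the RFC 1858 tiny-first-fragment rule a firewall can use to drop fragments too short to carry the TCP flags, and checks the multiple-of-8 constraint on --mtu. The sample packets and helper names are constructed for this example.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20   # bytes needed before a filter can see the TCP flags
IP_MF = 0x2000        # "More Fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def parse_ipv4(pkt: bytes) -> dict:
    """Return the fragment-related fields of the fixed IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & OFFSET_MASK) * 8,  # in bytes
        "payload_len": total_len - ihl,
    }

def is_tiny_first_fragment(pkt: bytes) -> bool:
    """RFC 1858 tiny-fragment rule: a first TCP fragment too short to hold the
    full TCP header hides its flags from a stateless filter and should be dropped."""
    h = parse_ipv4(pkt)
    return (h["proto"] == TCP_PROTO and h["frag_offset"] == 0
            and h["more_fragments"] and h["payload_len"] < MIN_TCP_HEADER)

def valid_mtu(n: int) -> bool:
    """The --mtu value must be a positive multiple of 8: every non-final fragment
    must end on an 8-byte boundary because the offset field counts 8-byte units."""
    return n > 0 and n % 8 == 0

def build_ipv4(payload: bytes, mf: bool, offset: int, proto: int = TCP_PROTO) -> bytes:
    """Constructed sample packet for parsing only (header checksum left at zero)."""
    flags_frag = (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 10, 4, 1]), bytes([10, 10, 4, 26]))
    return hdr + payload

# Constructed sample: a first fragment holding only 8 bytes of a TCP SYN (ports and
# sequence number), the shape "nmap -f" produces; the flags byte is in a later fragment.
TINY_FIRST = build_ipv4(b"\x04\xd2\x00\x50\x00\x00\x00\x01", mf=True, offset=0)
# An unfragmented 20-byte SYN for comparison.
WHOLE_SYN = build_ipv4(b"\x04\xd2\x00\x50\x00\x00\x00\x01" + b"\x00" * 12, mf=False, offset=0)
```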

Use a Decoy

The -D option can be used to mask an Nmap scan by creating one or more decoys.

Usage syntax: nmap -D [decoy1,decoy2,etc|RND:number] [target]

# nmap -D RND:10 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:05 CST
Nmap scan report for 10.10.3.1
Host is up (0.00073s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 52.56 seconds

Masking a scan using 10 randomly generated decoy IP addresses

When performing a decoy scan, Nmap will spoof additional packets from the specified number of decoy addresses. This effectively makes it appear that the target is being scanned by multiple systems simultaneously. Using decoys allows the actual source of the scan to “blend into the crowd” which makes it harder to trace where the scan is coming from.

In the above example, nmap -D RND:10 instructs Nmap to generate 10 random decoys. You can also specify decoy addresses manually using the following syntax: nmap -D decoy1,decoy2,decoy3,etc.

Warning: Using too many decoys can cause network congestion and reduce the effectiveness of a scan. Additionally, some systems may be configured to filter spoofed traffic which will reduce the effectiveness of using decoys to cloak your scanning activity.

Idle Zombie Scan

The -sI option is used to perform an idle zombie scan.

Usage syntax: nmap -sI [zombie host] [target]

# nmap -Pn -sI 10.10.4.44 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:13 CST
Idle scan using zombie 10.10.4.44 (10.10.4.44:80); Class: Incremental
Nmap scan report for 10.10.4.26
Host is up (0.049s latency).
Not shown: 994 closed|filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
MAC Address: 00:50:56:BA:28:6F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.99 seconds

Using an idle “zombie” to scan a target

The idle zombie scan is a unique scanning technique that allows you to exploit an idle system and use it to scan a target system for you. In this example 10.10.4.44 is the zombie and 10.10.4.26 is the target system. This scan works by exploiting the predictable IP ID (IP identification field) sequence generation employed by some systems. In order for an idle scan to be successful, the zombie system must truly be idle at the time of scanning.

Tip: Idle network printers make great zombies.

Note: With this scan no probe packets are sent from your system to the target, although an initial ping packet will be sent to the target unless you combine -Pn with -sI.

Manually Specify a Source Port Number

The --source-port option is used to manually specify the source port number of a probe.

Usage syntax: nmap --source-port [port] [target]

# nmap --source-port 53 scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:14 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Manually specifying the packet source port number

Every TCP segment contains a source port number in addition to a destination port. By default, Nmap will randomly pick an available outgoing source port to probe a target. The --source-port option will force Nmap to use the specified port as the source for all packets. This technique can be used to exploit weaknesses in firewalls that are improperly configured to blindly accept incoming traffic based solely on its source port number. Port 20 (FTP), 53 (DNS), and 67 (DHCP) are common ports susceptible to this type of scan.

Tip: The -g option is a shortcut that is synonymous with --source-port.

Append Random Data

The --data-length option can be used to append random data to probe packets.

Usage syntax: nmap --data-length [number] [target]

# nmap --data-length 25 10.10.3.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:15 CST
Nmap scan report for 10.10.3.1
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds

Padding a scan with random data to avoid detection

Nmap normally sends empty packets when performing a port scan. The --data-length option adds the specified amount of random data as a payload to each packet. This can occasionally produce a response where an empty packet might not. In the above example 25 bytes of random data are added to all packets sent to the target.

Note: Payloads larger than 1400 bytes exceed many systems' MTU and may not be sent successfully. Nmap will allow you to attempt this, but will display a warning message for any value above 1400.

Randomize Target Scan Order

The --randomize-hosts option is used to randomize the scanning order of the specified targets.

Usage syntax: nmap --randomize-hosts [targets]

$ nmap -F --randomize-hosts 10.10.4.1-50

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:19 CST
Nmap scan report for 10.10.4.34
Host is up (0.0026s latency).
Not shown: 98 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https

Nmap scan report for 10.10.4.15
Host is up (0.00078s latency).
Not shown: 98 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for 10.10.4.25
Host is up (0.00034s latency).
Not shown: 98 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp

Nmap scan report for 10.10.4.21
Host is up (0.0033s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
[...]

Scanning systems in a random order

The --randomize-hosts option can help prevent scans of multiple targets behind the same firewall from being detected by intrusion detection algorithms. This is done by scanning the targets in a random order instead of sequentially. Combining this technique with the previously discussed timing options can further help prevent tripping any alarms.

Spoof MAC Address

The --spoof-mac option is used to spoof the MAC (Media Access Control) address of an ethernet device.

Usage syntax: nmap --spoof-mac [vendor|MAC|0] [target]

$ nmap -PN --spoof-mac 0 10.10.4.26

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:22 CST
Spoofing MAC address 3F:54:1A:60:BF:B9 (No registered vendor)
Nmap scan report for 10.10.4.26
Host is up (0.0013s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

Using a spoofed MAC address

In this example, Nmap is instructed to forge a randomly generated MAC address. This makes your scanning activity harder to trace by preventing your real MAC address from being logged while scanning the target.

The --spoof-mac option can be controlled by the following parameters:

0 (zero)              Generates a random MAC address
Specific MAC Address  Uses the specified MAC address
Vendor Name           Generates a MAC address from the specified vendor (such as Apple, Dell, 3Com, etc.)

Send Bad Checksums

The --badsum option is used to send packets with incorrect checksums to the specified host.

Usage syntax: nmap --badsum [target]

# nmap --badsum 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-17 11:25 CST
Nmap scan report for 10.10.4.1
Host is up (0.00043s latency).
All 1000 scanned ports on 10.10.4.1 are filtered
MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds

Scanning a target using bad checksums

TCP and UDP use checksums to ensure data integrity. Crafting packets with bad checksums can, on rare occasions, produce a response from a poorly designed system. In the above example we did not receive any results, meaning the target system adheres correctly to the TCP protocol and silently discarded the probes. This is a typical result when using the --badsum option.

Note: Only a poorly designed system would respond to a packet with a bad checksum. Nevertheless, it is a good tool to use when auditing network security or attempting to evade firewalls.
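The following Python is an added example, not code from the book: it implements the receiver-side TCP checksum verification (RFC 1071 one's-complement sum over the IPv4 pseudo-header and segment) that a conforming stack performs before answering, which is why --badsum probes go unanswered, and a simple counter of the kind a sensor could log since such probes are never silent to a monitor. The sample segments and all function names are constructed for this example.

```python
import struct

TCP_PROTO = 6

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum of data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    """IPv4 pseudo-header that TCP covers in addition to its own segment."""
    return src + dst + struct.pack("!BBH", 0, TCP_PROTO, seg_len)

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum a sender places in bytes 16-17 of the segment."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo_header(src, dst, len(segment)) + zeroed)

def tcp_checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment (checksum
    field included) must come out to zero. A conforming stack silently drops
    anything else, which is why --badsum usually shows every port as filtered."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def build_syn(src: bytes, dst: bytes, sport: int, dport: int, seq: int,
              bad: bool = False) -> bytes:
    """Constructed 20-byte TCP SYN; bad=True corrupts the checksum field the way
    --badsum does, only to exercise the receiver check above."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = tcp_checksum(src, dst, seg)
    if bad:
        csum = (csum + 1) & 0xFFFF          # off by one: never a valid checksum
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def count_bad_checksums(src: bytes, dst: bytes, segments: list) -> int:
    """What a sensor can log: a burst of bad-checksum segments from one source is
    worth alerting on even though the host never replies to them."""
    return sum(1 for s in segments if not tcp_checksum_ok(src, dst, s))

# Constructed sample: a scanner at 10.10.4.1 probing port 80 on 10.10.4.26.
SRC, DST = bytes([10, 10, 4, 1]), bytes([10, 10, 4, 26])
GOOD_SYN = build_syn(SRC, DST, 40000, 80, 1)
BAD_SYN = build_syn(SRC, DST, 40000, 80, 1, bad=True)
```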