Question

Nmap has several options to bypass detection. What scanning techniques or flags can help avoid being blocked or logged by firewalls or intrusion detection systems?

Answer 1

​Nmap offers several techniques to help evade detection by firewalls and Intrusion Detection Systems (IDS). These methods adjust scanning behavior to minimize the likelihood of triggering security defenses. It's essential to use these techniques responsibly and only on networks you have explicit permission to test.​

1. Packet Fragmentation: Dividing probe packets into smaller fragments can sometimes bypass packet inspection by firewalls and IDS that may not reassemble fragmented packets properly.​

• Nmap Flags:

  • -f: Enables fragmentation by splitting packets into 8-byte fragments.

  • --mtu <value>: Specifies a custom Maximum Transmission Unit (MTU); the value must be a multiple of 8.​

• Example:

  • nmap -f <target_ip>​

  • nmap --mtu 16 <target_ip>

• Consideration: Some modern IDS/IPS solutions can reassemble fragmented packets, rendering this technique less effective.​

2. Decoy Scanning: This method involves spoofing multiple IP addresses during a scan to obscure the origin of the scan, making it challenging for the IDS to identify the actual source.​

• Nmap Flag:

  • -D <decoy1,decoy2,...,ME,...>: Specifies decoy IP addresses; ME represents your real IP address's position among the decoys.​

• Example:

  • nmap -D 192.168.1.2,192.168.1.3,ME,192.168.1.4 <target_ip>​

• Consideration: Ensure that the use of decoy IPs complies with legal and ethical guidelines, as it can implicate innocent hosts.​

3. Idle (Zombie) Scan: Utilizes a "zombie" host to scan the target, making the scan appear as though it originates from the zombie, thereby masking the attacker's identity.​

• Nmap Flag:

  • -sI <zombie_ip>: Performs an idle scan using the specified zombie host.

• Example:

  • nmap -sI 192.168.1.100 <target_ip>​

• Consideration: The zombie host must meet specific criteria, such as having a predictable IP ID sequence.​

4. Source Port Manipulation: Some firewalls allow traffic from trusted ports (e.g., 80 for HTTP). By setting the source port to a commonly allowed port, scans might bypass filtering rules.​

• Nmap Flag:

  • --source-port <port_number> or -g <port_number>: Sets the source port number.​

• Example:

  • nmap --source-port 80 <target_ip>​

• Consideration: This technique exploits misconfigurations and may not be effective against well-configured firewalls.​

5. Scan Timing and Delays: Adjusting the timing of scans can help avoid detection by IDS systems that flag rapid, successive connections.​

• Nmap Flags:

  • --scan-delay <time>: Specifies a delay between packets.​

  • --max-parallelism <number>: Limits the number of probes sent in parallel.​

• Example:

  • nmap --scan-delay 500ms --max-parallelism 1 <target_ip>

• Consideration: Slowing down the scan reduces the likelihood of detection but increases the total scan time.​

6. MAC Address Spoofing: Altering the source MAC address can help evade detection, especially in networks that filter or log traffic based on MAC addresses.​

• Nmap Flag:

  • --spoof-mac <mac_address or vendor_name>: Spoofs the MAC address.

• Example:

  • nmap --spoof-mac 00:11:22:33:44:55 <target_ip>​

  • nmap --spoof-mac Apple <target_ip>​

• Consideration: MAC spoofing is more effective on local networks and may not be applicable for scans over the internet.​

7. Randomizing Target Scan Order: Randomizing the order in which targets are scanned can prevent IDS from detecting sequential scanning patterns.​

• Nmap Flag:

  • --randomize-hosts: Randomizes the target host order.​

• Example:

  • nmap --randomize-hosts -iL targets.txt​

• Consideration: This is particularly useful when scanning multiple hosts to avoid pattern detection.​

By employing these Nmap techniques, security professionals can effectively evaluate and enhance the resilience of network defenses against sophisticated scanning methods.