- Nmap provides different ways to bypass firewall rules and IDS/IPS, such as packet fragmentation, decoys, and others
- FWs may either drop or reject packets based on their handling rules
  - dropped = ignored, with no response
  - rejected = responded to with an RST flag; the response may carry one of the ICMP error codes below
- ICMP Error Codes
  - Net unreachable
  - Net prohibited
  - Host unreachable
  - Host prohibited
  - Port unreachable
  - Port prohibited
- IDS/IPS are harder to detect than a FW because they are passive traffic monitoring systems

## TCP-ACK Scan versus TCP-SYN or TCP-Connect

- `-sA` TCP-ACK scan is harder for a FW or IDS/IPS to filter, as opposed to the regular TCP-SYN (default: `-sS`) or TCP-connect (`-sT`) scans
- `-sA` only sends a packet with the ACK flag set

```bash
# for comparison, try all three against the same port
sudo nmap <target_ip> -p 80 -sA -Pn -n --disable-arp-ping --packet-trace
sudo nmap <target_ip> -p 80 -sS -Pn -n --disable-arp-ping --packet-trace
sudo nmap <target_ip> -p 80 -sT -Pn -n --disable-arp-ping --packet-trace
```

## Decoys & Source IP Spoofing

- Nmap generates various random IP addresses and inserts them into the IP header to disguise the origin of the packets

```bash
# -D RND:5 generates 5 random IP addresses used as the source of the packets
sudo nmap <target_ip> -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
```

- can also specify a different source IP with the `-S` flag and an interface with the `-e` flag

```bash
sudo nmap <target_ip> -p 80 -Pn -n -S <alt_source_ip> -e tun0
```

## DNS Proxying

- `--dns-server <ns-1>,<ns-2>` to specify DNS nameservers
- `--source-port <port>` to specify the source port for scans
  - useful for filtered ports

```bash
# specify source port 53 so the probe looks like a DNS request
sudo nmap <target_ip> -p <filtered_port> -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
ncat -nv --source-port 53 <target_ip> <filtered_port>
```

## UDP Scan

```bash
# try a UDP scan if all else fails
sudo nmap <target_ip> -p <filtered_port> -sU -Pn -n --disable-arp-ping --packet-trace
```
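The notes above describe three traffic shapes (a bare ACK with no handshake, a SYN sent from source port 53 to a non-DNS port, and a burst of SYNs from many "sources" to one port) plus the dropped-versus-rejected distinction. The following is an added, defender-side example that is not part of these notes: it classifies a probe's reply as dropped or rejected and runs three simple heuristics over a handful of constructed flow records, the way a stateful firewall log review or a small IDS rule would. The `Pkt` record format, the rule names and the ICMP message labels are assumptions made for the example.

```python
# Added example (not from the original notes): defender-side triage of the
# probe shapes the notes describe, run over constructed flow records.
# The Pkt layout, rule names and ICMP labels are assumptions for this demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "tcp", "udp" or "icmp"
    flags: str = ""    # TCP flags as letters: "S", "A", "R", "SA"
    icmp: str = ""     # ICMP message label for icmp replies (assumed names)


# The ICMP error codes listed in the notes. Any of these means the probe was
# actively rejected by a filter, not silently dropped.
ICMP_REJECT_MESSAGES = {
    "net-unreachable", "net-prohibited", "host-unreachable",
    "host-prohibited", "port-unreachable", "port-prohibited",
}


def probe_outcome(reply):
    """Read one probe's answer: None -> dropped, RST/ICMP error -> rejected."""
    if reply is None:
        return "dropped"
    if reply.proto == "tcp" and "R" in reply.flags:
        return "rejected:rst"
    if reply.proto == "icmp" and reply.icmp in ICMP_REJECT_MESSAGES:
        return "rejected:" + reply.icmp
    if reply.proto == "tcp" and reply.flags == "SA":
        return "open"
    return "unknown"


def find_suspicious(packets, decoy_window=2.0, decoy_threshold=4):
    """Flag traffic shapes a stateful firewall or IDS would want to log.

    ack-without-syn : bare ACK to dst:port with no SYN seen in either
                      direction of that flow (the shape of an -sA probe)
    dns-port-nondns : a SYN *from* port 53 to a non-DNS port; replies from a
                      real resolver are not SYNs, so they are not flagged
    many-src-burst  : >= decoy_threshold distinct sources SYN one dst:port
                      within decoy_window seconds (the -D RND:n pattern)
    """
    findings = []
    seen_syn = set()               # (src, dst, dport) keys for both directions
    syns = defaultdict(list)       # (dst, dport) -> [(ts, src)], ts-ordered
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            seen_syn.add(key)
            seen_syn.add((p.dst, p.src, p.sport))   # expected reply direction
            syns[(p.dst, p.dport)].append((p.ts, p.src))
            if p.sport == 53 and p.dport != 53:
                findings.append(("dns-port-nondns", p.src, p.dst, p.dport))
        elif p.flags == "A" and key not in seen_syn:
            findings.append(("ack-without-syn", p.src, p.dst, p.dport))
    for (dst, dport), lst in syns.items():
        for t0, _ in lst:                         # sliding window per port
            srcs = {s for t, s in lst if t0 <= t <= t0 + decoy_window}
            if len(srcs) >= decoy_threshold:
                findings.append(("many-src-burst", dst, dport, len(srcs)))
                break
    return findings


# Constructed sample traffic (not a real capture).
SAMPLE = [
    # legitimate web client: full handshake
    Pkt(0.00, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "S"),
    Pkt(0.01, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", "SA"),
    Pkt(0.02, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", "A"),
    # legitimate DNS over TCP: client SYN, later an ACK from the resolver's port 53
    Pkt(0.40, "10.0.0.5", 41000, "10.0.0.53", 53, "tcp", "S"),
    Pkt(0.50, "10.0.0.53", 53, "10.0.0.5", 41000, "tcp", "A"),
    # bare ACK with no handshake
    Pkt(1.00, "10.0.0.9", 50000, "10.0.0.80", 80, "tcp", "A"),
    # SYN from source port 53 to a non-DNS port
    Pkt(1.50, "10.0.0.9", 53, "10.0.0.80", 443, "tcp", "S"),
    # five SYNs from five different "sources" to one port within half a second
    *[Pkt(2.0 + i * 0.1, f"192.0.2.{i}", 50000 + i, "10.0.0.80", 22, "tcp", "S")
      for i in range(5)],
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print(finding)
```

The two helpers are deliberately stateless beyond the capture they are given; in a real deployment the SYN table would be bounded and aged out, and the burst rule tuned per port, since a popular service legitimately sees many distinct sources per second.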