Part 3: Nmap Enumeration Series: Advanced Firewall Bypass Techniques
Hello Hackers,
Welcome to part 3 of my Nmap Enumeration Series, and apologies for the delay in continuing it. Today I'll show you how to use Nmap to evade or bypass a firewall, and what each technique actually relies on, since every one of them only works against a particular kind of filter.
“For Educational Purposes Only”
So let's get started...
№5: Fragmentation ( `-f` , `--mtu`)
Fragmenting packets splits each probe into several small IP fragments, so the TCP header (destination port, flags) is spread across more than one packet. A packet filter that inspects fragments individually instead of reassembling them first cannot match its port and flag rules against the probe and may let it through. This only helps against such stateless filters: a firewall or IDS that reassembles fragments sees the original probe. Both options need raw-packet scans such as `-sS`, hence `sudo`.
sudo nmap -f <target>
- `-f`: tells Nmap to fragment its probes before sending them, into 8-byte pieces after the IP header (`-ff` uses 16-byte pieces).
sudo nmap --mtu MTU_Size <target>
- `--mtu`: lets you choose the fragment payload size yourself. The value must be a positive multiple of 8, because IP fragment offsets are counted in 8-byte units (Nmap rejects anything else); smaller values mean more, smaller fragments.
№4: Decoy Scan ( `-D`)
A decoy scan sends every probe several times: once from your real address and once, with a spoofed source, from each decoy address. To the target and its IDS the scan appears to come from all of these hosts at once, so it cannot tell which one is real.
This is useful when an administrator blocks whole subnets or regions on principle, or when an IPS would otherwise single out and block your address: the blocking still happens, but it is spread across the decoys and your real source is hidden among them. With `RND:<n>` Nmap picks that many random decoy addresses (`RND:5` below) and places your real address at a random position among them; you can also list specific decoys separated by commas, and put the keyword `ME` in that list to fix your own position. Decoys should be hosts that are actually up, otherwise the target may see what looks like a SYN flood, and your upstream network must not drop packets with spoofed source addresses. Decoys only apply to raw-packet scans and the initial ping scan, not to connect scans or version detection.
sudo nmap -D RND:5 <target>
№3: Idle Scan ( `-sI`)
An idle scan never sends a packet from your own address to the target. Nmap probes the target with packets whose source is spoofed to a third-party "zombie" host and reads the result off the zombie's IP ID counter, which is why the zombie must be idle and must use a predictable (incrementing) IP ID. The target and its firewall only ever see the zombie's address, so the scan cannot be traced back to you, and the results show what the zombie is allowed to reach, which also lets you test the target's trust relationships from the zombie's position. Pass `-Pn`, otherwise Nmap's initial host-discovery probes go out from your real address and give you away; raw packets are needed, hence `sudo`.
sudo nmap -Pn -sI <zombie_ip> <target>
№2: Source Port Manipulation (`--source-port`)
Some firewalls carry a rule along the lines of "allow anything with source port 53" (or 20, 67, 80) instead of tracking connection state, so that DNS replies or FTP data connections get through. Setting your probes' source port to such a commonly allowed port makes them match that rule and pass, where probes from a random high port would be dropped.
In Nmap we can also pick the DNS servers used to resolve our targets with the `--dns-servers` option. This matters in a demilitarized zone (DMZ), where the company's internal DNS servers know hosts that public resolvers do not, so naming them lets us resolve and reach internal hosts. Independently of that, we can use TCP port 53 as our source port with `--source-port` (alias `-g`): if the firewall trusts source port 53 without checking connection state, our SYN packets pass through unblocked. Nmap honors the option wherever it can; SYN and UDP scans support it fully, while some OS-detection tests and the DNS lookups themselves use other ports.
sudo nmap -sS --source-port 53 <target>
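Each of the three techniques so far (fragmentation, decoys, and source-port manipulation) has a recognisable footprint in a firewall's own logs, which is what a defender should be looking for. The script below is an added example, not code from the original post: it runs three awk checks over netfilter/iptables `LOG` lines and flags bare SYNs that arrive from a "trusted" source port such as 53, sources that are sending IP fragments, and one destination being probed by many sources at once, which is what a `-D` decoy burst looks like from the inside. The log lines are constructed for the example, not captured traffic; the field layout follows the kernel's default `LOG` target output, and the thresholds are assumptions to tune for your own network.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the defender's view of -f/--mtu,
# -D and --source-port traffic in netfilter/iptables LOG output.
# Assumptions: default kernel LOG target format; sample lines below are
# constructed for this example and are not real captured traffic.

sample_log() {
    cat <<'EOF'
Jan 12 10:00:01 gw kernel: FW IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:01 gw kernel: FW IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:02 gw kernel: FW IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=53 DPT=50123 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 12 10:00:03 gw kernel: FW IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=4 MF PROTO=TCP INCOMPLETE [8 bytes]
Jan 12 10:00:03 gw kernel: FW IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=4 FRAG:1 PROTO=TCP
Jan 12 10:00:05 gw kernel: FW IN=eth0 OUT= SRC=10.9.8.1 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=5 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:05 gw kernel: FW IN=eth0 OUT= SRC=10.9.8.2 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=6 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:05 gw kernel: FW IN=eth0 OUT= SRC=10.9.8.3 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=7 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:05 gw kernel: FW IN=eth0 OUT= SRC=10.9.8.4 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=8 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:00:06 gw kernel: FW IN=eth0 OUT= SRC=10.9.8.1 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=9 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# awk helper shared by the checks: turn every KEY=VALUE token into f[KEY].
AWK_PARSE='function parse(   i, kv) { split("", f); for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2] }'

# source_port_probes LOGFILE [PORTS] -> "SRC DST DPT SPT" for every bare SYN
# (SYN without ACK) whose source port is one of the ports that naive allow
# rules trust (53 80 443 by default). A SYN from port 53 to port 22 or 445 is
# not a DNS reply, it is a scan; a SYN-ACK from port 53 (line 3) is left alone.
source_port_probes() {
    local log=$1 ports="${2:-53 80 443}"
    awk -v ports="$ports" "$AWK_PARSE"'
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) trusted[p[i]] = 1 }
        / PROTO=TCP / && / SYN / && !/ ACK / {
            parse()
            if (f["SPT"] in trusted) print f["SRC"], f["DST"], f["DPT"], f["SPT"]
        }' "$log"
}

# fragment_sources LOGFILE -> "COUNT SRC" for every source that sent IP
# fragments: the kernel marks a first fragment with MF and later ones with
# FRAG:<offset>, and nmap -f/--mtu traffic shows up exactly like that.
fragment_sources() {
    awk "$AWK_PARSE"'
        / MF / || / FRAG:/ { parse(); c[f["SRC"]]++ }
        END { for (s in c) print c[s], s }' "$1"
}

# fanout_targets LOGFILE [THRESHOLD] -> "NSRC DST" for destinations that got
# bare SYNs from at least THRESHOLD distinct sources (3 by default). A -D
# decoy scan is a burst of sources hitting the same host with the same probes;
# in production restrict this to a time window, the whole file is used here.
fanout_targets() {
    local log=$1 threshold=${2:-3}
    awk -v t="$threshold" "$AWK_PARSE"'
        / PROTO=TCP / && / SYN / && !/ ACK / {
            parse()
            if (!((f["DST"], f["SRC"]) in seen)) { seen[f["DST"], f["SRC"]] = 1; n[f["DST"]]++ }
        }
        END { for (d in n) if (n[d] >= t) print n[d], d }' "$log"
}

# Demo over the constructed sample.
demo() {
    local log; log=$(mktemp)
    sample_log > "$log"
    echo "# bare SYNs from trusted source ports:"; source_port_probes "$log"
    echo "# sources sending IP fragments:";        fragment_sources "$log"
    echo "# destinations hit by >= 3 sources:";    fanout_targets "$log" 3
    rm -f "$log"
}
demo
```

In practice feed these functions `journalctl -k` or `/var/log/kern.log` output from a rule that logs dropped and accepted SYNs. Note that the source-port check is a symptom of the real problem: the fix on the firewall side is to match replies with connection tracking (`ESTABLISHED,RELATED`) rather than by source port, after which `--source-port 53` buys the attacker nothing.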
№1: HTTP / SOCKS Proxy (`--proxies`)
nmap -sV --proxies http://<proxy_ip>:<proxy_port> <target>
- `--proxies`: relays Nmap's TCP connections through the given proxy, or through a chain of proxies when you list several URLs separated by commas. The far end sees the proxy's address instead of yours, and you can reach hosts that only the proxy is allowed to talk to. The proxy protocol is taken from the URL scheme, `http://` or `socks4://`; no proxy authentication is supported.
nmap -sV --proxies socks4://<proxy_ip>:<proxy_port> <target>
- Caveat: Nmap's proxy support lives in its nsock library, so only NSE scripts and version detection (`-sV`) actually go through the proxy; host discovery, the port scan itself and OS detection are not proxied and will reveal your real address. Keep the proxied part of the scan to those features, and expect higher latency: a lower `--max-parallelism` helps when the proxy refuses many concurrent connections. (`--proxy-type` is an Ncat option, not an Nmap one; with Nmap the type comes from the URL scheme as above.)
I hope the scanning techniques above help you. Thanks for reading.
See you in the next post.
Linkedin: Surya-Mathur