Firewall Evasion Techniques using Nmap
Introduction
Network penetration tests are commissioned regularly. Businesses typically order them to find out whether their network, and every device connected to the internal network, is secure and up to date in accordance with the policies they have established.
Imagine that a firm has hired you to conduct a network-based penetration test, but all you have is a list of IP addresses, and even then the firm isn’t entirely sure how many IP addresses are in use internally, because there may well be more.
Unless you already have a methodology of your own, the first thing you’ll do is scan all of the IP addresses and enumerate all of the services running on them. If that doesn’t work, the next step is to design your own methodology. Once you know which services are running, you can look for vulnerabilities in each one individually and attempt to exploit them. This is where things take an unexpected turn: at some point you will probably run into a firewall, and it may simply discard the packets that Nmap (or any other port scanner) generates.
Now what to do?
It turns out there are several methods you can use to evade firewalls. Not all of them will work, depending on how the firewall has been hardened, but they are worth trying.
Of the many evasion techniques, we’ll discuss two here and a few more in the next blog post.
- TCP Stealth Scan, Null Scan, FIN Scan, Xmas Scan
- Evading the firewall by controlling the source IP address, proxy, MAC address and source port number.
Method 1
Change Scan Types
Take a look at the image given above. This is a typical TCP packet. Whenever you communicate via TCP, these are the packets that are sent. Unless told otherwise, Nmap also uses TCP packets to scan the target. TCP headers have certain flags set…
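The flag combinations those scan types put in the TCP header are also what a defender can key on. As an added example (not code from the original post), the script below reads the flag byte from constructed TCP headers, maps each combination to the scan type that emits it, and reports sources sending handshake-less NULL, FIN or Xmas probes; the sample addresses, ports and the threshold are assumptions.

```python
import struct
from collections import Counter

# TCP flag bits as they sit in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP segment (header at offset 0)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13] & 0x3F  # byte 12 is data offset; CWR/ECE bits are ignored here


def classify_probe(flags: int) -> str:
    """Map a flag combination to the Nmap scan type that produces it."""
    if flags == 0:
        return "null-scan"          # -sN: no flags set at all
    if flags == FIN:
        return "fin-scan"           # -sF: a lone FIN; a real close carries FIN|ACK
    if flags == FIN | PSH | URG:
        return "xmas-scan"          # -sX: FIN, PSH and URG lit up together
    if flags == SYN:
        return "syn"                # -sS half-open probe, or an ordinary connect
    return "other"


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (sample data, not captured traffic)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def suspicious_sources(packets, threshold: int = 3) -> dict:
    """packets: iterable of (src_ip, tcp_segment). Return sources whose count of
    stateless probe patterns (null/fin/xmas) reaches the threshold."""
    hits = Counter()
    for src, seg in packets:
        if classify_probe(tcp_flags(seg)) in ("null-scan", "fin-scan", "xmas-scan"):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample traffic: one scanning host and one ordinary client.
SAMPLE = [
    ("198.51.100.7", build_segment(40000, 22, 0)),
    ("198.51.100.7", build_segment(40001, 80, FIN)),
    ("198.51.100.7", build_segment(40002, 443, FIN | PSH | URG)),
    ("192.0.2.10", build_segment(51000, 443, SYN)),
    ("192.0.2.10", build_segment(51000, 443, ACK)),
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))  # {'198.51.100.7': 3}
```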