Skip to content

10. Nmap Firewall Evasion(Decoys, MTU & Fragmentation)

1. Command: nmap -sS -F -D RND:3 192.168.0.1

  • Options Used:
    • -sS: Performs a SYN scan (stealthy and fast, sends SYN packets and checks for responses).
    • -F: Enables a fast scan mode by limiting the scan to commonly used 100 ports (from nmap-services file).
    • -D RND:3: Uses decoy mode with 3 random decoy IP addresses to obscure the source of the scan.
  • Explanation: This command performs a SYN scan on the 192.168.0.1 target, scanning the most commonly used 100 ports. It uses random decoy IPs to make it harder for the target to determine the real IP address of the scanner.

2. Command: nmap -sS -F -D 172.16.1.1 192.168.0.1

  • Options Used:

    • -sS: SYN scan.
    • -F: Fast scan.
    • -D 172.16.1.1: Uses the specific IP address (172.16.1.1) as a decoy.
    • Explanation: Similar to the first command, but instead of using random decoy IPs, a specific decoy IP address is provided (172.16.1.1). This decoy sends packets alongside the real scanner to confuse detection.

3. Command: nmap -sS -F -f --send-eth -D 172.16.1.1 192.168.0.1

  • Options Used:

    • -sS: SYN scan.
    • -F: Fast scan.
    • -f: Fragmentation; splits scan packets into smaller IP fragments to bypass firewalls or intrusion detection systems (IDS).
    • --send-eth: Forces Nmap to send raw Ethernet packets instead of using IP.
    • -D 172.16.1.1: Uses a specific decoy IP address.
    • Explanation: This command combines SYN scanning with packet fragmentation and raw Ethernet packet sending to bypass defenses like IDS. The decoy IP address (172.16.1.1) further obfuscates the scan source.

4. Command: nmap -sS -F --mtu 16 --send-eth -D 172.16.1.1 192.168.0.1

  • Options Used:

    • -sS: SYN scan.
    • -F: Fast scan.
    • --mtu 16: Sets the Maximum Transmission Unit (MTU) size to 16 bytes, creating very small packets to evade packet inspection.
    • --send-eth: Forces Nmap to send raw Ethernet packets.
    • -D 172.16.1.1: Uses a specific decoy IP address.
    • Explanation: This command further reduces packet size using the --mtu option, making it even harder for security systems to detect and analyze the traffic. The --send-eth ensures raw Ethernet packet sending, and the decoy IP adds obfuscation.

General Notes on Nmap Options:

  • -sS: Stealth scans avoid a full TCP handshake, reducing the likelihood of detection.
  • -F: Scans the most commonly used ports, making it faster.
  • -D: Uses decoys to mask the origin of the scan.
  • -f: Packet fragmentation to bypass detection mechanisms.
  • --mtu: Adjusts the MTU to control packet size, often used for evasion.
  • --send-eth: Forces the scan to operate at the Ethernet layer, useful for certain network configurations and evasion strategies.

Use Cases:

  • These commands are often employed during penetration testing to:
    1. Evade detection by firewalls and IDS.
    2. Mask the source of the scan.
    3. Test network defenses against obfuscated and fragmented traffic.