Evade Firewalls and IDS with Nmap


Introduction

In this lab, you will learn how to evade firewalls and IDS using Nmap. The lab covers several techniques, including running decoy scans, fragmenting packets, spoofing IP addresses, adjusting scan rates, and combining these techniques. You will execute various Nmap commands in the Xfce terminal and verify the evasion results. Remember to use these techniques ethically and with proper authorization.

Run decoy scan with nmap -D RND:5 192.168.1.1

In this step, we will explore how to use decoy scanning with Nmap to obfuscate the source of our scan. Decoy scanning makes it appear as though the scan is originating from multiple IP addresses, making it harder to pinpoint the actual scanner.

The -D option in Nmap allows you to specify decoy IP addresses. The RND:5 argument tells Nmap to use 5 random, non-reserved IP addresses as decoys, in addition to your actual IP address.

Let's perform a decoy scan against a target. For demonstration purposes, we'll use 192.168.1.1 as the target IP address. Please note that 192.168.1.1 is a placeholder. In a real-world scenario, you would replace this with the actual IP address of the target you are authorized to scan.

Open your Xfce terminal and execute the following command:

sudo nmap -D RND:5 192.168.1.1

This command will initiate an Nmap scan against 192.168.1.1, using 5 random IP addresses as decoys. You will see Nmap's output in the terminal, showing the progress of the scan.

Example output (the specific output will vary depending on the target and network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

Important Considerations:

  • Ethical Use: Always ensure you have explicit permission to scan a network or system. Unauthorized scanning is illegal and unethical.
  • Network Impact: Decoy scans can generate a significant amount of network traffic. Use them responsibly and avoid overloading the target network.
  • Effectiveness: While decoy scans can make it more difficult to trace the origin of a scan, they are not foolproof. Sophisticated intrusion detection systems (IDS) may still be able to identify the real source.

Fragment packets with nmap -f 127.0.0.1

In this step, we will learn how to fragment packets using Nmap. Packet fragmentation involves dividing the TCP or UDP data into smaller pieces (fragments) before sending them to the target. This technique can be used to evade some firewalls or intrusion detection systems (IDS) that may not properly reassemble fragmented packets.

The -f option in Nmap enables packet fragmentation. By default, Nmap fragments packets into 8-byte chunks. You can specify a different MTU (Maximum Transmission Unit) size using -mtu <size>.

Let's perform a fragmented scan against the loopback address 127.0.0.1. This address always refers to the local machine, making it safe for testing.

Open your Xfce terminal and execute the following command:

sudo nmap -f 127.0.0.1

This command will initiate an Nmap scan against 127.0.0.1, fragmenting the packets. You will see Nmap's output in the terminal, showing the progress of the scan.

Example output (the specific output will vary depending on your system configuration):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000028s latency).
Other addresses for localhost: ::1

PORT     STATE SERVICE
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Explanation:

  • sudo nmap: Executes Nmap with superuser privileges, which are often required for raw socket operations like packet fragmentation.
  • -f: Enables fragmentation. Nmap will fragment the packets before sending them.
  • 127.0.0.1: Specifies the target IP address (the loopback address).

Important Considerations:

  • Firewall/IDS Evasion: Packet fragmentation can sometimes bypass simple firewalls or IDS that don't properly reassemble fragments. However, modern security devices are generally capable of handling fragmented packets.
  • Performance Impact: Fragmentation can increase network overhead and potentially slow down the scan.
  • MTU Option: You can use the -mtu option to specify a custom MTU size for the fragments. For example, nmap -f -mtu 32 127.0.0.1 would fragment packets into 32-byte chunks.

Spoof IP with nmap -S 192.168.1.100 192.168.1.1

In this step, we will explore how to spoof the source IP address of Nmap scans. IP address spoofing involves forging the source IP address in the packets sent by Nmap. This can be used to hide your actual IP address or to test network defenses.

The -S option in Nmap allows you to specify a source IP address. It's important to understand that spoofing IP addresses can have serious consequences and should only be done in authorized environments. Also, note that you typically won't receive responses to spoofed packets, as they will be sent to the spoofed address. Therefore, this technique is often used with "blind" scanning techniques like SYN scan (-sS) or connect scan (-sT) when you don't need to see the responses.

Let's perform a SYN scan with a spoofed IP address against a target. For demonstration purposes, we'll use 192.168.1.100 as the spoofed IP address and 192.168.1.1 as the target IP address. Please note that 192.168.1.1 is a placeholder. In a real-world scenario, you would replace this with the actual IP address of the target you are authorized to scan. Also, 192.168.1.100 is just an example, and you should choose an IP address that is not in use on your network to avoid conflicts.

Open your Xfce terminal and execute the following command:

sudo nmap -sS -S 192.168.1.100 192.168.1.1

This command will initiate an Nmap SYN scan against 192.168.1.1, using 192.168.1.100 as the spoofed source IP address. You will see Nmap's output in the terminal, showing the progress of the scan.

Example output (the specific output will vary depending on the target and network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00029s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

Explanation:

  • sudo nmap: Executes Nmap with superuser privileges, which are required for raw socket operations like IP address spoofing.
  • -sS: Specifies a SYN scan, which is a stealthy scan that doesn't complete the TCP handshake.
  • -S 192.168.1.100: Specifies the spoofed source IP address.
  • 192.168.1.1: Specifies the target IP address.

Important Considerations:

  • Ethical Use: IP address spoofing should only be used in authorized environments for legitimate purposes, such as security testing.
  • Root Privileges: Spoofing IP addresses requires root privileges.
  • Limited Functionality: Because you won't receive responses to spoofed packets, you may need to use other techniques to gather information about the target.
  • Network Configuration: Spoofing may not work if your network is configured to prevent it. Routers and firewalls often have mechanisms to prevent packets with spoofed source addresses from leaving the network.

Adjust rate with nmap --max-rate 100 192.168.1.1

In this step, we will learn how to control the scanning rate of Nmap. Adjusting the scanning rate is crucial for avoiding detection and preventing network congestion. Nmap provides several options to control the rate at which it sends packets.

The --max-rate option limits the number of packets Nmap sends per second. This can be useful for avoiding detection by intrusion detection systems (IDS) or for preventing network congestion, especially when scanning networks with limited bandwidth.

Let's perform a scan against a target IP address, limiting the maximum packet rate to 100 packets per second. For demonstration purposes, we'll use 192.168.1.1 as the target IP address. Please note that 192.168.1.1 is a placeholder. In a real-world scenario, you would replace this with the actual IP address of the target you are authorized to scan.

Open your Xfce terminal and execute the following command:

sudo nmap --max-rate 100 192.168.1.1

This command will initiate an Nmap scan against 192.168.1.1, limiting the maximum packet rate to 100 packets per second. You will see Nmap's output in the terminal, showing the progress of the scan.

Example output (the specific output will vary depending on the target and network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

Explanation:

  • sudo nmap: Executes Nmap with superuser privileges, which may be required for certain scan types.
  • --max-rate 100: Limits the sending rate to a maximum of 100 packets per second.
  • 192.168.1.1: Specifies the target IP address.

Other Rate Limiting Options:

Nmap offers several other options for controlling the scanning rate:

  • --min-rate <number>: Specifies the minimum number of packets per second to send.
  • --scan-delay <time>: Adjusts the amount of time Nmap waits after each probe it sends.
  • --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time>: Control the probe timeout values.

Important Considerations:

  • Network Conditions: The optimal scanning rate depends on the network conditions. If the network is congested, a lower rate may be necessary to avoid packet loss.
  • IDS/IPS Evasion: Adjusting the scanning rate can help to evade detection by intrusion detection/prevention systems.
  • Scan Time: Lowering the scanning rate will increase the overall scan time.

Combine techniques with nmap -f --max-rate 50 127.0.0.1

In this step, we will combine packet fragmentation and rate limiting techniques to further refine our Nmap scans. Combining techniques can be useful for evading detection and optimizing scan performance.

We'll use the -f option to fragment packets and the --max-rate option to limit the sending rate. Packet fragmentation splits the TCP header over several packets to make it harder for packet filters and firewalls to detect the scan. Limiting the rate ensures that the scan doesn't overwhelm the network or trigger alarms.

Let's perform a scan against the loopback address (127.0.0.1), using packet fragmentation and limiting the maximum packet rate to 50 packets per second.

Open your Xfce terminal and execute the following command:

sudo nmap -f --max-rate 50 127.0.0.1

This command will initiate an Nmap scan against 127.0.0.1, fragmenting the packets and limiting the maximum packet rate to 50 packets per second. You will see Nmap's output in the terminal, showing the progress of the scan.

Example output (the specific output will vary depending on the target and network):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Other addresses for localhost: ::1
Not shown: 999 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

Explanation:

  • sudo nmap: Executes Nmap with superuser privileges, which may be required for certain scan types.
  • -f: Fragments the packets into smaller pieces.
  • --max-rate 50: Limits the sending rate to a maximum of 50 packets per second.
  • 127.0.0.1: Specifies the target IP address (loopback address).

Important Considerations:

  • Fragmentation Overhead: Packet fragmentation can increase the overhead of the scan, as more packets need to be sent.
  • Firewall Behavior: Some firewalls may reassemble fragmented packets before inspecting them, negating the effects of fragmentation.
  • Rate Limiting Effectiveness: The effectiveness of rate limiting depends on the network conditions and the sensitivity of the target system.
  • Combining Techniques: Combining different evasion techniques can increase the chances of bypassing security measures, but it also increases the complexity of the scan.

Verify evasion in Xfce terminal

In this step, we will discuss how to verify the effectiveness of the evasion techniques we've used in the previous steps. While we cannot definitively prove that our scans are completely undetectable, we can use various methods to assess the likelihood of evasion.

Methods for Verifying Evasion:

  1. Network Monitoring: Use tools like tcpdump or Wireshark to capture network traffic and analyze the characteristics of the Nmap scans. Look for fragmented packets, decoy IP addresses, and rate-limited traffic. This requires a separate machine on the same network as the target. Since we are in a contained environment, this is not feasible.

  2. IDS/IPS Logs: If you have access to the logs of an intrusion detection/prevention system (IDS/IPS), examine them for any alerts related to the Nmap scans. The absence of alerts doesn't guarantee evasion, but it's a positive sign. This also requires access to external systems which we do not have.

  3. Target System Logs: Check the target system's logs for any evidence of the Nmap scans. This might include connection attempts to specific ports or unusual network activity. Again, this requires access to the target system.

  4. Third-party Online Services: Some online services can analyze network traffic and identify potential security threats. You can submit a sample of the Nmap scan traffic to these services for analysis.
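The capture analysis that method 1 describes, as an added example that is not part of the lab: a small Python analyzer over tcpdump-style lines that flags the three signatures covered above, fragments whose TCP header is split across datagrams (-f), many distinct sources probing one target within a short window (-D decoys), and the per-source packet rate (--max-rate). The capture lines, fragment id and timestamps are constructed and simplified, not real tcpdump output, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified tcpdump-style lines (not real capture output): a burst
# of SYNs from four sources (decoy pattern), then one datagram in 8-byte fragments.
CAPTURE = """\
10:00:00.000000 IP 10.0.0.5.40001 > 192.168.1.1.22: Flags [S]
10:00:00.010000 IP 203.0.113.7.40001 > 192.168.1.1.22: Flags [S]
10:00:00.020000 IP 198.51.100.9.40001 > 192.168.1.1.22: Flags [S]
10:00:00.030000 IP 192.0.2.44.40001 > 192.168.1.1.22: Flags [S]
10:00:00.100000 IP 10.0.0.5 > 192.168.1.1: tcp (frag 4711:8@0+)
10:00:00.110000 IP 10.0.0.5 > 192.168.1.1: tcp (frag 4711:8@8+)
10:00:00.120000 IP 10.0.0.5 > 192.168.1.1: tcp (frag 4711:4@16)
""".splitlines()

# time, source[.port] > destination[.port], optional "(frag id:size@offset[+])"
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:(?:.*?\(frag (\d+):(\d+)@(\d+)(\+?)\))?")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, dst, fid, size, off, more = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    frag = None if fid is None else (int(fid), int(size), int(off), more == "+")
    return {"ts": ts, "src": src, "dst": dst, "frag": frag}

def analyze(lines, window=1.0, min_sources=3):
    pkts = [p for p in map(parse, lines) if p]
    # Fragments with offset > 0 carry the rest of a transport header, so a
    # filter that inspects only the first fragment never sees ports or flags.
    split_ids = sorted({p["frag"][0] for p in pkts if p["frag"] and p["frag"][2] > 0})
    # Decoys: distinct sources probing the same target inside a short window.
    by_dst, decoys = defaultdict(list), {}
    for p in pkts:
        by_dst[p["dst"]].append((p["ts"], p["src"]))
    for dst, ev in by_dst.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            srcs = {s for t, s in ev[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                decoys[dst] = max(decoys.get(dst, 0), len(srcs))
    # Rate: packets per second per source, for sources seen more than once.
    by_src = defaultdict(list)
    for p in pkts:
        by_src[p["src"]].append(p["ts"])
    pps = {s: round(len(t) / (max(t) - min(t)), 1) for s, t in by_src.items() if len(t) > 1}
    return {"split_fragment_ids": split_ids, "decoy_targets": decoys, "pps": pps}

print(analyze(CAPTURE))
```

On the constructed capture this reports datagram 4711 as split, four sources against 192.168.1.1 within one second, and about 33 packets per second from 10.0.0.5; real tcpdump output needs the regex adjusted to the exact fields printed for your protocol and verbosity flags.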

Limitations in the Lab Environment:

Due to the limitations of the LabEx VM environment (e.g., lack of a separate monitoring machine, no access to IDS/IPS or target system logs), we cannot perform a comprehensive verification of evasion. However, we can review the commands we executed and understand how they contribute to evasion.

Review of Evasion Techniques:

  • Decoy Scan (nmap -D RND:5 192.168.1.1): This technique makes it appear as if the scan is originating from multiple IP addresses, including randomly generated ones. This can confuse network administrators and make it difficult to trace the scan back to the actual source.

  • Packet Fragmentation (nmap -f 127.0.0.1): This technique splits the TCP header over several packets, making it harder for packet filters and firewalls to detect the scan.

  • IP Spoofing (nmap -S 192.168.1.100 192.168.1.1): This technique hides your real IP address by using a different source IP address.

  • Rate Limiting (nmap --max-rate 100 192.168.1.1): This technique slows down the scan, reducing the likelihood of triggering alarms or causing network congestion.

  • Combined Techniques (nmap -f --max-rate 50 127.0.0.1): Combining fragmentation and rate limiting provides a multi-layered approach to evasion.

Conclusion:

While we cannot definitively verify evasion in the LabEx VM environment, understanding the principles behind these techniques and how they work is crucial for conducting stealthy and effective Nmap scans. In a real-world scenario, you would use the methods described above to assess the effectiveness of your evasion efforts.

This step is more about understanding the concepts and limitations rather than performing a specific action in the terminal. Therefore, the verification step will simply check that you have accessed this step in the lab.

Summary

In this lab, participants learn how to evade firewalls and IDS using Nmap. They explore various techniques, including running a decoy scan with nmap -D RND:5, fragmenting packets with nmap -f, spoofing IP addresses with nmap -S, adjusting the scan rate with nmap --max-rate, and combining these techniques. Each command is executed in the Xfce terminal, and participants are reminded of the importance of ethical use, network impact, and the limitations of these evasion methods.