LabEx
Log InJoin For Free

Evade Firewalls in Nmap

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn advanced Nmap techniques to bypass firewall protections in real-world cybersecurity scenarios. You'll practice evasion methods like fragmented scanning and decoy IP spoofing while working with iptables-configured firewalls.

The hands-on exercises will guide you through Nmap installation, firewall rule configuration, and result analysis. You'll gain practical experience in assessing and circumventing network security measures through controlled scanning experiments.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/timing_performance("Timing and Performance") nmap/NmapGroup -.-> nmap/syn_scan("SYN Scan") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") nmap/NmapGroup -.-> nmap/firewall_evasion("Firewall Evasion Techniques") nmap/NmapGroup -.-> nmap/stealth_scanning("Stealth and Covert Scanning") subgraph Lab Skills nmap/installation -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/port_scanning -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/target_specification -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/timing_performance -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/syn_scan -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/service_detection -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/firewall_evasion -.-> lab-549937{{"Evade Firewalls in Nmap"}} nmap/stealth_scanning -.-> lab-549937{{"Evade Firewalls in Nmap"}} end

Install Nmap

In this step, you will install Nmap, a powerful network scanning tool used for security auditing and network exploration. Nmap helps identify hosts and services on a network by sending packets and analyzing responses. Think of it like a digital mapmaker that discovers what devices are connected to a network and what services they're running.

The LabEx VM environment already has the necessary dependencies installed, making the installation process straightforward. Follow these steps to install Nmap:

  1. Open the terminal in your LabEx VM (you can use the Xfce terminal or right-click on the desktop and select "Open Terminal"). The terminal is where you'll enter all commands for this lab.

  2. First, update the package list to ensure you get the latest version. This is like refreshing an app store before downloading new software:

    sudo apt update

  3. Install Nmap using the following command. The -y flag automatically confirms any prompts during installation:

    sudo apt install -y nmap

  4. After installation completes, verify Nmap is installed correctly by checking its version. This confirms the installation was successful:

    nmap --version

    You should see output similar to:

    Nmap version 7.92 ( https://nmap.org )

  5. For additional verification, run a simple scan against localhost (your own machine). This helps you understand how Nmap works before scanning other targets:

    nmap -sV 127.0.0.1

    This command scans your local machine (127.0.0.1) and shows open ports (-sV flag detects service versions). You'll see a list of services running on your machine, which is useful for understanding Nmap's output format.

Prepare a Firewalled Target

In this step, you will configure a simple firewall using iptables to create a protected target environment for your Nmap scanning tests. Firewalls act as security barriers that control network traffic, and understanding how to scan through them is essential for network security professionals. This setup will simulate a real-world scenario where network scanning needs to bypass firewall protections.

  1. First, let's verify that iptables is available on your system. iptables is a user-space utility program that allows administrators to configure firewall rules in Linux. It should be pre-installed in the LabEx VM:

    sudo iptables --version

  2. Before creating new rules, it's good practice to clear any existing firewall rules. This ensures we start with a clean slate and avoid conflicts with previous configurations:

    sudo iptables -F
sudo iptables -X

  3. Now we'll set default policies. The default policy determines what happens to packets that don't match any specific rules. We'll DROP all incoming and forwarded traffic while allowing outgoing connections:

    sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

  4. Even with strict firewall rules, we need to allow localhost (lo) communication. Many system services rely on internal communication, so this exception is necessary:

    sudo iptables -A INPUT -i lo -j ACCEPT

  5. Let's create specific rules to simulate a protected web server. These rules will allow incoming traffic only on standard ports for SSH (22), HTTP (80), and HTTPS (443), mimicking a typical production server configuration:

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT  ## SSH
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT  ## HTTP
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT ## HTTPS

  6. After configuring the rules, it's important to verify them. The -L flag lists all rules, -n shows numeric output (faster and avoids DNS lookups), and -v provides verbose information:

    sudo iptables -L -n -v

    You should see output showing your configured rules with the default DROP policy for unmatched traffic.

  7. Finally, we'll save the rules to make them persistent. This step is particularly important in our LabEx environment since we can't use systemctl in Docker to maintain rules across reboots:

    sudo sh -c "iptables-save > /etc/iptables.rules"

Run a Fragmented Scan

In this step, you will learn how to perform a fragmented scan using Nmap to bypass basic firewall protections. Firewalls often inspect complete network packets, but fragmentation splits packets into smaller pieces, making them harder to detect by simple firewall rules that don't reassemble fragments.

  1. First, verify the firewall rules from the previous step are still active. This helps establish a baseline before testing evasion techniques:

    sudo iptables -L -n -v

  2. Perform a standard Nmap SYN scan against localhost to see how the firewall responds without any evasion techniques. This will show us which ports are being actively blocked:

    nmap -sS 127.0.0.1

    Note which ports are shown as filtered or closed - these are the ones the firewall is protecting.

  3. Now run a fragmented scan using the -f option. This tells Nmap to split the TCP headers into multiple smaller packets (8-byte fragments):

    nmap -f -sS 127.0.0.1

    Some firewalls may not properly reassemble these fragments, allowing the scan to pass through.

  4. For more aggressive fragmentation, use smaller packet sizes with the --mtu option. This sets the Maximum Transmission Unit to 16 bytes, creating even smaller fragments:

    nmap --mtu 16 -sS 127.0.0.1

    Smaller fragments may bypass more primitive firewall implementations.

  5. Combine fragmentation with timing control for additional stealth. The -T2 option makes the scan slower and less likely to trigger intrusion detection systems:

    nmap -f -T2 -sS 127.0.0.1

    This approach mimics more normal network traffic patterns.

  6. Compare the results of different scan types to evaluate the effectiveness of fragmentation:

    nmap -sS 127.0.0.1 | grep filtered
nmap -f -sS 127.0.0.1 | grep filtered

    Notice any differences in the number of filtered ports - fewer filtered ports indicate successful firewall evasion.

Add Decoy IPs

In this step, you will learn how to use Nmap's decoy scanning technique to mask your real IP address among multiple fake source addresses. This helps evade detection by making it harder to identify the actual scanning machine. When security systems see traffic coming from multiple IPs, they can't easily determine which one is the real scanner.

  1. First, verify your current IP address to understand what we're hiding. This establishes a baseline so you can see how decoy IPs will obscure your real address:

    ip a

    Note your actual IP address (typically starting with 172 or 192). This is the address we'll be hiding among the decoys.

  2. Perform a basic scan with decoy IPs using the -D option. Here we specify three fake IPs and include our real IP with the ME placeholder:

    sudo nmap -D 192.168.1.1,192.168.1.2,192.168.1.3,ME 127.0.0.1

    The ME placeholder represents your real IP address, which will be mixed in with the decoys.

  3. For more realistic decoys, use random IP addresses. This is often better than using predictable IP patterns:

    sudo nmap -D RND:5 127.0.0.1

    This generates 5 random decoy IP addresses that appear more natural to monitoring systems.

  4. Combine decoys with previous evasion techniques like fragmentation (-f) and timing control (-T2):

    sudo nmap -D 10.0.0.1,10.0.0.2,10.0.0.3 -f -T2 127.0.0.1

    Layering multiple evasion methods makes detection even harder.

  5. Verify the decoy effect by checking firewall logs (simulated). This shows how the firewall would see multiple source IPs:

    sudo iptables -L -n -v | grep -E "192.168|10.0"

    You should see entries for all the decoy IPs we used in our scans.

  6. For advanced usage, specify decoy networks. This creates a range of decoy addresses from the same network:

    sudo nmap -D 192.168.1.1-10 127.0.0.1

    This generates 10 sequential decoy IPs from the 192.168.1.0 network.

Check Evasion Success

In this final step, you will evaluate the effectiveness of your scanning evasion techniques by analyzing firewall logs and comparing scan results from different methods. This helps you understand which techniques successfully bypassed firewall detection and which were flagged as suspicious activity.

  1. First, check the current firewall logs to see detected scanning attempts. This gives you a baseline of what normal firewall activity looks like before testing evasion methods:

    sudo iptables -L -n -v | grep -E "DROP|REJECT"

    This command shows how many packets were blocked by your firewall rules, with the counters indicating detection attempts.

  2. Now create two scan reports for comparison - one using basic scanning and another with evasion techniques. The difference between these will show the effectiveness of your evasion:

    nmap -sS 127.0.0.1 -oN basic_scan.txt
nmap -f -D RND:3 127.0.0.1 -oN evasion_scan.txt

    The first command performs a standard SYN scan, while the second uses fragmentation (-f) and decoy IPs (-D RND:3).

  3. Analyze the differences between scan results to see which ports were filtered in each case:

    diff basic_scan.txt evasion_scan.txt

    Pay special attention to the number of "filtered" ports in each report - fewer filtered ports in the evasion scan indicates successful bypass.

  4. To specifically check for successful evasion, reset firewall counters and run an evasion scan while monitoring detection:

    sudo iptables -Z && sudo nmap -f -D RND:3 127.0.0.1 && sudo iptables -L -n -v

    The counter values show how many packets were detected by the firewall during your evasion attempt.

  5. For comprehensive testing, combine multiple evasion techniques to maximize your chances of bypassing security:

    sudo nmap -f -D RND:5 -T2 --data-length 24 127.0.0.1 -oN final_scan.txt

    This uses fragmentation, 5 decoy IPs, slower timing (-T2), and random data padding (--data-length 24).

  6. Finally, generate a summary report comparing filtered ports between basic and evasion scans:

    echo "Basic scan filtered ports:" && grep filtered basic_scan.txt | wc -l
echo "Evasion scan filtered ports:" && grep filtered evasion_scan.txt | wc -l

    A significant reduction in filtered ports between the two scans demonstrates successful firewall evasion.

Summary

In this lab, you have learned essential Nmap firewall evasion techniques for cybersecurity assessments. The exercises guided you through Nmap installation, basic scanning, and creating a controlled test environment using iptables to simulate protected networks.

You practiced two primary evasion methods: packet fragmentation to bypass detection systems and decoy IP addresses to obscure scan origins. These skills enable you to evaluate network defenses by replicating real-world attack patterns while maintaining ethical testing standards.

Related Nmap Courses
Quick Start with Nmap

Quick Start with Nmap

CybersecurityNmap
Beginner