Use Nmap to Detect and Bypass Firewall Restrictions

Introduction

In this lab, you will learn how to use Nmap to detect and bypass firewall restrictions in the realm of network security. Firewalls are vital security elements that filter network traffic according to predefined rules. As a security professional, it's crucial to understand how to evade firewalls for comprehensive security assessments and vulnerability identification.

We'll explore diverse firewall evasion techniques with Nmap, a potent network scanning tool. These techniques enable security experts to test network defenses by mimicking potential attackers' attempts to bypass security measures. By the end of this lab, you'll gain hands - on experience with Nmap's firewall evasion features and understand their applications in network security.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/firewall_evasion("Firewall Evasion Techniques") subgraph Lab Skills nmap/installation -.-> lab-415921{{"Use Nmap to Detect and Bypass Firewall Restrictions"}} nmap/save_output -.-> lab-415921{{"Use Nmap to Detect and Bypass Firewall Restrictions"}} nmap/port_scanning -.-> lab-415921{{"Use Nmap to Detect and Bypass Firewall Restrictions"}} nmap/target_specification -.-> lab-415921{{"Use Nmap to Detect and Bypass Firewall Restrictions"}} nmap/firewall_evasion -.-> lab-415921{{"Use Nmap to Detect and Bypass Firewall Restrictions"}} end

Setting Up a Local Service for Scanning

Before we can start practicing Nmap scanning techniques, it's essential to have a target service to scan. Think of it like having a target in a shooting range. In this step, we'll create a simple HTTP server on our local machine. This server will act as the target for all our scanning exercises.

First, we need to open a terminal. A terminal is like a command - center where we can give instructions to our computer. Once the terminal is open, we'll create a directory structure for our HTTP service. A directory is similar to a folder on your computer, and it helps us organize our files.

mkdir -p /home/labex/project/http_service

The mkdir command stands for "make directory". The -p option ensures that if any intermediate directories in the path don't exist, they will be created. So, this command creates a directory named http_service inside the /home/labex/project path.

Next, we need to navigate to the newly created directory. Just like you would open a folder on your computer to access its contents, we use the cd command to move into the directory.

cd /home/labex/project/http_service

Now, we'll create a simple HTML file. HTML is the language used to create web pages. Our HTTP server will serve this HTML file to anyone who requests it.

echo "<html><body><h1>Welcome to the StarPath Exploration Server</h1></body></html>" > index.html

The echo command prints the text inside the quotes. The > symbol redirects that output into a file named index.html. So, this command creates a file named index.html with the specified basic HTML content.

To make sure the file was created correctly, we can view its contents. We use the cat command for this purpose.

cat index.html

The cat command reads the contents of a file and displays them on the terminal. You should see the HTML content we just created:

<html><body><h1>Welcome to the StarPath Exploration Server</h1></body></html>

Now, it's time to start a simple HTTP server. We'll use Python's built - in http.server module. Python is a programming language, and this module allows us to quickly set up a web server.

python3 -m http.server 8000

The -m option in Python is used to run a module as a script. Here, we're running the http.server module and telling it to listen on port 8000. A port is like a door through which data enters and leaves a computer.

After running this command, you should see output similar to:

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

This output indicates that the HTTP server is running and is waiting for connections on port 8000. It's important to leave this terminal window open because if you close it, the server will stop running.

You've successfully set up a local service. In the following steps, we'll use this service as a target for our Nmap scanning exercises.

Basic Nmap Scan with Host Discovery Bypass

In this step, we're going to perform our very first Nmap scan. But before we start, let's understand a key concept. Many firewalls are configured to block ICMP echo requests, which are commonly known as "ping". Nmap usually uses these ping requests to check if a host is online before it starts scanning the ports. However, by bypassing this host discovery phase, we can still scan the targets even when the ICMP traffic is blocked by the firewall.

First, make sure you keep the HTTP server running in the previous terminal. Then, open a new terminal window. In this new terminal, we need to navigate to the project directory. The project directory is where all our relevant files and configurations for this experiment are stored. To do this, we'll use the cd command, which stands for "change directory". Here's the command:

cd /home/labex/project

Now that we're in the right directory, it's time to run a basic Nmap scan against our local HTTP server. We'll use the -Pn option in the Nmap command. This option tells Nmap to skip the host discovery step and assume that the target is online. Here's the command:

nmap -Pn --reason -p 8000 localhost

Let's break down the command options to understand what each one does:

-Pn: This option skips the host discovery process. Instead of checking if the target is online using ping, Nmap will directly assume that the target is online and start scanning the ports.
--reason: This option makes Nmap show the reason why a port is in a particular state. For example, if a port is open, it will tell us why it's considered open.
-p 8000: This option tells Nmap to scan only port 8000. We're interested in this specific port because our local HTTP server is running on it.
localhost: This is the target we want to scan. In this case, localhost refers to our local machine.

After running the command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-05 15:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000097s latency).

PORT     STATE SERVICE      REASON
8000/tcp open  http-alt     syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

The output shows that port 8000 is open and running an HTTP service. The "REASON" column says "syn-ack", which means that when Nmap tried to connect to the port, the port responded with a SYN-ACK packet. This is a standard way for a server to accept a connection request in the TCP protocol.

Next, we want to save the scan results to a file. Saving the results is useful because it allows us to analyze them later, share them with others, or compare them with future scans. To save the results, we'll use the > symbol, which redirects the output of the Nmap command to a file. Here's the command:

nmap -Pn --reason -p 8000 localhost > /home/labex/project/nmap_scan.txt

Finally, let's check the saved scan results. We'll use the cat command, which stands for "concatenate". This command reads the contents of a file and displays them in the terminal. Here's the command:

cat /home/labex/project/nmap_scan.txt

You should see the same scan results that were previously displayed in the terminal.

This basic scan shows us how the -Pn option can be used to bypass firewall rules that block ping probes. In a real-world situation, this technique can be very useful when you need to scan hosts that are protected by firewalls that block ICMP traffic.

Advanced Firewall Evasion with Packet Fragmentation

In this step, we're going to explore a more advanced firewall evasion technique called packet fragmentation. Before we dive in, let's understand what packet fragmentation is. When data is sent over a network, it's divided into smaller units called packets. Some firewalls and Intrusion Detection Systems (IDS) are designed to inspect these packets for any signs of malicious activity. However, these security systems can have difficulty processing fragmented packets, which are packets that have been broken down into even smaller pieces. This difficulty can create an opportunity for us to bypass certain security measures during our scans.

We'll continue using our local HTTP server as the target for our scan. First, we need to navigate to the appropriate directory in the terminal where we performed our previous scan. This directory is where our project files are located, and it's important to be in this directory so that our commands work correctly. To do this, we'll run the following command:

cd /home/labex/project

Now that we're in the right directory, we're ready to run a scan using Nmap's fragmentation option. This option will break the IP packets into smaller fragments, making it harder for packet filters to detect our scan. Here's the command we'll use:

sudo nmap -f -Pn --reason -p 8000 localhost

Let's break down the additional option -f in this command. The -f option tells Nmap to fragment the IP packets. By doing this, we're making it more challenging for packet filters to analyze the packets and detect that we're performing a scan.

After running the command, you should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-18 16:46 CST
Nmap scan report for localhost (127.0.0.1)
Host is up, received user-set (0.000062s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE  REASON
8000/tcp open  http-alt syn-ack ttl 64

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

This output shows us the results of our scan. It tells us that the host (localhost) is up and that port 8000 is open.

Next, we want to save these results to a separate file. This way, we can refer back to them later and compare them with other scan results. To save the results, we'll run the following command:

sudo nmap -f -Pn --reason -p 8000 localhost > /home/labex/project/nmap_frag_scan.txt

The > symbol in this command redirects the output of the Nmap scan to the specified file.

Now, let's check the contents of this file to make sure the results were saved correctly. We'll use the cat command, which is used to display the contents of a file:

cat /home/labex/project/nmap_frag_scan.txt

The scan results might look similar to our previous scan, but the underlying technique is different. In this case, Nmap fragmented the IP packets into smaller pieces, which makes it harder for stateless packet filters to detect the scan.

Let's compare the two scan methods we've used so far: the regular scan and the fragmented scan. We'll create a new file to store this comparison. Here are the commands to do that:

echo "Comparing regular scan vs. fragmented scan:" > /home/labex/project/scan_comparison.txt
echo "---------------------------------------------" >> /home/labex/project/scan_comparison.txt
echo "" >> /home/labex/project/scan_comparison.txt
echo "1. Regular scan with -Pn:" >> /home/labex/project/scan_comparison.txt
cat /home/labex/project/nmap_scan.txt >> /home/labex/project/scan_comparison.txt
echo "" >> /home/labex/project/scan_comparison.txt
echo "2. Fragmented scan with -f -Pn:" >> /home/labex/project/scan_comparison.txt
cat /home/labex/project/nmap_frag_scan.txt >> /home/labex/project/scan_comparison.txt

These commands first write a header to the comparison file, then add the results of the regular scan and the fragmented scan to the file.

Now, let's examine our comparison by displaying the contents of the comparison file:

cat /home/labex/project/scan_comparison.txt

In our controlled environment, the results of the two scans might look similar. However, in real-world scenarios, these different techniques can have varying levels of success against different firewall configurations. Packet fragmentation (-f) is particularly effective against stateless packet filters. Stateless packet filters examine each packet independently and often cannot reassemble the fragments to inspect the complete packet, which gives our fragmented scan a better chance of bypassing these filters.

For even more fragmentation, Nmap allows you to increase the level by using multiple -f flags (e.g., -ff) or by specifying a custom Maximum Transmission Unit (MTU) size with the --mtu option. The MTU is the largest size of a packet that can be transmitted over a network. By specifying a custom MTU, you can control how the packets are fragmented.

This technique demonstrates how packet fragmentation can be used as an additional method to evade firewall detection when conducting security assessments.

Summary

In this lab, you have learned how to identify and bypass firewall restrictions using Nmap's firewall evasion techniques. First, you set up a local HTTP server as a target for scanning, creating a safe environment to practice different scanning methods without impacting external systems. Then, you performed a basic Nmap scan with the -Pn option to bypass host discovery, which is useful when firewalls block ICMP echo requests. This allowed you to scan ports that might be hidden behind firewall rules.

Next, you explored an advanced evasion technique: packet fragmentation using the -f option. This method fragments IP packets, making it harder for stateless packet filters to detect and block the scan. By comparing the results of both techniques, you understood their differences and applications. These techniques are essential for security professionals to conduct thorough security assessments. However, remember to use them only in authorized assessments with proper permissions to avoid violating laws and policies.