How can the nmap tool be used to evade a firewall/IDS?

There are various ways that come in handy with nmap to evade the basic rules of a firewall or intrusion detection system.

1) Packet Fragmentation:

  • This option evades the pattern matching detection technique. Since packet reassembly can be quite processor intensive, it's common for admins to disable it.

  • In Snort, fragmentation reassembly functionality is disabled by default.

  • Usage: #nmap -f <other options>

2) Decoy Scan:

  • We can add some random hosts either from the attacker's subnet or from the victim's subnet while scanning the target.

  • In firewall logs, there will be multiple hosts along with the attacker's IP, making it difficult to trace the attacker.

  • Usage: #nmap -D <ip1, ip2,...,ME> <other options>

3) Spoof source IP address:

  • The attacker can spoof the source IP address (from the victim's subnet) so that it'll appear to the IDS/firewall that it's a legitimate user and will be passed.
  • Usage: #nmap -S <spoofed ip> <other options>

4) Spoof source port:

  • The attacker can spoof the source port number while scanning the target to bypass rules in the firewall that allow requests from a few ports (e.g. port 53).
  • Usage: #nmap --source-port <port no> <other options>

5) Scanning Timing:

  • There are various timing options included in nmap that control how successive packets are sent. They can be used to evade some of the rules in firewalls or IDS.

    T0: Paranoid (waits 5 minutes between sending each probe, not detected by IDS/IPS)

    T1: Sneaky (waits 15 seconds)

    T2: Polite

    T3: Normal

    T4: Aggressive

    T5: Insane (easily detectable)

  • Usage: #nmap -T<0-5> <other options>

There are other options like data-length appending and badsum which can also be used. Idle scan is the best that I'll suggest for evading the firewall. Although all the methods mentioned above claim to evade the firewall/IDS, if rules are set properly your scan can still be detected.
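As an added illustration of the fragmentation point in the answer above (this is example code written for this page, not from either answer or from the Nmap project): a small Python simulation of why splitting a probe into 8-byte fragments, as -f does, defeats a matcher that inspects each packet on its own, and why an IDS has to reassemble before matching. No packets are sent. The probe bytes, the two signature strings and the out-of-order delivery are constructed for the illustration; the 8-byte and 16-byte fragment sizes are the documented behaviour of -f and -ff.

```python
from __future__ import annotations

# Added example, not part of either answer above: a toy simulation of why
# `nmap -f` defeats a per-packet pattern matcher and why an IDS needs
# fragment reassembly to see the probe. No packets are sent; the probe
# bytes and the signature list are constructed for this illustration.

# nmap -f splits the transport header and payload into 8-byte fragments
# (-ff uses 16 bytes; --mtu accepts any multiple of 8).
FRAGMENT_SIZE = 8

# Constructed probe standing in for traffic an IDS content rule would flag.
PROBE = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"

# Constructed signatures in the spirit of an IDS "content:" rule.
SIGNATURES = [b"/etc/passwd", b"cgi-bin/.."]


def fragment(payload: bytes, size: int = FRAGMENT_SIZE) -> list[tuple[int, bytes]]:
    """Split payload into (offset, chunk) pairs, mimicking IP fragments.

    Offsets are plain byte offsets here; real IP fragment offsets are counted
    in 8-byte units, which is why the size must be a multiple of 8.
    """
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def match_per_fragment(frags: list[tuple[int, bytes]], signatures: list[bytes]) -> set[bytes]:
    """Naive IDS: inspect every fragment in isolation, no reassembly."""
    return {sig for _, chunk in frags for sig in signatures if sig in chunk}


def reassemble(frags: list[tuple[int, bytes]]) -> bytes:
    """Rebuild the original bytes from fragments arriving in any order.

    Exact duplicates and consistent overlaps are tolerated; a gap or a
    conflicting overlap raises, because a reassembler cannot trust such a
    datagram (plain -f does not produce either, but crafted traffic might).
    """
    buf = bytearray()
    for off, chunk in sorted(frags, key=lambda f: f[0]):
        if off > len(buf):
            raise ValueError(f"gap before offset {off}")
        overlap = len(buf) - off
        if overlap:
            if bytes(buf[off:off + len(chunk)]) != chunk[:overlap]:
                raise ValueError(f"conflicting overlap at offset {off}")
            chunk = chunk[overlap:]
        buf.extend(chunk)
    return bytes(buf)


def match_after_reassembly(frags: list[tuple[int, bytes]], signatures: list[bytes]) -> set[bytes]:
    """IDS with reassembly: match against the rebuilt datagram."""
    data = reassemble(frags)
    return {sig for sig in signatures if sig in data}


def demo(size: int = FRAGMENT_SIZE) -> tuple[set[bytes], set[bytes]]:
    """Return (hits without reassembly, hits with reassembly) for one probe."""
    frags = fragment(PROBE, size)
    frags.reverse()  # deliver out of order, as fragments may arrive on the wire
    return match_per_fragment(frags, SIGNATURES), match_after_reassembly(frags, SIGNATURES)


if __name__ == "__main__":
    for size in (8, 16):
        naive, full = demo(size)
        print(f"{size}-byte fragments: per-fragment hits={sorted(naive)} "
              f"reassembled hits={sorted(full)}")
```

With 8-byte fragments neither signature fits inside a single fragment, so the per-fragment matcher reports nothing while the reassembling matcher reports both; with 16-byte fragments (-ff) both signatures happen to land inside one fragment and the naive matcher catches them. The evasion therefore depends on the fragment size being smaller than the signatures in play, and it stops working the moment the sensor reassembles.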


Nmap has several useful options which can help you evade a firewall/IDS. The effectiveness of these options will depend upon what you are up against, i.e. the system(s) and how they are configured. A properly configured, modern firewall will hinder your scans very effectively.

A good breakdown of the nmap options you can use can be found here. Generally speaking you're trying to change the traffic sent by Nmap in a way which causes the firewall/IDS you're up against to miss it.

Edit

A note on decoys (as requested in comment below). The Nmap -D option allows you to specify a list of decoy IP addresses, for example (192.168.1.1 as the target):

nmap -D 192.168.1.2,192.168.1.3,192.168.1.4 192.168.1.1

There's also the ability to generate some random IPs as decoys:

nmap -D RND:5 192.168.1.1

Note that there are several caveats with using -D, such as the risk of SYN flooding your target, ISPs not forwarding spoofed packets, and it only being available with specific Nmap scan types. Hope that helps!