Today, firewalls are an essential part of almost every IT infrastructure and are deployed in a myriad of shapes and forms. They usually focus on layers 3 and 4 of the OSI model (occasionally layer 2). Next-generation firewalls (NGFW) can also cover layers 5, 6, and 7. With more layers covered we gain more control, but we also spend more computing power. Thus, for the third part of our series, we will explore a few scenarios showing how we can leverage Nmap's options to assess and evade the firewalls we encounter. Nmap can of course do much more than deal with firewalls, and we have covered some of those features already, but for our purposes here let's focus on firewalls for a bit.

Evasion Tactics: Evasion via source spoofing

Firewalls are there to detect and block our scan, so we need to employ a number of different tactics to circumvent them. There are different approaches, but we will focus on evasion via control of the source IP address, the source MAC address, or the source port. Other possible tactics include evasion via fragmentation (controlling the MTU and the data length) and evasion by modifying header fields. In this article we only look at the source spoofing tactics; at the end we give a brief overview of the other two and what they try to achieve.

We have identified our host, and we kick off our scan with the following command:

```
nmap -sS -Pn -F 10.10.78.73
```

We're telling Nmap to do a stealth (SYN) scan with the -sS option, while -Pn skips host discovery, so the scan continues even if the host does not answer our pings. To speed up the scan we specified -F, which tells Nmap to scan only the 100 most common ports.

We ran a Wireshark session on the same system as Nmap. Our IP address (10.10.2.15) sent out roughly 200 packets. The source port was chosen at random; in the capture it was port 61406, and every probe came from it. Finally, no errors were introduced in the checksums. This is the baseline that the techniques below modify.

Decoys

Nmap can mix your IP address with a set of decoy IP addresses. This can make it hard for the firewall and the target host to figure out the real source of the port scan. We use the -D option followed by the decoy source IPs, with ME marking the position of our own address in the list. Our target host (10.10.78.73) sees the scan coming from the two decoys (10.10.10.1 and 10.10.10.2) as well as from our real address, even though only one of those sources (ME) is actually running the scan.

You also don't need to pick the decoy addresses yourself: you can ask for random source IP addresses with RND, for example:

```
nmap -sS -Pn -D RND,RND,ME -F 10.10.78.73
```

Every time we run this command, Nmap chooses random IP addresses for the decoys, and the Wireshark capture shows the probes leaving from all three sources. Two caveats from Nmap's own documentation: the decoy hosts should actually be up, otherwise the target's replies to them go unanswered and you may accidentally SYN flood it (and a defender can spot that only one of the "scanners" is alive); and decoys do not work with TCP connect scans (-sT) or version detection, which use the operating system's TCP stack.

Proxies

The idea here is simple: relay the port scan through a proxy so that your IP address stays hidden from the target. The target would then log the IP address of the proxy server and not your own, which, depending on your needs, can be essential. Generally you would use the --proxies option with a comma-separated list of proxy URLs, for example:

```
nmap -sS -Pn --proxies Proxy_Url -F 10.10.78.73
```

An important caveat: Nmap's reference guide marks --proxies as still under development. It is implemented in the nsock library and therefore only affects NSE scripts and version detection (-sV); the ping, port scanning and OS detection phases are not relayed. The SYN probes in the command above are sent directly and disclose your real address. Verify with a packet capture before relying on this option for anonymity.

Spoofed IP Address

With the -S option, Nmap lets you spoof your source IP address. Note that this is only useful when you're on the same subnet as your target: the replies are addressed to the spoofed IP, so unless you can sniff them on the same segment you get no results, and Nmap cannot build its report. You will usually also need -e to name the interface and -Pn, since Nmap can't determine the interface and route from a spoofed address. There are a few reasons to do this. It can help you remain undetected, and it can be a tool for exploiting trust relationships based on IP addresses. Moreover, if you also have access to the machine that legitimately owns the spoofed address, you can switch to a second address under your control if the target starts blocking the first one.

Spoofed MAC Address

Similar to spoofing your IP address, Nmap lets you spoof your MAC address with --spoof-mac (it accepts a full MAC address, a vendor prefix, a vendor name, or 0 for a random address). This only works when your machine is on the same network segment as your target, since the source MAC does not survive a router hop; if you are not, then, as with IP spoofing, you will not be able to capture or read the responses. This technique lets you exploit trust relationships between systems that depend on MAC addresses, such as MAC-based filtering. With it you can also hide your scanning activity by making your scans appear to come from another device joined to the network, for example a printer or an IoT device.

Fixed Source Port Number

This one is useful if you've found out that the firewall allows incoming packets from a specific source port, for example port 80 or port 443 (port 53 is the classic case, from rules written to let DNS replies back in). We set the fixed port number with either -g or --source-port. In our example we scanned with the source port fixed to TCP 8080 (-g 8080); in the capture, all TCP connections came from that port. Note that Nmap only honors the source port for the raw packets it crafts itself (SYN scans, UDP scans and the like); features that use the operating system's network stack, such as connect scans (-sT), version detection and NSE scripts, use whatever port the OS assigns.

Evasion using Forced Fragmentation, Data Length, and MTU

Control the packet size by fragmenting the probes (-f splits them into fragments carrying 8 bytes of the transport header each, -f -f gives 16, and --mtu sets another fragment size, which must be a multiple of 8) or by appending extra payload bytes to every probe (--data-length). If an IDS/IPS never reassembles the fragments, it only sees a piece of the TCP header in each one and is highly likely to let the probe through, while the target machine reassembles and processes the packet. Modern IDS engines do reassemble, so this mostly defeats simple stateless filters.
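The following is an added example, not code from the original article, that shows why the fragmentation trick works and where it stops working. It builds a SYN probe like the one in the baseline scan (constructed header values, no real traffic is sent), fragments it the way -f and --mtu do, and runs a stateless per-fragment filter ("SYN to port 22?") against the fragments and against the reassembled datagram. The rule logic and the reassembler are simplified for illustration; they assume 20-byte IP headers with no options.

```python
import struct
from typing import List, Tuple

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an even- or odd-length byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def ipv4_header(src: str, dst: str, payload_len: int, ident: int,
                more_fragments: bool, frag_offset_units: int) -> bytes:
    """20-byte IPv4 header; the fragment offset is in 8-byte units, as on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set, like a SYN scan probe (TCP checksum left zero; constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)

def fragment(src: str, dst: str, transport: bytes, frag_size: int, ident: int) -> List[bytes]:
    """Split the transport header into IP fragments of frag_size bytes (nmap -f: 8, -f -f: 16, --mtu N: N)."""
    assert frag_size > 0 and frag_size % 8 == 0, "fragment payload must be a multiple of 8 bytes"
    frags = []
    for off in range(0, len(transport), frag_size):
        chunk = transport[off:off + frag_size]
        more = off + frag_size < len(transport)
        frags.append(ipv4_header(src, dst, len(chunk), ident, more, off // 8) + chunk)
    return frags

def naive_match(pkt: bytes, dport: int) -> bool:
    """Stateless filter: 'TCP SYN to dport'. Needs TCP bytes 2-3 (dst port) and byte 13 (flags)
    to be present in the same packet, which a fragment may not provide."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if pkt[9] != 6 or (flags_frag & 0x1FFF) != 0:
        return False            # not TCP, or not the fragment that starts the TCP header
    tcp = pkt[ihl:]
    if len(tcp) < 14:
        return False            # flags byte lives in a later fragment: ports and flags never seen together
    return struct.unpack("!H", tcp[2:4])[0] == dport and (tcp[13] & 0x02) != 0

def reassemble(frags: List[bytes]) -> bytes:
    """Rebuild one IP datagram from its fragments, the way the target host's stack does."""
    pieces, total, key = {}, None, None
    for pkt in frags:
        ihl = (pkt[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        k = (pkt[12:16], pkt[16:20], pkt[4:6], pkt[9])      # src, dst, identification, protocol
        if key is None:
            key = k
        elif k != key:
            raise ValueError("fragments belong to different datagrams")
        offset = (flags_frag & 0x1FFF) * 8
        pieces[offset] = pkt[ihl:]
        if not flags_frag & 0x2000:                          # MF clear: this is the last fragment
            total = offset + len(pieces[offset])
    if total is None:
        raise ValueError("last fragment missing")
    data = bytearray()
    for off in sorted(pieces):
        if off != len(data):
            raise ValueError("gap or overlap between fragments")
        data += pieces[off]
    if len(data) != total:
        raise ValueError("datagram incomplete")
    hdr = bytearray(frags[0][:20])
    struct.pack_into("!H", hdr, 2, 20 + len(data))          # total length of the whole datagram
    struct.pack_into("!H", hdr, 6, 0)                       # no MF, offset 0
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + bytes(data)

def demo(frag_size: int) -> Tuple[int, bool, bool]:
    """(fragment count, filter fired on any single fragment, filter fired after reassembly)."""
    probe = tcp_syn(61406, 22, 0x1000)                       # same source port as the baseline capture
    frags = fragment("10.10.2.15", "10.10.78.73", probe, frag_size, 0xBEEF)
    seen_by_filter = any(naive_match(f, 22) for f in frags)
    return len(frags), seen_by_filter, naive_match(reassemble(frags), 22)

if __name__ == "__main__":
    for size in (8, 16, 1480):
        print(f"fragment payload {size:>4} bytes -> fragments, filter hit, reassembled hit: {demo(size)}")
```

With 8-byte fragments (plain -f) the destination port and the SYN flag travel in different fragments, so the per-fragment rule never fires while the reassembled datagram matches; with --mtu 16 both fields fit in the first fragment and the same stateless rule catches the probe, which is why the fragment size matters as much as the decision to fragment at all.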
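Turning to the defender's side of the decoy and fixed-source-port techniques above, here is an added example (not from the original article) that runs two detection heuristics over constructed firewall log lines. The log format, hosts and thresholds are invented for the demonstration: a decoy scan shows up as several sources probing the identical set of destination ports on one target, and a -g / --source-port scan shows up as SYN packets (connection attempts, not SYN/ACK replies) whose source port is a service port such as 53, 80, 443 or 8080 fanning out to many destination ports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed iptables-style line, e.g.
# "Mar 01 10:00:01 fw kernel: DROP IN=eth0 SRC=10.10.10.1 DST=10.10.78.73 PROTO=TCP SPT=61406 DPT=22 SYN"
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)\s*(.*)$")

# Source ports a careless "allow replies from" rule might trust (assumed list for the example).
TRUSTED_SOURCE_PORTS = {20, 53, 80, 443, 8080}

@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]

def parse_log(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            src, dst, sport, dport, rest = m.groups()
            events.append(Event(src, dst, int(sport), int(dport), frozenset(rest.split())))
    return events

def is_connection_attempt(e: Event) -> bool:
    """Bare SYN = someone opening a connection; SYN/ACK is a server's reply and must not count."""
    return "SYN" in e.flags and "ACK" not in e.flags

def find_decoy_scans(events: List[Event], min_sources: int = 2,
                     min_ports: int = 5) -> List[Tuple[str, List[str], List[int]]]:
    """Several sources probing exactly the same port set on one target: the footprint of nmap -D,
    whose decoy packets are carbon copies of the real probes."""
    ports_by_src: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for e in events:
        if is_connection_attempt(e):
            ports_by_src[(e.dst, e.src)].add(e.dport)
    groups: Dict[Tuple[str, FrozenSet[int]], List[str]] = defaultdict(list)
    for (dst, src), ports in ports_by_src.items():
        if len(ports) >= min_ports:
            groups[(dst, frozenset(ports))].append(src)
    return [(dst, sorted(srcs), sorted(ports))
            for (dst, ports), srcs in groups.items() if len(srcs) >= min_sources]

def find_fixed_source_port(events: List[Event], min_dports: int = 3,
                           trusted: Set[int] = TRUSTED_SOURCE_PORTS) -> List[Tuple[str, int, int]]:
    """Connection attempts *from* a service port are backwards (servers answer from 80/443/53, they do
    not initiate from them); one such source port hitting many destination ports is nmap -g at work."""
    fanout: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for e in events:
        if is_connection_attempt(e) and e.sport in trusted:
            fanout[(e.src, e.sport)].add(e.dport)
    return sorted((src, sport, len(d)) for (src, sport), d in fanout.items() if len(d) >= min_dports)

def _line(src: str, dst: str, sport: int, dport: int, flags: str = "SYN") -> str:
    return (f"Mar 01 10:00:01 fw kernel: DROP IN=eth0 SRC={src} DST={dst} "
            f"PROTO=TCP SPT={sport} DPT={dport} {flags}")

def build_sample_log() -> List[str]:
    """Constructed sample: a decoy scan, a fixed-source-port scan, and one legitimate connection."""
    target = "10.10.78.73"
    lines = []
    # Decoy scan mirroring the article: two decoys plus the real scanner, same 10 ports, same source port.
    for src in ("10.10.10.1", "10.10.10.2", "10.10.2.15"):
        for dport in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3389):
            lines.append(_line(src, target, 61406, dport))
    # A second (hypothetical) host scanning with -g 8080.
    for dport in (22, 80, 443, 3306, 8443):
        lines.append(_line("10.10.2.16", target, 8080, dport))
    # Benign: a client's HTTPS connection and the server's SYN/ACK, which comes *from* port 443.
    lines.append(_line("10.10.5.7", target, 52001, 443))
    lines.append(_line(target, "10.10.5.7", 443, 52001, "SYN ACK"))
    return lines

if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for dst, srcs, ports in find_decoy_scans(evs):
        print(f"probable decoy scan of {dst} from {srcs} on ports {ports}")
    for src, sport, n in find_fixed_source_port(evs):
        print(f"fixed source port {sport} from {src} used against {n} destination ports")
```

Note what the first heuristic cannot do: it groups the real scanner with its decoys but does not say which one is real, because the decoy packets are byte-for-byte the same probes. The second heuristic depends on the ACK check; without it every server reply from port 443 would be reported.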