Firewall/IDS Evasion

Proxies

Rotating Proxy Service

• There are a lot services out there that will sell you rotating proxies (Google "rotating proxies").

• The way it works is that you get an single IP addresses to connect through, and that IP connects out to the Internet using any number of randomly rotating proxies.

nmap -sX -proxy http://1.1.1.1:1080 -iL targetlist.txt

Proxychains

proxychains nmap -v -T4 -sX 1.2.3.4

• You can use TOR Nodes.

• You have multiple ways to configure your proxy connection with proxychains.

Decoy Scan (Noisy)

• Spoof addresses in the network

nmap -D RND:10 -sS <domain>

Fragmented packets

nmap -f -sX -Pn -v <domain>
nmap -sX -v --mtu 32 <domain> # similar to -f, sends limited amount of data during transmition

Badchecksums

• The TCP/IP Protocol uses "checksums" to ensure data integrity.

• By crafting packets with incorrect checksum information, we might be able to trick the target host into sending a response.

nmap -sX -T4 --badsum <IP>

Changing data length

• If you are going to experiment with this, try scanning a single port that you know is open 80 or 443 and play with it.

nmap -sS --data-length 300 scanme.nmap.org

Styling Nmap Results

• https://github.com/honze-net/nmap-bootstrap-xsl - Nmap Stylesheet repository

nmap -sS -T4 -A -sC -oA scanme --stylesheet https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl scanme.nmap.org scanme2.nmap.org