Intro
Today, firewalls are an essential part of almost every IT infrastructure and are deployed in a myriad of shapes and forms. They usually focus on layers 3 and 4 of the OSI model (occasionally layer 2). Next-generation firewalls (NGFWs) can also cover layers 5, 6, and 7. With more layers covered, we gain more control, but we also spend more computing power.
Thus, for the third part of our series we will explore a few scenarios showing how we can leverage Nmap’s options to assess and evade the firewalls we encounter.
Nmap has plenty of features beyond firewall handling, and we have talked about some of them before, but for our purposes here, let’s focus on firewalls for a bit.
Evasion Tactics:
Evasion via source spoofing
- Decoy
- Proxy
- Spoofed IP Address
- Spoofed MAC Address
- Fixed Source Port Number
Firewalls are there to detect and block our scan, so we need to employ a number of different tactics to circumvent them. Luckily, Nmap has us covered there too. There are different approaches, but we will focus on evasion via control of the source IP address, the source MAC address, or the source port. Other possible tactics include evasion via fragmentation (MTU and data length) and evasion by modifying header fields.
For this article, we will only look into the source spoofing tactics. However, at the end of the article, we will give a brief one-sentence overview of the other two tactics mentioned and what they are trying to achieve.
Evasion via source spoofing
We have identified our host, and we kick off our scan with the following command:
nmap -sS -Pn -F <IP_address>
We’re telling Nmap to do a stealth (SYN) scan with the -sS option, while -Pn tells Nmap to continue the scan even if there are no ping replies. To speed up the scan, we have specified the -F option, which tells Nmap to probe only the 100 most common ports. We ran a Wireshark session on the same system as Nmap. (image below)
Our IP address (10.10.2.15) has sent out ~200 packets. The source port was chosen randomly; from the image above we can see that it is port 61406. Our IP packet is 44 bytes. Time to Live (TTL) is 42. And, finally, no errors are introduced in the checksum.
Decoy
To hide our scans, we can use decoys. When we do so, Nmap mixes the probes from our IP address with probes that appear to come from other decoy IPs. This can make it hard for the firewall and the target host to figure out the real source of the port scan. We use the -D option followed by a comma-separated list of decoy source IPs, with ME standing for our own address. It looks something like this:
nmap -sS -Pn -D 10.10.10.1,10.10.10.2,ME -F 10.10.78.73
Our target host (10.10.78.73) will see probes arriving from the two decoy addresses (10.10.10.1 and 10.10.10.2) as well as from our own (ME), even though only one host is actually running the scan. The Wireshark capture is shown in the picture below.
You don’t need to specify decoy addresses explicitly, either: you can also use random source IP addresses (RND), by running, for example:
nmap -sS -Pn -D RND,RND,ME -F 10.10.78.73
Every time we run this command, Nmap will choose random IP addresses to serve as the decoys.
Proxy
The idea here is simple – relay the port scan using a proxy, so that your IP address remains hidden to your target. With this technique, the target will log the IP address of the proxy server, and not your own, which is great – and, depending on your need, essential.
Generally, you would use the --proxies option, specifying --proxies Proxy_Url, for example:
nmap -sS -Pn --proxies Proxy_Url -F 10.10.78.73
Spoofed IP Address
With the -S <IP_Address> option, Nmap lets you spoof your source IP address. Please note that this is only useful when you are on the same subnet as your target; if you are not, the replies from your target are sent to the spoofed address and you will not be able to read them.
There are a few reasons why you would want to do this. For example, it can help you remain undetected, and it can also be a tool for exploiting IP-address-based trust relationships on the network.
Moreover, if you have access to the machine that owns the spoofed IP address, and your target starts blocking that address, you can always switch to a second IP address belonging to a system that is also under your control.
Spoofed MAC Address
Similar to spoofing your IP address, Nmap lets you spoof your MAC address using --spoof-mac <Mac_Address>. This will only work if your machine is on the same network segment as your target. If it is not, then, as with IP spoofing, you will not be able to capture or read the responses. This technique allows you to exploit trust relationships between systems that depend on MAC addresses. It also lets you hide your scanning activity by making your scans appear to come from a device already on the network, for example a printer or an IoT device.
Fixed Source Port Number
This one is useful if you have just found out that the firewall allows incoming packets from a specific source port, for example port 80 or port 443. We set the fixed source port number with either the -g or the --source-port option. In the example below, we scanned with the source port fixed to 8080 (TCP); you can see that all the TCP connections came from that port.
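From the defender’s side, both the decoy scan and the fixed source port tactic leave a recognisable pattern in a SYN log. The following is an added example, not code from the original article: it runs two checks over a constructed list of SYN records (the record layout, the addresses and the timings are assumptions, modelled on the captures described above).

```python
# Added example (not from the original article): defender-side checks over a
# constructed list of SYN records modelled on the captures described above.
# Record layout is an assumption: (time_ms, src_ip, src_port, dst_ip, dst_port, ttl, ip_len)
from collections import defaultdict

SYN_LOG = [  # constructed sample, not a real capture
    # decoy scan: real source 10.10.2.15 plus decoys 10.10.10.1/.2; every probe
    # is sent three times with identical source port, TTL and IP length
    (1000, "10.10.10.1", 61406, "10.10.78.73", 22, 42, 44),
    (1000, "10.10.10.2", 61406, "10.10.78.73", 22, 42, 44),
    (1000, "10.10.2.15", 61406, "10.10.78.73", 22, 42, 44),
    (1010, "10.10.10.1", 61406, "10.10.78.73", 80, 42, 44),
    (1010, "10.10.10.2", 61406, "10.10.78.73", 80, 42, 44),
    (1010, "10.10.2.15", 61406, "10.10.78.73", 80, 42, 44),
    (1020, "10.10.10.1", 61406, "10.10.78.73", 443, 42, 44),
    (1020, "10.10.10.2", 61406, "10.10.78.73", 443, 42, 44),
    (1020, "10.10.2.15", 61406, "10.10.78.73", 443, 42, 44),
    # ordinary client: a fresh ephemeral port per connection, OS-default TTL
    (2000, "10.10.5.9", 51000, "10.10.78.73", 443, 64, 60),
    (2500, "10.10.5.9", 51001, "10.10.78.73", 80, 64, 60),
    # scan with a fixed "trusted" source port (nmap -g 8080)
    (3000, "10.10.3.7", 8080, "10.10.78.73", 22, 51, 44),
    (3010, "10.10.3.7", 8080, "10.10.78.73", 25, 51, 44),
    (3020, "10.10.3.7", 8080, "10.10.78.73", 3389, 51, 44),
]

def decoy_groups(records, window_ms=50, min_sources=2):
    """Sets of source IPs that hit the same target port within one time window
    with an identical (src_port, ttl, ip_len) fingerprint: decoy copies of a
    probe are sent back to back, so they cluster like this."""
    buckets = defaultdict(set)
    for t, src, sport, dst, dport, ttl, ip_len in records:
        buckets[(dst, dport, sport, ttl, ip_len, t // window_ms)].add(src)
    groups = set()
    for sources in buckets.values():
        if len(sources) >= min_sources:
            groups.add(frozenset(sources))
    return groups

def reused_source_ports(records, min_dst_ports=3):
    """(src_ip, src_port) pairs that reuse one source port against many
    destination ports. A real client opens each connection from a new
    ephemeral port; a scanner does not. A firewall rule that trusts traffic
    by source port alone is exactly what -g/--source-port takes advantage of."""
    seen = defaultdict(set)
    for _, src, sport, _, dport, _, _ in records:
        seen[(src, sport)].add(dport)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_dst_ports}
```

The first check cannot tell which member of a decoy group is the real scanner, which is the point of the tactic; it can, however, collapse the group into one alert instead of three. The mitigation for the second pattern is to filter on destination port and connection state rather than trusting a source port.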
Evasion using Forced Fragmentation, Data Length, and MTU
Control the packet size by fragmenting packets or by sending packets with specific data lengths. If an IDS/IPS never reassembles the fragments, it is highly likely to let them through, and the target machine will reassemble and process the packet.
To fragment your packets into 8-byte pieces, use the -f option (example: nmap -sS -Pn -f -F <IP_Address>).
To fragment your packets into 16-byte pieces, use the -ff option (example: nmap -sS -Pn -ff -F <IP_Address>).
Running Nmap with --mtu <value> sets the number of payload bytes per IP packet (meaning the size of the IP header is not included). Note that the MTU value must always be a multiple of 8.
Finally, if you have realized that an IPS/IDS is triggered by a specific size of the packets you are sending, you can try to be more evasive by specifying an explicit length. You can do this with the --data-length <value> option. (Note that the length should be a multiple of 8, too.)
So, if you run nmap -sS --data-length 128 -F <IP_Address>, every TCP segment will be padded with arbitrary/random bytes of data until its length is 128 bytes.
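The reason tiny fragments defeat a stateless filter is that the first fragment no longer carries a complete TCP header, so the destination port is not visible until reassembly. The following is an added example, not code from the original article: it builds IPv4 fragment headers inline with struct (constructed packets, not captured traffic) and flags first fragments that are too small to hold a 20-byte TCP header, which is what -f, -ff and a small --mtu produce.

```python
# Added example (not from the original article): parse IPv4 headers and flag
# tiny TCP fragments of the kind -f / -ff / --mtu produce. Packets are
# constructed inline with struct; addresses and IP IDs are made up.
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(payload_len, ident, mf, offset8, proto=6, ttl=42):
    """Constructed IPv4 header followed by payload_len dummy bytes."""
    flags_frag = (0x2000 if mf else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, bytes([10, 10, 2, 15]), bytes([10, 10, 78, 73]))
    return hdr + b"\x00" * payload_len

def parse_ipv4(pkt):
    """Return the fields a fragment check needs; offset is converted to bytes."""
    ver_ihl, _, total, ident, flags_frag, ttl, proto, _, _, _ = \
        struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "ttl": ttl,
            "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "frag_bytes": total - ihl}

def tiny_fragment_alerts(packets, min_first_frag=20):
    """(ip_id, fragment_size) for TCP first fragments that cannot hold a full
    20-byte TCP header. A filter that does not reassemble never sees the
    destination port of such a probe; dropping or reassembling them fixes that."""
    alerts = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] != 6:
            continue
        fragmented = h["mf"] or h["offset"] > 0
        if fragmented and h["offset"] == 0 and h["frag_bytes"] < min_first_frag:
            alerts.append((h["id"], h["frag_bytes"]))
    return alerts

# constructed: nmap -f splits the 24-byte TCP header of the 44-byte SYN seen
# above into three 8-byte fragments (offsets 0, 8 and 16 bytes)
NMAP_F = [build_ipv4(8, 0x1234, True, 0), build_ipv4(8, 0x1234, True, 1),
          build_ipv4(8, 0x1234, False, 2)]
# constructed: an ordinary large datagram fragmented at a 1500-byte link MTU
NORMAL = [build_ipv4(1480, 0x2222, True, 0), build_ipv4(200, 0x2222, False, 185)]
```

Only the first fragment is reported, since later fragments of the same IP ID add nothing a defender can act on without reassembly.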
Table 1. - Nmap Commands

| Evasion Technique | Nmap Command/Option |
| --- | --- |
| Decoy scan | -D Decoy1_IP,Decoy2_IP,ME |
| Random decoys | -D RND,RND,RND,ME |
| Spoof source IP address | -S <IP_Address> |
| Spoof source MAC address | --spoof-mac MAC_Address |
| Fixed source port number | -g Port_nr or --source-port Port_nr |
| HTTP/SOCKS4 proxy | --proxies Proxy_Url |
| Fragment IP data – 8 bytes | -f |
| Fragment IP data – 16 bytes | -ff |
| Specific packet length | --data-length <Number> |
| MTU fragmented packets | --mtu <Value> |
Conclusion
We went over some interesting techniques and features of Nmap and its behavior and interaction with target firewalls. Of course, as you might have already imagined, there is a lot more to this, but since we are limited in what we can present here, we hope that this higher-level overview will still be of some use to you. For more great info and resources on Nmap, I wholeheartedly recommend the official Nmap website, as it is one of the best, if not THE best, resource on Nmap out there. (It will also lead you to many other great resources, hopefully.)