Nmap: Firewall Evasion and Practical lab.

-

Firewall Evasion Overvie

        Many firewalls block ICMP (Internet Control Message Protocol) packets by default, including the echo request and reply packets used for pinging. This can prevent Nmap from accurately determining the status of a target host since Nmap relies on ICMP to check if a host is alive. To bypass the ICMP block and treat a target host as alive regardless of whether it responds to ICMP requests or not, you can use the "-Pn" option with Nmap. This option instructs Nmap to skip the initial ping scan and proceed with the port scan, effectively treating all specified targets as live. When conducting scans on a local network, Nmap can use ARP (Address Resolution Protocol) requests to determine host activity. This can be a more accurate method compared to ICMP, especially within a LAN.

Furthermore, Nmap offers various options for evading firewalls, such as:

  1. "-f": This option breaks packets into smaller fragments, reducing the likelihood of firewall or intrusion detection system (IDS) detection.

  2. "--mtu <number>": Enables you to specify the maximum transmission unit size for packets, giving you greater control over packet size.

  3. "--scan-delay <time>ms": Introduces delays between sent packets, useful for stabilizing scans on unreliable networks and evading firewall or IDS triggers that depend on timing.

  4. "--badsum": Generates packets with intentionally invalid checksums. While a genuine TCP/IP stack would reject such packets, firewalls might respond automatically without verifying the checksum, potentially revealing the presence of a firewall or IDS.
Additional considerations and tips 
when it comes to firewall evasion techniques using Nmap:
  • Maintain thorough documentation of your scanning activities, including the purpose, scope, and results of your scans. Properly report any vulnerabilities or findings to the appropriate stakeholders.

  • When using techniques like "--scan-delay," be mindful of network stability. Excessive delays or high scan rates can disrupt network services and may draw attention to your activities.

  • In addition to the mentioned techniques, consider using Nmap's various scan types, such as "Stealth scans" (e.g., SYN, FIN, Xmas scans), which are designed to minimize the footprint of your scans and evade some types of firewall and IDS detection.

  • In more complex scenarios, you can route your Nmap scans through proxy chains or VPNs to further anonymize your scans and make it harder for defenders to trace the source of the scans.

  • Keep your Nmap tool up to date with the latest version and scripts. The Nmap team frequently releases updates and new scripts to enhance its capabilities and adapt to evolving security challenges.

  • It's a good practice to perform scanning and firewall evasion testing in a controlled lab environment or a network that you have permission to test on. Avoid scanning production systems without proper authorization and precautions.

  • Before conducting scans, gather information about the target network's topology, potential firewall configurations, and security policies. This knowledge can help you plan your scans more effectively.

  • Stay up to date with the latest security and firewall evasion techniques. The field of cybersecurity is dynamic, and new evasion methods and tools are continually emerging.
----------------------------------------------------------------------------------------------------------------------------
Question 1: Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
Answer: ICMP 

Question 2: Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Answer: --data-length
----------------------------------------------------------------------------------------------------------------------------

Practical Lab

Question 1: Does the target (MACHINE_IP)respond to ICMP (ping) requests (Y/N)?
Answer: N

Question 2: Perform an Xmas scan on the first 999 ports of the target -- how many ports are shown to be open or filtered?
Answer: 999

Question 3: There is a reason given for this -- what is it?
Answer: No Response

Question 4: Perform a TCP SYN scan on the first 5000 ports of the target -- how many ports are shown to be open?
Answer: 5

Question 5: Open Wireshark and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what's going on. Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)

Answer: Y
----------------------------------------------------------------------------------------------------------------------------
Thank you for reading 

Roger - Ozz961.

Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Example of A Day in the Life of a Junior (Associate) Security Analyst

-
The day begins early for the Junior Security Analyst, stepping into the office or logging into their remote workstation. The quiet hum of servers and the glow of multiple screens set the stage for another day at the heart of the cybersecurity battlefield. Their first task is to review the handover notes from the previous shift or the daily briefing. This update includes summaries of unresolved incidents, ongoing investigations, and any notable changes in the organization’s threat landscape. Equipped with this crucial information, the analyst prepares to navigate a world where even the smallest anomaly could signify a major threat. Logging into the array of tools—a Security Information and Event Management (SIEM) platform, endpoint detection systems, firewalls, and intrusion detection/prevention systems (IDS/IPS)—the analyst is immediately immersed in the flow of alerts. Every beep, flash, and log entry represents a potential threat. The first challenge is triage. Like a digital detecti...
Read more