Evasion & Spoofing
Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses.
Fragment Packets
The fragment option causes the requested scan (including ping scans) to use tiny fragmented IP packets.
Nmapr.scan :cmd do
fragment
end
Decoys
Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
Nmapr.scan :cmd do
decoys ['192.168.0.3', '192.168.0.4']
end
Spoof Source Address
Spoofs the source IP address of sent packets. Imagine a company being repeatedly port scanned by a competitor!
Nmapr.scan :cmd do
spoof :ip, "192.168.0.10"
end
Specify Interface
Tells Nmap what interface to send and receive packets on.
Nmapr.scan :cmd do
interface "en0"
end
Specify Source Port
Sets the source port of sent packets. One surprisingly common misconfiguration is to trust traffic based only on the source port number.
Nmapr.scan :cmd do
source_port 31337
# or
source_port 443
# or
source_port 80
end
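To show why the misconfiguration above matters from the defender's side, here is an added example (not Nmapr code, and not part of the original page). It evaluates the same inbound packet against two toy policies: a stateless rule that trusts "well-known" source ports, and a stateful rule that only admits replies to flows the host itself opened. All packet values and the `Packet`, `FlowTracker`, `stateless_allow?`, `stateful_allow?` and `demo` names are constructed for this illustration.

```ruby
# Added example (not Nmapr code): trusting the source port alone versus
# tracking flow state. Sample traffic below is constructed.
Packet = Struct.new(:src_ip, :src_port, :dst_ip, :dst_port, :proto, keyword_init: true)

# The misconfiguration: accept any inbound packet whose source port looks like
# DNS or HTTP, whether or not anyone on this host asked for it.
def stateless_allow?(pkt)
  [53, 80, 443].include?(pkt.src_port)
end

# The fix: remember the 5-tuple of every outbound packet and only accept inbound
# traffic that answers one of those flows (a minimal connection tracker).
class FlowTracker
  def initialize
    @flows = {}
  end

  def outbound(pkt)
    @flows[[pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port]] = true
  end

  # An inbound packet is a reply if its reversed tuple matches a recorded flow.
  def reply_to_known_flow?(pkt)
    @flows.key?([pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port])
  end
end

def stateful_allow?(tracker, pkt)
  tracker.reply_to_known_flow?(pkt)
end

# Run both policies over a genuine DNS reply and an unsolicited probe that
# merely sets its source port to 53 (what a fixed source port produces).
def demo
  tracker = FlowTracker.new
  # The host's own DNS query, recorded on the way out (constructed).
  tracker.outbound(Packet.new(src_ip: "10.0.0.5", src_port: 50123,
                              dst_ip: "10.0.0.53", dst_port: 53, proto: :udp))
  legit_reply = Packet.new(src_ip: "10.0.0.53", src_port: 53,
                           dst_ip: "10.0.0.5", dst_port: 50123, proto: :udp)
  probe = Packet.new(src_ip: "192.0.2.9", src_port: 53,
                     dst_ip: "10.0.0.5", dst_port: 22, proto: :tcp)
  {
    legit_stateless: stateless_allow?(legit_reply),
    probe_stateless: stateless_allow?(probe),
    legit_stateful: stateful_allow?(tracker, legit_reply),
    probe_stateful: stateful_allow?(tracker, probe)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The stateless policy admits both packets; the stateful one admits only the real reply, because the probe to port 22 matches no outbound flow. Real firewalls implement the second behaviour with connection tracking (for example `ESTABLISHED,RELATED` matching), which is the usual remedy for this misconfiguration.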
Append Custom Binary Data
This option lets you include binary data as payload in sent packets.
Custom Hex
Append custom binary data to sent packets.
Nmapr.scan :cmd do
data :hex, "\xAA\xBB\xCC\xDD\xEE\xFF"
# or
data :hex, "AABBCCDDEEFF"
# or
data :hex, "0xAABBCCDDEEFF"
end
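The three notations shown above are the textual forms nmap's own `--data` option accepts. As an added example (not Nmapr code and not from the original page), the `normalize_hex_payload` function below, a name chosen here, parses all three into raw bytes and rejects malformed input, so a wrapper can validate what it hands to nmap. One Ruby-specific caveat it illustrates: inside double quotes, `"\xAA"` is already a byte escape, so the backslash form must be written with single quotes (or `"\\xAA"`) to stay textual.

```ruby
# Added example (not Nmapr code): normalize nmap-style hex payload notation
# (0xAABB..., AABB..., \xAA\xBB...) to a binary string, rejecting bad input.
def normalize_hex_payload(text)
  s = text.strip
  hex =
    if s.start_with?("0x", "0X")
      s[2..]                                   # "0xAABB" -> "AABB"
    elsif s.include?("\\x")
      # '\xAA\xBB' -> "AABB"; every chunk must be exactly \x plus two hex digits
      parts = s.scan(/\\x([0-9A-Fa-f]{2})/)
      raise ArgumentError, "malformed \\x escape in #{text.inspect}" unless parts.length * 4 == s.length
      parts.flatten.join
    else
      s
    end
  raise ArgumentError, "hex payload must have an even number of digits" if hex.length.odd?
  raise ArgumentError, "non-hex character in #{text.inspect}" unless hex.match?(/\A[0-9A-Fa-f]*\z/)
  [hex].pack("H*")                             # binary (ASCII-8BIT) string
end

if __FILE__ == $PROGRAM_NAME
  ['\xAA\xBB\xCC\xDD\xEE\xFF', "AABBCCDDEEFF", "0xAABBCCDDEEFF"].each do |form|
    puts "#{form.ljust(28)} -> #{normalize_hex_payload(form).unpack1('H*')}"
  end
end
```

All three inputs map to the same six bytes; anything with an odd digit count, a stray character, or a truncated `\x` escape raises instead of silently sending a different payload.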
Custom String
Append custom string to sent packets.
Nmapr.scan :cmd do
data :string, "Ruby is cool"
end
Random Data
Append random data to sent packets.
Nmapr.scan :cmd do
data :length, 100 # byte count; nmap rejects --data-length values above 1400
end
Randomize Hosts
Tells Nmap to shuffle each group of up to 16384 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options.
Nmapr.scan :cmd do
randomize
end
Time-to-Live
Sets the IPv4 time-to-live field in sent packets to the given value.
Nmapr.scan :cmd do
ttl 64 # IPv4 TTL is an 8-bit field, so the value must be between 0 and 255
end
Bogus TCP/UDP Checksums
Sends packets with bogus TCP/UDP checksums. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn't bother to verify the checksum.
Nmapr.scan :cmd do
badsum
end
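The check that a conforming stack performs, and that a lax firewall or IDS skips, is the RFC 1071 one's-complement checksum over the pseudo-header plus transport segment. The following is an added example (not Nmapr code and not from the original page) that computes and verifies the IPv4 UDP checksum for a constructed datagram, then corrupts it the way a bad-checksum packet would look on the wire. Function names (`ones_complement_sum`, `udp_checksum`, `udp_checksum_valid?`, `build_udp`) and all addresses are assumptions made for the illustration.

```ruby
# Added example (not Nmapr code): compute and verify the IPv4 UDP checksum
# (RFC 768 / RFC 1071). A stack that verifies this drops corrupted datagrams;
# a device that answers them is not checking.

# One's-complement sum of 16-bit big-endian words, with carries folded back in.
def ones_complement_sum(bytes)
  bytes = bytes.dup
  bytes << 0 if bytes.length.odd?            # pad odd length with a zero byte
  sum = 0
  bytes.each_slice(2) { |hi, lo| sum += (hi << 8) | lo }
  sum = (sum & 0xFFFF) + (sum >> 16) while sum > 0xFFFF
  sum
end

UDP_PROTOCOL = 17

# IPv4 pseudo-header: src IP, dst IP, zero, protocol, transport length.
def pseudo_header(src_ip, dst_ip, protocol, length)
  src_ip.split(".").map(&:to_i) + dst_ip.split(".").map(&:to_i) +
    [0, protocol, (length >> 8) & 0xFF, length & 0xFF]
end

# Correct checksum for a UDP header+payload (checksum field treated as zero).
def udp_checksum(src_ip, dst_ip, udp_bytes)
  zeroed = udp_bytes.dup
  zeroed[6] = 0
  zeroed[7] = 0                              # checksum field is at offset 6..7
  sum = ones_complement_sum(pseudo_header(src_ip, dst_ip, UDP_PROTOCOL, udp_bytes.length) + zeroed)
  csum = (~sum) & 0xFFFF
  csum.zero? ? 0xFFFF : csum                 # RFC 768: a computed zero is sent as 0xFFFF
end

# What a receiving stack (or an IDS) does before trusting the datagram.
# A stored value of 0 means "no checksum" for IPv4 UDP and is accepted as-is.
def udp_checksum_valid?(src_ip, dst_ip, udp_bytes)
  stored = (udp_bytes[6] << 8) | udp_bytes[7]
  return true if stored.zero?
  stored == udp_checksum(src_ip, dst_ip, udp_bytes)
end

# Build a UDP datagram as a byte array; bad: true deliberately corrupts the
# checksum (never to zero, so the "no checksum" rule cannot mask it).
def build_udp(sport, dport, payload, src_ip, dst_ip, bad: false)
  length = 8 + payload.bytesize
  bytes = [sport >> 8, sport & 0xFF, dport >> 8, dport & 0xFF,
           length >> 8, length & 0xFF, 0, 0] + payload.bytes
  csum = udp_checksum(src_ip, dst_ip, bytes)
  csum = (csum == 0xFFFF ? 1 : csum + 1) if bad
  bytes[6] = csum >> 8
  bytes[7] = csum & 0xFF
  bytes
end

if __FILE__ == $PROGRAM_NAME
  src, dst = "192.168.0.10", "192.168.0.1"           # constructed addresses
  good = build_udp(40000, 53, "hello", src, dst)
  bad  = build_udp(40000, 53, "hello", src, dst, bad: true)
  puts "good checksum valid? #{udp_checksum_valid?(src, dst, good)}"
  puts "bad checksum valid?  #{udp_checksum_valid?(src, dst, bad)}"
end
```

The same fold-and-complement routine applies to TCP with protocol number 6 and the checksum field at offset 16 of the TCP header; only the pseudo-header protocol value and the field offset change.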
Adler32
Use the deprecated Adler32 algorithm for calculating the SCTP checksum.
Nmapr.scan :cmd do
adler32
end
Proxies
Establishes TCP connections with a final target through a supplied chain of one or more HTTP or SOCKS4 proxies. Proxies can help hide the true source of a scan or evade certain firewall restrictions, but they can hamper scan performance by increasing latency.
Nmapr.scan :cmd do
proxies ["192.168.0.4", "192.168.0.5"]
end