Today, firewalls are an essential part of almost every IT infrastructure and are being deployed in a myriad of shapes and forms. They usually focus on layers 3 and 4 of the OSI Model (occasionally layer 2). Next-generation Firewalls (NGFW) can also cover layers 5, 6, and 7. With more layers covered, we gain more control, but also spend more computing power. Thus, for the third part of our series we will explore a few scenarios showing how we can leverage Nmap's options to assess and evade the firewalls we encounter. There are ways beyond firewalls in Nmap of course, and we've talked about some features, but for our purposes here, let's just focus on firewalls for a bit.

Evasion Tactics: Evasion via source spoofing

Firewalls are there to detect and block our scan, so we need to employ many different tactics in order to circumvent them. There are different approaches, but we will focus on evasion via control of the source IP or MAC address or the source port. Other possible tactics include evasion via fragmentation (MTU and data length), or evasion by modifying the header fields. For this article, we will only look into the source spoofing tactics. However, at the end of the article, we will give a brief one-sentence overview of the other two tactics and what they're trying to achieve.

We have identified our host, and we kick off our scan with the following command:

We're telling Nmap to do a stealth (SYN) scan – the -sS option – while -Pn forces Nmap to continue our scan even when there are no ping replies. To speed up our scan, we have specified the -F option, which tells Nmap to go for the 100 most common ports.

We ran a Wireshark session on the same system as Nmap. Our IP address (10.10.2.15) has sent out ~200 packets. The source port was randomly chosen – from the image above we can see that it's port 61406. And, finally, no errors are introduced in the checksum.

We use the option -D, adding our decoy source IPs. When we do so, Nmap mixes your IP address in with the other decoy IPs. This can make it hard for the firewall and the target host to figure out the source of the port scan. Our target host (10.10.78.73) will see the scans coming from two IP addresses (10.10.10.1 and 10.10.10.2), even though only one source IP (ME) is actually running the scan.

Also, you don't need to specify decoy addresses; you can use random source IP addresses (RND) instead, by running, for example:

```
nmap -sS -Pn -D RND,RND,ME -F 10.10.78.73
```

Every time we run this command, Nmap will choose a random IP address to be each decoy. The Wireshark capture is shown in the picture below.
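From the target's side, a decoy scan shows up as several source addresses probing the same ports at the same moment. The following Python script, added here as an example and not part of the original article, groups SYN records by time window and port set to flag that pattern; the log entries and the 192.0.2.44 address are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample of TCP SYN records as a target host might log them:
# (timestamp_seconds, source_ip, destination_port). Three sources hit the
# same ports within milliseconds of each other, which is how a decoy scan
# looks from the target side; 192.0.2.44 is unrelated background traffic.
SYN_LOG = [
    (100.000, "10.10.10.1", 22), (100.001, "10.10.2.15", 22), (100.002, "10.10.10.2", 22),
    (100.010, "10.10.10.1", 80), (100.011, "10.10.2.15", 80), (100.012, "10.10.10.2", 80),
    (100.020, "10.10.10.1", 443), (100.021, "10.10.2.15", 443), (100.022, "10.10.10.2", 443),
    (100.030, "10.10.10.1", 3389), (100.031, "10.10.2.15", 3389), (100.032, "10.10.10.2", 3389),
    (130.500, "192.0.2.44", 443),
]


def find_decoy_groups(syn_log, window=1.0, min_ports=3, min_sources=2):
    """Return groups of source IPs that probed the same ports in lockstep.

    A decoy scan emits one copy of every probe per decoy plus one for the
    real scanner, so the set of probed ports is identical across those
    sources and the probes land in the same short time window. Each result
    is (sorted tuple of sources, sorted tuple of ports).
    """
    # Bucket SYNs by coarse time window so unrelated traffic stays apart.
    per_window = defaultdict(lambda: defaultdict(set))
    for ts, src, dport in syn_log:
        per_window[int(ts // window)][src].add(dport)

    groups = []
    for bucket in sorted(per_window):
        by_portset = defaultdict(set)
        for src, ports in per_window[bucket].items():
            if len(ports) >= min_ports:  # ignore single stray connections
                by_portset[tuple(sorted(ports))].add(src)
        for ports, sources in by_portset.items():
            if len(sources) >= min_sources:
                groups.append((tuple(sorted(sources)), ports))
    return groups


if __name__ == "__main__":
    for sources, ports in find_decoy_groups(SYN_LOG):
        print(f"possible decoy scan: {sources} probed the same ports {ports}")
```

The script flags candidates only: a genuinely distributed scan from several real hosts produces the same pattern, and a scanner whose probes straddle a window boundary can be missed, so tune `window` to the burst rate you actually observe.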