NMAP (Part 5): Firewall Evasion Options
This article is part of a series. Check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!
Fragment packets (-f)
-f tells Nmap to split the probe's TCP (or UDP/ICMP) header across several tiny IP fragments, 8 bytes of data each; give the option twice (-ff) for 16-byte fragments. The point is that a packet filter or IDS that inspects each fragment on its own never sees the whole header: with 8-byte fragments the TCP flags only arrive in the second fragment, so a rule that matches on a SYN cannot fire on the first one. Two caveats: fragmentation needs raw-packet privileges (root) and only applies to raw-socket scan types such as the default SYN scan, not to a connect scan (-sT); and many current firewalls and IDSs reassemble fragments before inspection, while some hosts and routers drop fragments outright, so confirm the effect against the target rather than assuming it works.
Specify MTU size (--mtu <number>)
--mtu lets you choose the fragment size yourself instead of the 8 or 16 bytes that -f gives you; Nmap will then carry at most that many bytes of header/payload data in each fragment.
The value must be a multiple of 8, because the IPv4 fragment offset field counts 8-byte blocks; Nmap refuses other values.
nmap --mtu 24 192.168.1.1
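To make the arithmetic behind -f and --mtu concrete, here is an added Python model (not code from the article or from Nmap itself) of IPv4 fragmentation: it packs a constructed 20-byte TCP SYN header, splits it the way Nmap does for a given fragment size, shows which fragment carries the TCP flags, and reassembles the pieces the way an inspecting firewall would. The header field values and the 25-byte payload (standing in for --data-length 25) are made up for the example.

```python
"""Model of the IPv4 fragmentation behind nmap's -f / --mtu options.

Added illustration, not part of the original article or of Nmap's source.
The TCP header below is constructed for the example; its values are arbitrary.
"""
import os
import struct
from dataclasses import dataclass
from typing import List

# Constructed 20-byte TCP SYN: sport 43210, dport 22, seq, ack, data offset 5,
# flags=SYN (0x02), window 1024, checksum 0, urgent pointer 0.
SYN_PROBE = struct.pack("!HHIIBBHHH", 43210, 22, 0x12345678, 0, 5 << 4, 0x02, 1024, 0, 0)
TCP_FLAGS_OFFSET = 13  # byte index of the flags field within the TCP header


@dataclass
class Fragment:
    offset: int   # in 8-byte units, exactly as the IPv4 fragment offset field
    more: bool    # MF (More Fragments) flag
    data: bytes


def fragment(ip_payload: bytes, frag_size: int) -> List[Fragment]:
    """Split an IP payload into fragments carrying at most frag_size bytes each.

    frag_size is what --mtu sets; -f is equivalent to 8 and -ff to 16.
    It must be a multiple of 8 because fragment offsets count 8-byte blocks.
    """
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(ip_payload), frag_size):
        chunk = ip_payload[start:start + frag_size]
        frags.append(Fragment(offset=start // 8,
                              more=start + frag_size < len(ip_payload),
                              data=chunk))
    return frags


def first_fragment_shows_tcp_flags(frags: List[Fragment]) -> bool:
    """Could a filter that only looks at the first fragment see the TCP flags?"""
    return len(frags[0].data) > TCP_FLAGS_OFFSET


def reassemble(frags: List[Fragment]) -> bytes:
    """What a reassembling firewall or IDS does before it inspects the packet.

    Accepts fragments in any order; rejects gaps, overlaps and a missing tail.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset * 8 != len(buf):
            raise ValueError("gap or overlap in fragment set")
        buf += f.data
    if not ordered or ordered[-1].more:
        raise ValueError("final fragment missing")
    return bytes(buf)


if __name__ == "__main__":
    for size in (8, 16, 24):
        frags = fragment(SYN_PROBE, size)
        print(f"--mtu {size}: {len(frags)} fragment(s), "
              f"flags visible in first fragment: {first_fragment_shows_tcp_flags(frags)}")
    # --data-length 25 equivalent: 25 random bytes appended to the probe
    padded = SYN_PROBE + os.urandom(25)
    print(f"--mtu 16 --data-length 25: {len(fragment(padded, 16))} fragments")
    assert reassemble(fragment(padded, 16)) == padded
```

Running it shows the 20-byte header becoming three fragments (8, 8 and 4 bytes) with -f, the SYN flag landing in the second fragment, and reassembly giving back the original bytes, which is exactly why a reassembling inspection point is unaffected by the trick.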
Append random data (--data-length <number>)
By default Nmap sends minimal probes that contain only a header, and a stream of packets of exactly header size is a recognisable scanner signature, so some firewalls and IDSs key on packet size. --data-length appends the given number of random bytes to most of the packets Nmap sends, so the sizes no longer look like a scanner's. OS detection probes (-O) are not padded, because their exact size is part of the fingerprint test, and the extra bytes slow the scan slightly.
nmap --data-length 25 192.168.1.64
Scan hosts in random order (--randomize-hosts)
--randomize-hosts shuffles each group of up to 16384 target hosts before scanning them, so a monitor watching for a sequential sweep across a range sees the addresses arrive out of order. It is most useful together with slow timing templates (-T0 to -T2), which spread the probes out in time as well. The range uses a plain hyphen:
nmap --randomize-hosts 192.168.1.64-75
Specify source port number (--source-port <port> / -g <port>)
A surprisingly common firewall misconfiguration is a stateless rule that allows all inbound traffic from a particular source port, usually because some service needs replies from that port and the admin did not write the rule as "replies to connections we opened". The ports this most often involves are 20 (FTP data), 53 (DNS) and 67 (DHCP).
--source-port (alias -g) sets the source port of Nmap's probes so they match such a rule. It only takes effect for raw-packet scans (the default SYN scan, UDP scan, raw ping probes); a connect scan (-sT), version detection (-sV) and NSE scripts use the operating system's socket API and keep the kernel-assigned ephemeral port, so a "filtered" result from those does not mean the trick failed on the firewall.
nmap --source-port 53 google.com
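The misconfiguration behind the source-port trick, as an added Python illustration (not from the article or any real firewall): a stateless rule that accepts anything with source port 20, 53 or 67, next to a stateful rule that accepts only replies to connections the host itself opened. The Nmap probe below (SYN from port 53 to port 22) and the addresses are constructed for the example; the iptables lines in the comments are the usual shape of the weak and corrected rules and are there for orientation, not taken from any particular host.

```python
"""Stateless source-port rule versus stateful reply tracking.

Added illustration for the --source-port / -g section; not code from the
article. Packets and addresses below are constructed for the example.

Weak rule (what the misconfigured admin wrote, iptables syntax):
    iptables -A INPUT -p tcp --sport 53 -j ACCEPT
Corrected rule (accept only traffic belonging to connections we opened):
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""
from dataclasses import dataclass
from typing import Set, Tuple

TRUSTED_SOURCE_PORTS = (20, 53, 67)  # FTP data, DNS, DHCP, as in the article


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_allow(pkt: Packet) -> bool:
    """The misconfiguration: trust the packet because of its source port alone."""
    return pkt.sport in TRUSTED_SOURCE_PORTS


class StatefulFilter:
    """Allow inbound packets only if they answer a connection this host opened."""

    def __init__(self) -> None:
        # Tuples describing the reply we expect for each outbound connection:
        # (proto, remote_ip, remote_port, local_ip, local_port)
        self._expected: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        """Record a connection the protected host initiated."""
        self._expected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return False  # a bare SYN opens a new connection; never a reply
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self._expected


# Constructed traffic: an Nmap SYN probe sent with --source-port 53 ...
NMAP_PROBE = Packet("tcp", "203.0.113.7", 53, "192.0.2.10", 22, syn=True)
# ... and a genuine DNS exchange the protected host started itself.
DNS_QUERY = Packet("udp", "192.0.2.10", 41234, "203.0.113.53", 53)
DNS_REPLY = Packet("udp", "203.0.113.53", 53, "192.0.2.10", 41234)


def verdicts(pkt: Packet, fw: StatefulFilter) -> Tuple[bool, bool]:
    """(stateless verdict, stateful verdict) for one inbound packet."""
    return stateless_allow(pkt), fw.allow(pkt)


if __name__ == "__main__":
    fw = StatefulFilter()
    fw.outbound(DNS_QUERY)
    print("nmap SYN from sport 53 -> ssh:", verdicts(NMAP_PROBE, fw))
    print("real DNS reply:", verdicts(DNS_REPLY, fw))
```

The stateless rule lets the probe through to port 22 simply because it claims source port 53; the stateful filter rejects it because no outbound connection is waiting for a reply from that address and port, while the real DNS answer passes both. That difference is the whole reason the trick is worth trying, and the whole reason a stateful rule ends it.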