Nmap evade firewall and scripting by Blackhat Pakistan 2023
Today we will learn about Nmap evade firewall and scripting in this article.
Nmap is a very powerful scanner that is used to perform many functions, including port scanning, service detection and even vulnerability detection. The first part of this article series covered many basic concepts and commands, from beginner to advanced; in this second part I'll cover some advanced Nmap techniques.
How to evade a firewall/IDS with Nmap
Firewalls and IDS (Intrusion Detection Systems) usually play an important role in the defense of a remote target, because this hardware and software is able to block intrusions. In a penetration test, however, you have to get past these tools to obtain a correct result; otherwise the scan output will mislead you. Nmap can scan a target behind a firewall or other intrusion detection system because it offers several techniques for dealing with such software, and which technique works depends on the software on the remote side. Two types of firewall can be installed on the target computer:
- Host firewall (a firewall running on a single target computer, for example the firewall running on your own computer)
- Network firewall (a firewall installed at a network node, such as the edge of a LAN, to protect the entire network)
There are likewise two types of IDS/IPS that can be deployed in front of the target computer. This is the situation a penetration tester has to deal with, and Nmap offers several techniques for it, such as:
TCP ACK scan (-sA)
It is often a good idea to send ACK packets rather than SYN packets, because if there is an active firewall running on the remote computer, the ACK packets may not generate a log entry: many firewalls treat an ACK packet as the response to an earlier SYN packet. TCP ACK scanning requires root privileges on the attacker's side and works very well against stateless firewalls and IDS. As a penetration tester, you need to check the response of the firewall; there can be four types of response:
- Open port (only a few ports when a firewall is present)
- Closed port (most ports are closed because of the firewall)
- Filtered (the probe is blocked, so Nmap cannot tell whether the port is open)
- Unfiltered (the port is reachable, but Nmap still cannot tell whether it is open or closed)
These are the responses you can get during a penetration test. ACK scanning is slightly different from the other scan types because it was not designed to detect open ports; instead, it determines whether a port is filtered or unfiltered. Let's compare the two ACK scan results.
So now it is very easy to find out whether the target computer has a firewall enabled or not, because a simple ACK scan has a lower chance of detection on the victim's side but a high chance of revealing the firewall to the attacker. The SYN scan results for the same situations are as follows:
Note: In all three situations, the victim is a Windows computer.
- Firewall enabled
- Firewall enabled + all ports are closed
- Firewall disabled
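To make the "filtered" versus "unfiltered" behaviour concrete from the defender's side, here is an added example (not code from the article): a tiny model of how a stateless and a stateful filter answer a bare ACK probe, plus a detector that flags hosts sending bare ACKs to many ports in constructed connection records.

```python
"""Added example: why an ACK probe maps a stateless filter but not a stateful
one, and how a defender can spot an ACK sweep in connection records.
The firewall models are deliberate simplifications, not real firewall code."""
from collections import defaultdict

# Port-state labels as Nmap reports them for an ACK scan.
UNFILTERED, FILTERED = "unfiltered", "filtered"


def stateless_firewall_reply(allowed_ports, probe_port):
    """A stateless filter judges each packet alone: an ACK to an allowed port
    reaches the host, which answers RST ('unfiltered'); a blocked port is
    silently dropped ('filtered'). The allow-list therefore leaks."""
    return UNFILTERED if probe_port in allowed_ports else FILTERED


def stateful_firewall_reply(conn_table, probe_src, probe_port):
    """A stateful filter drops any ACK that belongs to no tracked connection,
    so every unsolicited probe looks 'filtered' whatever the port."""
    return UNFILTERED if (probe_src, probe_port) in conn_table else FILTERED


def ack_scan_sources(records, threshold=5):
    """Flag sources that send bare ACKs (ACK flag, no established flow) to at
    least `threshold` distinct ports. `records` are dicts like SAMPLE below."""
    bare_acks = defaultdict(set)
    for r in records:
        if r["flags"] == "A" and not r["established"]:
            bare_acks[r["src"]].add(r["dport"])
    return {src: sorted(ports) for src, ports in bare_acks.items()
            if len(ports) >= threshold}


# Constructed sample: one normal client, one host sweeping ports with bare ACKs.
SAMPLE = [{"src": "10.0.0.5", "dport": 443, "flags": "S", "established": False},
          {"src": "10.0.0.5", "dport": 443, "flags": "A", "established": True}]
SAMPLE += [{"src": "10.0.0.9", "dport": p, "flags": "A", "established": False}
           for p in (21, 22, 25, 80, 135, 139, 443, 445)]

if __name__ == "__main__":
    print(stateless_firewall_reply({80, 443}, 80), stateless_firewall_reply({80, 443}, 22))
    print(stateful_firewall_reply(set(), "10.0.0.9", 80))
    print(ack_scan_sources(SAMPLE))
```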
TCP Window scan (-sW)
Very similar to ACK scanning with a small difference, TCP window scanning was designed to distinguish between open and closed ports instead of showing unfiltered ones. It also requires root permission to run. Let’s look at the different TCP window scan responses.
Nmap timing option
The timing options are a very important and interesting feature of Nmap, because sometimes you need to insert a delay between requests. There are many reasons for this, but the most important one is stress on the network: sometimes the victim's computer, or even the network, cannot handle a large burst of requests. As a penetration tester using Nmap, you need to make sure your scan is not mistaken for a Denial of Service (DoS) attack, so the timing of requests and responses is an important aspect of scanning. Nmap has many features and parameters that help with timing a scan against a target. The fragmentation technique (-f) discussed earlier is also useful for splitting a request into multiple segments. Other important parameters are described below:
Scan delay option (--scan-delay)
This is the best parameter for controlling the delay between each and every request. Since you control the time between probes, make sure you give an integer value and remember to specify the time unit:
- ms (milliseconds), e.g. 5ms
- s (seconds), e.g. 5s
- m (minutes), e.g. 5m
- h (hours), e.g. 5h
Host timeout option (--host-timeout)
Sometimes a host takes too long to respond, and if you scan the entire network, it is very difficult to wait for a single host. There can be many reasons behind the slow response, such as network connection and firewall, so if you don’t want to waste time, you can set a timeout.
Nmap scripting is one of the best features that Nmap has. Nmap scripts are very useful for the penetration tester because they save a lot of time and effort. The Nmap Scripting Engine had more than 400 scripts at the time of writing, and you can create your own script; anyone can write a script and submit it to the scripting engine to help the community of penetration testers.
Nmap scripts can perform so many different functions from vulnerability scanning to exploitation and from malware detection to brute forcing. In this section I will discuss some of the best Nmap scripts and their usage:
This is one of the important scripts; it checks the target for the following vulnerabilities:
- MS08-067 Windows vulnerability that can be exploited
- Conficker malware on the target machine
- Denial of service vulnerability of Windows 2000
- MS06-025 Windows vulnerability
- MS07-029 Windows vulnerability
If you want to enumerate directories on a web server, this is the best Nmap script for that purpose. Combined with -sV, as below, the run also lists the open ports and the software with its version for each port.
# nmap -sV --script=http-enum 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
|   /login.php: Possible admin folder
|   /login/: Login page
|   /login.php: Login page
|_  /logs/: Logs
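The normal-output format shown above is easy to post-process for triage. The following is an added example, not code from the article: a parser for Nmap's normal output (host line, port table, indented script findings) that picks out paths a defender should review first, run over a constructed copy of the http-enum output above.

```python
"""Added example: parse Nmap normal output (as produced by -sV --script=http-enum)
into structured findings and list paths worth reviewing. SAMPLE_OUTPUT is a
constructed copy of the article's output, not live scan data."""
import re

# "80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# "|   /login.php: Possible admin folder" or "|_  /logs/: Logs"
FINDING_RE = re.compile(r"^\|[_ ]\s*(/\S*):\s*(.*)$")


def parse_nmap_output(text):
    """Return {'host': str, 'ports': [{port, proto, state, service, version, findings}]}."""
    report = {"host": None, "ports": []}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (.+)$", line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5) or "", "findings": []}
            report["ports"].append(current)
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:  # script output belongs to the last port seen
            current["findings"].append((m.group(1), m.group(2)))
    return report


def sensitive_paths(report):
    """Paths a defender should review first: login pages, admin areas, exposed logs."""
    return sorted({path for p in report["ports"] for path, note in p["findings"]
                   if re.search(r"login|logs|admin", path + note, re.I)})


SAMPLE_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
|   /login.php: Possible admin folder
|   /login/: Login page
|   /login.php: Login page
|_  /logs/: Logs
"""

if __name__ == "__main__":
    print(sensitive_paths(parse_nmap_output(SAMPLE_OUTPUT)))
```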
This script checks the target computer for the CVE-2012-1182 Samba heap overflow vulnerability:
nmap --script=samba-vuln-cve-2012-1182 -p 139 target
nmap --script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3
Many organizations run their SMTP server on a non-standard port for security reasons. smtp-strangeport is a script that reports whether SMTP is running on a standard port or not:
nmap -sV --script=smtp-strangeport target
As the name suggests, this script was created to get the PHP version from a web server. The software version is very important for a penetration tester to find the relevant vulnerability, so this script is very useful for web application penetration testing.
nmap -sV --script=http-php-version target
The Nmap Scripting Engine contains so many scripts that you may find several for a specific piece of software or platform. For example, if you want to perform a penetration test on a site based on WordPress, you can use the WordPress-specific Nmap scripts for this purpose.
This is the best script to find blacklisted IP addresses in my opinion. All you have to do is enter the IP address and the script will check it for DNS antispam and proxy blacklist.
This article is an attempt to cover the most important aspects of Nmap from beginner to advanced so that anyone can learn them, even without prior knowledge. This is not the end, because Nmap has many more features and you can do many things with it. I recommend you practice with it every day, because practice makes perfect.