Firewall evasion

Nmap

-f
Tells Nmap to fragment the IP packets it sends in order to bypass firewall filters that block or inspect only whole packets. With this switch enabled, Nmap sends IP packets smaller than the maximum allowable packet size, which makes it harder for simple packet filters to recognise the scanning activity.

-sI
Lets you perform a zombie (idle) scan using any of the live IPs you obtained during the host discovery phase. The probes are sent with the zombie's spoofed source address, so the target sees the scan as coming from that host instead of from you. In this example we pretend to be 10.10.1.22 while scanning 10.10.1.11 (nmap -sI 10.10.1.22 10.10.1.11).

-g
Lets you specify the source port from which to initiate the scan, for example -g 53. This is useful when a firewall rule is configured so that only traffic originating from a specific port (such as DNS replies from port 53) is allowed through.

-sT
Use this switch to evade the firewall and discover hidden networks (full TCP connect scan with -sT).
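The two evasion switches above, -f and -g, leave recognisable traces on the firewall side. The script below is an added example (not part of this cheat sheet and not Nmap's own code) that reads iptables LOG lines and flags the two patterns a defender would look for: fragmented IP packets (the MF flag or a FRAG:<offset> token, as produced by -f) and a bare TCP SYN arriving *from* a "trusted" service port such as 53 towards an unrelated destination port (the -g 53 trick). The log lines are constructed for the example and follow the kernel LOG target's KEY=VALUE layout; the set of trusted source ports is an assumption you would adapt to your own ruleset.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed iptables LOG lines for illustration (not captured from a real host).
# The KEY=VALUE fields and the MF / FRAG:<offset> / INCOMPLETE tokens follow the
# kernel LOG target's output format; non-first fragments carry no TCP ports.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=49 ID=1001 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=49 ID=1002 PROTO=TCP SPT=53 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=76 TTL=57 ID=7 PROTO=UDP SPT=53 DPT=51234 LEN=56
Jan 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=28 TTL=49 ID=1003 MF PROTO=TCP INCOMPLETE [8 bytes]
Jan 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=28 TTL=49 ID=1003 MF FRAG:1 PROTO=TCP
Jan 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=24 TTL=49 ID=1003 FRAG:2 PROTO=TCP
Jan 10 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=51515 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")   # KEY=VALUE pairs such as SRC=..., SPT=...
FRAG_RE = re.compile(r"FRAG:(\d+)")     # fragment offset of a non-first fragment
FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "MF", "DF"}  # bare tokens without '='

# Assumption for this example: source ports that legacy "allow replies from
# service X" rules trust blindly. A SYN *from* one of these ports to some other
# port is the signature of the -g/--source-port trick described above.
TRUSTED_SOURCE_PORTS = {20, 53}


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn one LOG line into a dict of KEY=VALUE fields plus the bare flag tokens."""
    rec = dict(FIELD_RE.findall(line))
    rec["_flags"] = set(line.split()) & FLAG_TOKENS
    m = FRAG_RE.search(line)
    rec["_frag_offset"] = int(m.group(1)) if m else 0
    return rec


def analyze(rec: dict) -> list:
    """Apply the two detections to one parsed record and return the findings."""
    findings = []
    src, dst, flags = rec.get("SRC", "?"), rec.get("DST", "?"), rec["_flags"]

    # -f leaves fragments: either the More-Fragments flag on the first piece or a
    # non-zero offset on the later pieces. Scans normally never fragment a SYN.
    if "MF" in flags or rec["_frag_offset"] > 0:
        detail = f"IP id {rec.get('ID')} offset {rec['_frag_offset']}"
        if "MF" in flags:
            detail += " (more fragments follow)"
        findings.append(Finding("fragmented", src, dst, detail))

    # -g 53: a new connection (SYN without ACK) whose *source* port is a trusted
    # service port. Real DNS replies are UDP or SYN/ACK, never a bare SYN.
    if (rec.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags
            and "SPT" in rec and "DPT" in rec):
        spt, dpt = int(rec["SPT"]), int(rec["DPT"])
        if spt in TRUSTED_SOURCE_PORTS and dpt != spt:
            findings.append(Finding("source-port-trust", src, dst,
                                    f"SYN from sport {spt} to dport {dpt}"))
    return findings


def scan_log(text: str) -> dict:
    """Group all findings across a log by rule name; lines without SRC= are skipped."""
    by_rule = defaultdict(list)
    for line in text.splitlines():
        if "SRC=" not in line:
            continue
        for finding in analyze(parse_line(line)):
            by_rule[finding.rule].append(finding)
    return dict(by_rule)


if __name__ == "__main__":
    for rule, hits in scan_log(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print(f"  {hit.src} -> {hit.dst}: {hit.detail}")
```

On the sample input the script reports three fragmented packets (all three pieces of IP id 1003) and two source-port-trust hits from 192.0.2.10; the UDP packet from port 53 and the ordinary SYN to 443 are not flagged. The fix on the firewall side is the same for both patterns: replace a rule of the form `iptables -A INPUT -p tcp --sport 53 -j ACCEPT` with a stateful one, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, so that only replies to connections the firewall has already seen are admitted, and keep connection tracking enabled, since the conntrack module reassembles fragments before the rules are evaluated and removes the benefit of -f.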
# Use this switch to evade the firewall and discover hidden networks (full TCP connect scan with -sT)
nmap -sT 192.168.0.0/24
# Bypass the firewall with the firewalk NSE script (needs --traceroute to learn the hop count)
sudo nmap --script=firewalk --traceroute 172.19.19.7
# Bypass the firewall with hping3: send 100 SYN probes, incrementing the destination port by one each time (-p ++1)
sudo hping3 -S 172.19.19.7 -c 100 -p ++1
# Send ACK probes to learn which ports are unfiltered by the firewall (the target is treated as up); follow up with an -sS scan of those ports
nmap -sA -Pn <target>
# Check the ARP table to retrieve some live hosts
arp -a
# Scan port 445 from source port 445, treat the host as alive and run the vuln scripts (quote the wildcard so the shell does not expand it)
nmap -p 445 -g 445 172.25.170.170 --script='*vuln*' -Pn
# SYN scan from a specific source port using the -g switch
nmap -sS -v -v -Pn 172.25.100.105 -g 445
# Use these host-discovery switches if you think you have missed a host:
# -Pn skips discovery entirely; -PE/-PP/-PM send ICMP echo/timestamp/netmask requests;
# -PS/-PA send TCP SYN/ACK probes; -PU sends UDP; -PY sends SCTP INIT; -PO sends raw IP protocol probes
nmap -Pn <target>
nmap -PE -PP -PM -PS -PA -PU -PY -PO <target>
# Window scan works like an ACK scan but uses an implementation detail of some systems to tell open ports from closed ones:
# it examines the TCP window value of the RST packets returned (positive window = open, zero = closed)
nmap -sW <target>
# Netcat from a specific source port (-p sets the local/source port)
nc -p SRC_PORT IP PORT
# The same idea with other tools: netcat's -p, Nmap's -g and Metasploit's CPORT option all set the source port of the scan
nmap -g SRC_PORT <target>