🛡️ Methodology Checklist
- Identify firewall-filtered ports in the initial scan (filtered = the probe was dropped and nothing came back)
- Fragment packets:
  nmap -f [TARGET]
- Specify source port:
  nmap --source-port 53 [TARGET]
- Decoy scan:
  nmap -D RND:5 [TARGET]
- Spoof source IP (needs the outgoing interface and no host discovery):
  nmap -S [SPOOFED_IP] -e [IFACE] -Pn [TARGET]
- Slow scan timing:
  nmap -T0 [TARGET]
- Scan from a VPN or proxy if your source IP is blocked
- Manual banner grab on filtered ports (Ncat syntax; OpenBSD/traditional nc takes the source port as -p 53):
  ncat -nv --source-port 53 [TARGET] [PORT]
🎯 Operational Context
Think Dumber First: change the source port to 53 or 88 before any complex evasion. Most lab firewalls permit DNS and Kerberos traffic, so a source-port ACL lets these probes through immediately. Only escalate to fragmentation or decoys if the source-port trick fails: every extra evasion layer adds noise and can distort scan results.
When you land here: the initial scan shows ports as filtered that should be reachable. Test: nmap -Pn -n --source-port 53 -p [FILTERED_PORT] [TARGET]. If that works, run the remaining raw-packet scans (-sS, -sU) from source port 53. For IDS evasion, combine -f fragmentation with -D decoys only when absolutely necessary.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap [TARGET_IP] -p [PORT] -sA -Pn -n --disable-arp-ping --packet-trace | ACK scan: unfiltered vs filtered tells you whether a stateless ACL or a stateful firewall sits in front of the port; --packet-trace shows the raw replies |
| sudo nmap [TARGET_IP] -p 80 -sS -Pn -n -D RND:5 | Decoy scan: 5 random spoofed source IPs are mixed in with your real one to complicate attribution |
| sudo nmap [TARGET_IP] -n -Pn -p [PORT] -O -S [SPOOFED_IP] -e tun0 | Spoof the source IP to impersonate a trusted host; replies go to the spoofed address, so results are only usable if you can observe that traffic |
| ncat -nv --source-port 53 [TARGET_IP] [PORT] | Connect from source port 53 to look like DNS traffic and pass a source-port-based ACL |
🔬 Deep Dive & Workflow
Firewalls
Security systems that monitor and control network traffic according to a rule set.
- Pass / Drop / Reject (block): a dropped packet produces no response at all, so Nmap reports the port as filtered; a rejected packet gets a TCP RST (Nmap reports closed) or an ICMP error such as destination unreachable (Nmap reports filtered).
IDS vs IPS
- IDS (Intrusion Detection System): passive; matches traffic against attack signatures and alerts the admin.
- IPS (Intrusion Prevention System): active; blocks the connection when an attack pattern is matched.
Evasion Techniques
1. ACK Scan (-sA)
Sends TCP packets with only the ACK flag set, as if they belonged to an established connection. A stateless packet filter usually lets them through because it cannot tell a bare ACK from established traffic, and the host answers any unsolicited ACK with a RST whether the port is open or closed, so Nmap reports the port as unfiltered. A stateful firewall drops ACKs that match no tracked connection, so the port shows as filtered. The scan therefore maps filtering rules, not open ports: compare it with a SYN scan of the same ports.
2. Decoys (-D)
Nmap sends the probes from your real IP and from several spoofed IPs at the same time. The target sees a flood from different sources, which makes attribution harder. Your real address is inserted into the list at a random position unless you place it explicitly with ME. Decoy hosts should be alive, otherwise you risk SYN-flooding the target and triggering flood alerts.
3. IP Spoofing (-S)
Manually sets the Source IP header to impersonate a trusted address. You will not receive the response (it goes to the spoofed IP) unless you control that segment or infer results indirectly.
4. Source Port Manipulation (--source-port)
Forces Nmap to send from a given source port (e.g. 53/DNS, 88/Kerberos). Admins often permit traffic from these ports for service continuity without checking connection state, so a stateless ACL lets the probes through. Nmap honors the option for raw-packet scans such as -sS and -sU; OS-detection probes and DNS lookups ignore it, so use -n and leave -O off while testing whether the bypass works.
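The Methodology Checklist and the ACK-scan / source-port notes above describe one workflow: find the filtered ports, compare SYN and ACK results to tell a stateless ACL from a stateful firewall, then re-test the ACL-looking ports from source port 53. The script below is an added example (not from the original notes and not Nmap's own code) that automates that comparison over grepable (-oG) output. Both scan results are constructed inline for a placeholder host 10.129.2.28; the function names, the verdict labels and the -oG field layout (tab-separated fields, a "Ports:" field of "port/state/proto/..." entries joined by ", ") are my assumptions about the format.

```shell
#!/bin/sh
# Constructed nmap grepable (-oG) output for one host: a SYN scan (-sS) and an
# ACK scan (-sA) of the same five ports. Not captured from any real target.
SYN_OG=$(printf 'Host: 10.129.2.28 ()\tStatus: Up\nHost: 10.129.2.28 ()\tPorts: 21/filtered/tcp//ftp///, 22/open/tcp//ssh///, 80/filtered/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)\n')
ACK_OG=$(printf 'Host: 10.129.2.28 ()\tStatus: Up\nHost: 10.129.2.28 ()\tPorts: 21/unfiltered/tcp//ftp///, 22/unfiltered/tcp//ssh///, 80/unfiltered/tcp//http///, 443/unfiltered/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: unfiltered (995)\n')

# port_states: read -oG output on stdin, print "port state" for every listed
# port. -oG separates fields with tabs; the Ports field holds
# "port/state/proto/..." entries joined by ", ".
port_states() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if (sub(/^Ports: /, "", $i)) {
          n = split($i, entries, ", ")
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")
            print f[1], f[2]
          }
        }
      }
    }'
}

# ports_in_state <state>: port numbers in that state, from -oG output on stdin.
ports_in_state() {
  port_states | awk -v want="$1" '$2 == want { print $1 }'
}

# classify <syn_state> <ack_state>: what the pair of results says about the
# filter in front of a port.
#   SYN filtered + ACK unfiltered: the SYN was dropped but a bare ACK got a RST
#     back; a stateless ACL passes ACKs it cannot tell from established traffic,
#     so source-port tricks are worth trying.
#   SYN filtered + ACK filtered: both dropped; a stateful firewall (or a
#     drop-all rule) tracks connections and source-port games will not help.
classify() {
  case "$1/$2" in
    filtered/unfiltered) echo "stateless-acl" ;;
    filtered/filtered)   echo "stateful-or-dropall" ;;
    open/unfiltered)     echo "open" ;;
    closed/unfiltered)   echo "closed" ;;
    *)                   echo "inconclusive" ;;
  esac
}

# compare_scans: join the SYN and ACK results port by port and print
# "port syn_state ack_state verdict".
compare_scans() {
  syn=$(printf '%s\n' "$SYN_OG" | port_states)
  printf '%s\n' "$ACK_OG" | port_states | while read -r port ack; do
    synstate=$(printf '%s\n' "$syn" | awk -v p="$port" '$1 == p { print $2 }')
    printf '%s %s %s %s\n' "$port" "${synstate:-unknown}" "$ack" \
      "$(classify "${synstate:-unknown}" "$ack")"
  done
}

# acl_candidates: ports whose SYN is dropped while a bare ACK is answered,
# i.e. the ones to re-test from source port 53.
acl_candidates() {
  compare_scans | awk '$4 == "stateless-acl" { print $1 }'
}

# retest_command <target> <port>...: the follow-up SYN scan from source port 53
# (a raw-packet scan, so Nmap honors --source-port; -n avoids DNS lookups,
# which would not).
retest_command() {
  target="$1"; shift
  ports=$(printf '%s,' "$@")
  printf 'sudo nmap -Pn -n -sS --source-port 53 -p %s %s\n' "${ports%,}" "$target"
}

echo "port syn ack verdict"
compare_scans
candidates=$(acl_candidates | tr '\n' ' ')
if [ -n "$candidates" ]; then
  # unquoted on purpose: each port becomes its own argument
  retest_command 10.129.2.28 $candidates
fi
```

On the constructed data, ports 21 and 80 come out as stateless-acl (SYN dropped, bare ACK answered) and 8080 as stateful-or-dropall, so only 21 and 80 get the source-port-53 re-test; against a real target, feed it the -oG files of a real -sS and -sA run with -Pn -n.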
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Decoy scan still reveals real source IP | Your real address has to be in the decoy set (Nmap inserts it at a random position unless you place it with ME) or no replies reach you; upstream routers with anti-spoofing filters may also drop the spoofed packets | Expected behavior: decoys add noise to logs but do not hide the real source; use them to confuse attribution and IDS correlation, not as anonymity |
| Fragmented packets do not reach target | Target or an intermediary firewall reassembles or drops fragments | Try --mtu 24 (24-byte fragments; the value must be a multiple of 8); note that some IDS treat fragmented scans as a signature in itself |
| Source port 53 bypass not working | The filter is stateful or inspects payloads (DPI) rather than matching on source port; or the scan type does not honor --source-port (OS-detection probes and DNS lookups ignore it) | Combine with a -sA ACK scan to tell stateful from stateless filtering; try source port 443 or 123 (NTP); scan with -n and without -O while testing |
| MAC address spoofing (--spoof-mac) has no effect | Ethernet addresses only matter on the local L2 segment | A spoofed MAC never crosses a router; useless for remote targets, relevant only for local LAN enumeration |
| -T0 paranoid timing scan never completes | -T0 serializes probes and waits 5 minutes between them, so a full port scan takes days | Use -T1 --max-retries 1 instead; -T0 is impractical for more than a handful of ports |
📋 Reporting Trigger
Finding Title: Insufficient Network Perimeter Filtering: Port Scan Traffic Undetected
Impact: An attacker can enumerate internal services and map network topology without triggering alerts. Evasion techniques (fragmentation, source-port selection) bypass ACL-only firewalls.
Root Cause: Firewall rules match on source port only (no stateful inspection). No IDS/IPS port-scan detection or connection-rate limiting is configured.
Recommendation: Implement stateful packet inspection. Deploy IDS/IPS with port-scan detection signatures. Rate-limit new connections per source. Alert on floods of fragmented packets. Filter known reconnaissance-tool signatures at the perimeter.
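The recommendation above calls for port-scan detection that does not trust the source port. As an added example (not from the original notes or any vendor product), the script below implements that check over netfilter-style LOG lines: it flags any source that sends TCP SYNs from source port 53 or 88 to several distinct destination ports, which is what a --source-port 53 scan looks like from the defender's side. The log lines are constructed in the iptables LOG format (SRC=, SPT=, DPT=, PROTO= fields and a bare SYN flag); the threshold of 4 distinct ports and the function name are my assumptions.

```shell
#!/bin/sh
# Constructed netfilter LOG lines in iptables format. Not taken from any real
# system. 10.10.14.5 is the scanner, the rest is ordinary traffic.
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=443 WINDOW=1024 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.10.14.5 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=10.129.2.10 DST=10.129.2.28 PROTO=TCP SPT=53 DPT=53 WINDOW=29200 SYN URGP=0
Jan 10 12:00:06 fw kernel: IN=eth0 OUT= SRC=10.129.2.11 DST=10.129.2.28 PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 SYN URGP=0
Jan 10 12:00:07 fw kernel: IN=eth0 OUT= SRC=10.129.2.12 DST=10.129.2.28 PROTO=UDP SPT=53 DPT=41234 LEN=80'

# suspicious_sources [threshold]: read log lines on stdin and print
# "source count" for every source that sent TCP SYNs from source port 53 or 88
# to at least <threshold> distinct destination ports other than its own.
# Genuine DNS/Kerberos replies are never SYNs, and a real client does not fan
# out from one fixed low port across many destination ports.
suspicious_sources() {
  threshold="${1:-4}"
  awk -v thr="$threshold" '
    / PROTO=TCP / && / SYN / {
      src = ""; spt = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "SPT") spt = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      # count each (source, destination port) pair once
      if ((spt == "53" || spt == "88") && dpt != spt && !seen[src, dpt]++)
        count[src]++
    }
    END { for (s in count) if (count[s] >= thr) print s, count[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | suspicious_sources 4
```

On the sample, only 10.10.14.5 is reported (five distinct destination ports from source port 53); the real DNS zone-transfer-style connection from 10.129.2.10 (53 to 53), the normal client on an ephemeral port and the UDP line are ignored. The same logic fits an IDS threshold rule, where the source-port condition is what distinguishes this from generic port-scan detection.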