Ghoul's Den (Ghoulsec-Vault)

FW / IDS / IPS Evasion

1. -f (Fragment packets); --mtu <val> (Use specified MTU)

Splits the probe packets into small IP fragments so that a packet filter or IDS that does not reassemble fragments cannot see the full TCP/UDP header. -f uses 8-byte fragments (and -ff 16-byte ones); --mtu lets you pick the fragment size, which must be a multiple of eight. Fragmentation only applies to raw-packet scans such as the default SYN scan, not to connect scans (-sT), which go through the operating system's TCP stack.

  • Example 1 (Fragment packets):

    nmap -f 192.168.1.1

    This sends tiny fragmented IP packets.

  • Example 2 (Use specific MTU):

    nmap --mtu 1280 192.168.1.1

    This sends fragmented packets with a custom MTU value of 1280 bytes.

2. -D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)

Sends the same probes from several decoy IP addresses alongside your real one so that detection systems see many apparent sources. ME stands for your own address and RND for a randomly generated one.

  • Example (Use decoys):

    nmap -D RND,ME,192.168.1.2,192.168.1.3 192.168.1.1

    This makes the probes against the target 192.168.1.1 appear to come from your own address (ME), from 192.168.1.2 and 192.168.1.3, and from a randomly generated address (RND).

3. -S <IP_Address> (Spoof source address)

Spoofs the source IP address to make the scan appear as if it's coming from a different IP.

  • Example:

    nmap -S 10.0.0.100 192.168.1.1

    This spoofs the source address to 10.0.0.100.

4. -e <iface> (Use specified interface)

Specifies the network interface to use for scanning.

  • Example:

    nmap -e eth0 192.168.1.1

    This tells Nmap to use the eth0 interface for scanning.

5. --source-port <portnum>; -g <portnum> (Spoof source port number)

Sets a fixed source port so that the probes match firewall rules that blindly trust traffic from certain ports, such as 53 (DNS) or 20 (FTP data).

  • Example:

    nmap -g 53 192.168.1.1

    This sends packets with a source port of 53 (DNS).

6. --data <hex string> (Append custom binary data to sent packets)

Appends custom binary data to packets.

  • Example:

    nmap --data 0xdeadbeef 192.168.1.1

    This sends packets with 0xdeadbeef as the custom payload.

7. --data-string <string> (Append custom string to sent packets)

Appends a custom string as the packet's payload.

  • Example:

    nmap --data-string "Scan by admin" 192.168.1.1

    This appends the string "Scan by admin" to the sent packets.

8. --data-length <num> (Append random data to sent packets)

Appends random data of the specified length to packets.

  • Example:

    nmap --data-length 100 192.168.1.1

    This adds 100 random bytes to the packets.

9. --ip-options <R|S [route]|L [route]|T|U ... > (Send packets with specified IP options)

Sends packets with specified IP options like source routing or timestamping.

  • Example (Loose source routing):

    nmap --ip-options "L 10.0.0.1 10.0.0.2" 192.168.1.1

    This sends packets with loose source routing through 10.0.0.1 and 10.0.0.2. The option value is one quoted argument with the route hops separated by spaces.

10. --ttl <val> (Set IP time-to-live field)

Sets the TTL (Time-to-Live) value in the IP header of packets.

  • Example:

    nmap --ttl 128 192.168.1.1

    This sets the TTL to 128.

11. --randomize-hosts (Randomize target host order)

Randomizes the order in which Nmap scans the target hosts, so that a monitoring system does not see a neat sequential sweep through the address range.

  • Example:

    nmap --randomize-hosts 192.168.1.0/24

    This randomizes the scanning order for the hosts in the 192.168.1.0/24 subnet.

12. --spoof-mac <MAC address, prefix, or vendor name> (Spoof MAC address)

Spoofs the MAC address used in the scan's Ethernet frames.

  • Example:

    nmap --spoof-mac Cisco 192.168.1.1

    This uses a spoofed Cisco MAC address for the scan.

13. --proxies <url1>[,<url2>][,...] (Relay TCP connections through a chain of proxies)

Relays the scan's TCP connections through one or more HTTP or SOCKS4 proxies. This only covers the connections made by version detection and NSE scripts; host discovery, port scanning and OS detection are not proxied.

  • Example:

    nmap --proxies http://proxy1.example.com:8080,http://proxy2.example.com:8080 192.168.1.1

    This relays the scan through the two HTTP proxies.

14. --badsum (Send packets with bogus TCP/UDP checksums)

Sends packets with invalid TCP, UDP or SCTP checksums. A real host's TCP/IP stack drops such packets, so any reply reveals a firewall or IDS that answers on the host's behalf without verifying checksums.

  • Example:

    nmap --badsum 192.168.1.1

    This sends packets with invalid checksums.

15. --adler32 (Use deprecated Adler32 for SCTP checksums)

Uses the Adler32 checksum for SCTP packets (for legacy systems).

  • Example:

    nmap --adler32 192.168.1.1

    This forces the use of Adler32 checksums for SCTP packets.
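As an added example that is not from this page or the Ghoulsec-Vault project, the following Python script shows what several of the options above look like from the defender's side. It builds IPv4/TCP SYN packets in memory and flags the signatures an IDS would key on: a first fragment too short to hold a TCP header (-f), a bogus TCP checksum (--badsum), a SYN from a trusted source port (-g 53) and a SYN carrying a payload (--data, --data-string, --data-length). The packets, addresses, signature names and the list of "trusted" ports are assumptions made for the example; it runs offline and needs no capture interface.

```python
"""Flag common Nmap firewall/IDS evasion signatures in raw IPv4/TCP packets.

Added example: the packets below are constructed in memory, and the signature
names and the trusted-port list are assumptions for illustration.
"""
import socket
import struct

# Ports that firewall rules sometimes trust blindly (assumed list; -g/--source-port abuse).
TRUSTED_SOURCE_PORTS = {20, 53, 67, 88}


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_packet(src, dst, sport, dport, *, payload=b"", ttl=64,
                 bad_tcp_sum=False, first_fragment_only=False):
    """Build an IPv4 datagram carrying a TCP SYN (constructed sample input).

    bad_tcp_sum mimics --badsum; first_fragment_only mimics the 8-byte first
    fragment that -f produces (MF flag set, transport header cut short).
    """
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # TCP header with the checksum field (offset 16) zeroed; flags byte 0x02 = SYN.
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0))
    tcp += payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    csum = checksum(pseudo + bytes(tcp))
    if bad_tcp_sum:
        csum ^= 0x5555  # deliberately corrupt the checksum
    tcp[16:18] = struct.pack("!H", csum)
    segment = bytes(tcp)
    frag_field = 0
    if first_fragment_only:
        segment = segment[:8]   # only 8 bytes of transport data in this fragment
        frag_field = 0x2000     # More Fragments bit set, fragment offset 0
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                               0x1234, frag_field, ttl, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))  # fill header checksum (offset 10)
    return bytes(ip) + segment


def inspect_packet(pkt: bytes) -> list:
    """Return the evasion signatures seen in one IPv4 datagram (empty list = clean)."""
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag_field = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    more_fragments = bool(frag_field & 0x2000)
    frag_offset = (frag_field & 0x1FFF) * 8
    # IPv4 header checksum: zero the field and recompute.
    if checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]) != struct.unpack("!H", pkt[10:12])[0]:
        findings.append("bad-ip-checksum")
    segment = pkt[ihl:total_len]
    if more_fragments or frag_offset:
        # -f splits the TCP header itself across fragments; a first fragment too short
        # to hold a full TCP header is the classic signature. The transport checks
        # below need reassembly, so stop here.
        if frag_offset == 0 and len(segment) < 20:
            findings.append("tiny-first-fragment")
        return findings
    if proto != 6 or len(segment) < 20:
        return findings
    sport, _dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    # TCP checksum over pseudo-header + segment with the checksum field zeroed.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    expected = checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])
    if struct.unpack("!H", segment[16:18])[0] != expected:
        findings.append("bad-tcp-checksum")          # --badsum
    if flags == 0x02 and len(segment) > data_offset:
        findings.append("syn-with-payload")          # --data / --data-string / --data-length
    if flags == 0x02 and sport in TRUSTED_SOURCE_PORTS:
        findings.append("privileged-source-port")    # -g / --source-port
    return findings


if __name__ == "__main__":
    # Constructed samples: one clean SYN and one per evasion option.
    samples = {
        "clean SYN": build_packet("10.0.0.5", "192.168.1.1", 40000, 80),
        "--badsum": build_packet("10.0.0.5", "192.168.1.1", 40000, 80, bad_tcp_sum=True),
        "-f": build_packet("10.0.0.5", "192.168.1.1", 40000, 80, first_fragment_only=True),
        "-g 53": build_packet("10.0.0.5", "192.168.1.1", 53, 80),
        "--data-string": build_packet("10.0.0.5", "192.168.1.1", 40000, 80, payload=b"Scan by admin"),
    }
    for name, pkt in samples.items():
        print(f"{name:15s} -> {inspect_packet(pkt) or ['none']}")
```

Running the file prints the findings for each constructed packet. Real traffic would be fed to inspect_packet() one IPv4 datagram at a time, for example from a pcap reader. The transport-layer checks are deliberately skipped on fragments, which is exactly why a monitoring system needs IP reassembly to see through -f; and a bad TCP checksum on a packet the target nevertheless answers points at a middlebox responding on the host's behalf.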


Last updated 3 months ago