# FW / IDS / IPS Evasion

#### 1. **-f (Fragment packets); --mtu (Using specified MTU)**

Splits the probe packets into smaller IP fragments so that packet filters or intrusion detection systems that do not reassemble fragments miss the full TCP header.

* **Example 1** (Fragment packets):

  ```bash
  nmap -f 192.168.1.1
  ```

  This splits each probe into tiny IP fragments of 8 bytes or less after the IP header.
* **Example 2** (Use specific MTU):

  ```bash
  nmap --mtu 1280 192.168.1.1
  ```

  This fragments packets using a custom MTU value of 1280 bytes. The value must be a multiple of 8.
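
How a filter or sensor can recognise the fragments that `-f` produces, as an added example that is not part of the original page: it applies the RFC 1858 tiny-fragment checks to raw IPv4 headers. The function names and the sample packets are constructed for illustration.

```python
import struct

MIN_TCP_HEADER = 20  # bytes; the TCP flags sit at offset 13 of this header

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet using the RFC 1858 tiny-fragment checks."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8       # the field counts 8-byte units
    payload_len = total_len - ihl
    if offset == 0 and not more_fragments:
        return "unfragmented"
    if proto == 6 and offset == 0 and payload_len < MIN_TCP_HEADER:
        return "tiny-first-fragment"         # ports and flags are split apart
    if proto == 6 and 0 < offset < MIN_TCP_HEADER:
        return "inside-tcp-header"           # fragment lands inside the TCP header
    return "fragment"

def sample(payload_len: int, offset: int = 0, mf: bool = False) -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses, checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + bytes(payload_len)

def classify_all(packets):
    return [classify(p) for p in packets]

# Constructed input: a 24-byte SYN sent whole, cut into 8-byte pieces,
# and a large packet cut at 1280 bytes.
SAMPLES = [sample(24), sample(8, 0, True), sample(8, 8, True), sample(8, 16),
           sample(1280, 0, True), sample(100, 1280)]

if __name__ == "__main__":
    for verdict in classify_all(SAMPLES):
        print(verdict)
```

Only the 8-byte pieces trip the checks; fragments cut at 1280 bytes keep the whole TCP header in the first fragment and look like ordinary fragmentation.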

#### 2. **-D \<decoy1>\[,\<decoy2>]\[,ME]\[,...] (Cloak a scan with decoys)**

Cloaks your scan using decoy IP addresses to confuse detection systems.

* **Example** (Use decoys):

  ```bash
  nmap -D RND,ME,192.168.1.2,192.168.1.3 192.168.1.1
  ```

  This makes it appear as though the scan is coming from your own address (`ME`), `192.168.1.2`, `192.168.1.3`, and a randomly generated IP, all targeting `192.168.1.1`.

#### 3. **-S \<IP\_Address> (Spoof source address)**

Spoofs the source IP address to make the scan appear as if it's coming from a different IP.

* **Example**:

  ```bash
  nmap -S 10.0.0.100 192.168.1.1
  ```

  This spoofs the source address to `10.0.0.100`. Replies from the target go to that address, not to the scanning host.

#### 4. **-e (Use specified interface)**

Specifies the network interface to use for scanning.

* **Example**:

  ```bash
  nmap -e eth0 192.168.1.1
  ```

  This tells Nmap to use the `eth0` interface for scanning.

#### 5. **--source-port \<portnumber>; -g \<portnumber> (Spoof source port number)**

Spoofs the source port to exploit misconfigurations in firewalls that trust certain ports.

* **Example**:

  ```bash
  nmap -g 53 192.168.1.1
  ```

  This sends packets with a source port of 53 (DNS).
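
The misconfiguration this option relies on, beside its correction, as an added example that is not part of the original page: a stateless rule that trusts source port 53 is compared with a filter that only accepts replies to queries it saw leave the network. The class and function names and all addresses are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """Weak rule: anything arriving from source port 53 is assumed to be a DNS reply."""
    return pkt.sport == 53

class StatefulFilter:
    """Corrected rule: an inbound packet must answer a query this network sent."""

    def __init__(self) -> None:
        self.pending = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.proto == "udp" and pkt.dport == 53:
            # Remember the reply we expect: addresses and ports swapped.
            self.pending.add(Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_allow(self, pkt: Packet) -> bool:
        return pkt in self.pending

def compare(inbound):
    """Return (stateless verdict, stateful verdict) for each inbound packet."""
    fw = StatefulFilter()
    # The protected host sends one real DNS query before the inbound traffic arrives.
    fw.outbound(Packet("udp", "192.168.1.1", 40000, "198.51.100.53", 53))
    return [(stateless_allow(p), fw.inbound_allow(p)) for p in inbound]

# Constructed inbound traffic.
INBOUND = [
    Packet("udp", "198.51.100.53", 53, "192.168.1.1", 40000),  # genuine DNS reply
    Packet("tcp", "203.0.113.7", 53, "192.168.1.1", 22),       # probe with source port 53
    Packet("udp", "203.0.113.7", 53, "192.168.1.1", 161),      # unsolicited UDP from port 53
]

if __name__ == "__main__":
    for pkt, verdicts in zip(INBOUND, compare(INBOUND)):
        print(pkt, verdicts)
```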

#### 6. **--data (Append custom binary data to sent packets)**

Appends custom binary data to packets.

* **Example**:

  ```bash
  nmap --data 0xdeadbeef 192.168.1.1
  ```

  This sends packets with `0xdeadbeef` as the custom payload.

#### 7. **--data-string (Append custom string to sent packets)**

Appends a custom string as the packet's payload.

* **Example**:

  ```bash
  nmap --data-string "Scan by admin" 192.168.1.1
  ```

  This appends the string "Scan by admin" to the sent packets.

#### 8. **--data-length (Append random data to sent packets)**

Appends random data of the specified length to packets.

* **Example**:

  ```bash
  nmap --data-length 100 192.168.1.1
  ```

  This adds 100 random bytes to the packets.

#### 9. **--ip-options \<R|S \[route]|L \[route]|T|U ... > (Send packets with specified IP options)**

Sends packets with specified IP options like source routing or timestamping.

* **Example** (Loose source routing):

  ```bash
  # The option string must be quoted; route addresses are separated by spaces
  nmap --ip-options "L 10.0.0.1 10.0.0.2" 192.168.1.1
  ```

  This sends packets with loose source routing through `10.0.0.1` and `10.0.0.2`.
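
What these packets look like to a filter, as an added example that is not part of the original page: it walks the options area of an IPv4 header and flags loose or strict source routing. The function names and the sample headers are constructed; the route reuses the two addresses from the example above.

```python
OPTION_NAMES = {7: "record-route", 68: "timestamp",
                131: "loose-source-route", 137: "strict-source-route"}

def ip_options(packet: bytes):
    """Walk the options area of an IPv4 header; return [(name, [route addresses])]."""
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes (20 = no options)
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break                              # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                              # malformed length, stop parsing
        addrs = []
        if kind in (7, 131, 137):              # type, length, pointer, then 4-byte addresses
            data = opts[i + 3:i + length]
            addrs = [".".join(map(str, data[j:j + 4])) for j in range(0, len(data) - 3, 4)]
        found.append((OPTION_NAMES.get(kind, f"option-{kind}"), addrs))
        i += length
    return found

def should_drop(packet: bytes) -> bool:
    """Common hardening policy: refuse source-routed packets."""
    return any(name.endswith("source-route") for name, _ in ip_options(packet))

def sample(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left at 0) carrying the given options."""
    ihl_words = (20 + len(options)) // 4
    fixed = bytes([0x40 | ihl_words, 0, 0, 20 + len(options), 0, 1, 0, 0, 64, 6, 0, 0,
                   192, 0, 2, 10, 192, 168, 1, 1])
    return fixed + options

# Constructed samples: loose source route, timestamp option, no options.
LSRR = sample(bytes([131, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2, 0]))
TIMESTAMP = sample(bytes([68, 8, 5, 0, 0, 0, 0, 0]))
PLAIN = sample()

if __name__ == "__main__":
    for name, pkt in (("LSRR", LSRR), ("TIMESTAMP", TIMESTAMP), ("PLAIN", PLAIN)):
        print(name, ip_options(pkt), "drop" if should_drop(pkt) else "pass")
```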

#### 10. **--ttl (Set IP time-to-live field)**

Sets the TTL (Time-to-Live) value in the IP header of packets.

* **Example**:

  ```bash
  nmap --ttl 128 192.168.1.1
  ```

  This sets the TTL to 128.

#### 11. **--randomize-hosts (Randomize target host order)**

Randomizes the order in which Nmap scans hosts to evade detection.

* **Example**:

  ```bash
  nmap --randomize-hosts 192.168.1.0/24
  ```

  This randomizes the scanning order for the hosts in the `192.168.1.0/24` subnet.

#### 12. **--spoof-mac \<MAC address, prefix, or vendor name> (Spoof MAC address)**

Spoofs the MAC address used in the scan's Ethernet frames.

* **Example**:

  ```bash
  nmap --spoof-mac Cisco 192.168.1.1
  ```

  This uses a spoofed Cisco MAC address for the scan.

#### 13. **--proxies (Relay TCP connections through a chain of proxies)**

Scans through one or more proxies.

* **Example**:

  ```bash
  nmap --proxies http://proxy1.example.com:8080,http://proxy2.example.com:8080 192.168.1.1
  ```

  This relays the scan through the two HTTP proxies.

#### 14. **--badsum (Send packets with bogus TCP/UDP checksums)**

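Sends packets with invalid checksums to test firewalls or intrusion detection systems. Real hosts drop such packets, so any response comes from a firewall or IDS that did not verify the checksum.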

* **Example**:

  ```bash
  nmap --badsum 192.168.1.1
  ```

  This sends packets with invalid checksums.
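
The check a sensor has to make so that it treats these packets the way the end host does, as an added example that is not part of the original page: it verifies the TCP checksum over the pseudo-header and segment (RFC 1071 arithmetic). The function names, addresses and sample segments are constructed for illustration.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header for TCP (protocol 6) that the checksum also covers."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True when the segment verifies; a receiving TCP stack drops it otherwise."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def sample_syn(src: str, dst: str, corrupt: bool = False) -> bytes:
    """Constructed 20-byte TCP SYN; corrupt=True flips one checksum bit."""
    seg = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, len(seg)) + seg)
    if corrupt:
        csum ^= 0x0001
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def sensor_verdict(src: str, dst: str, segment: bytes) -> str:
    if tcp_checksum_ok(src, dst, segment):
        return "inspect"
    return "discard-and-log"    # the end host would drop it, so the sensor must too

# Constructed addresses for the sample segments.
SRC, DST = "203.0.113.7", "192.168.1.1"

if __name__ == "__main__":
    print(sensor_verdict(SRC, DST, sample_syn(SRC, DST)))
    print(sensor_verdict(SRC, DST, sample_syn(SRC, DST, corrupt=True)))
```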

#### 15. **--adler32 (Use deprecated Adler32 for SCTP checksums)**

Uses the deprecated Adler32 checksum instead of CRC32C for SCTP packets (for legacy systems). It only affects SCTP scans.

* **Example**:

  ```bash
  nmap --adler32 192.168.1.1
  ```

  This forces the use of Adler32 checksums for SCTP packets.

