# FW / IDS / IPS Evasion

#### 1. **-f (Fragment packets); --mtu (Using specified MTU)**

Splits each probe into several IP fragments so that a stateless packet filter or IDS that does not reassemble fragments never sees a complete TCP/UDP header. `-f` uses fragments carrying 8 bytes after the IP header, `-ff` 16 bytes; `--mtu` lets you pick your own fragment size, which must be a multiple of 8 (don't combine it with `-f`). Only raw-packet scans are fragmented (SYN, UDP, NULL/FIN/Xmas, OS detection); connect scan, version detection and NSE go through the OS stack and are not. Some source kernels (Linux with connection tracking loaded) reassemble outgoing fragments, and a stateful firewall or the target's stack may reassemble them before inspection, so watch with a sniffer to confirm that fragments actually leave your host.

* **Example 1** (Fragment packets):

  ```bash
  nmap -f 192.168.1.1
  ```

  Each fragment carries 8 bytes of the transport header: a 20-byte TCP header goes out as three fragments of 8, 8 and 4 bytes.
* **Example 2** (Use specific MTU):

  ```bash
  nmap --mtu 24 192.168.1.1
  ```

  Each fragment carries 24 bytes after the IP header. The value must be a multiple of 8, and it is the fragment size, not the link MTU: a large value such as 1280 is bigger than any Nmap probe, so nothing is fragmented and the option has no evasion effect.
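
As an added illustration (not code from Nmap or from this page), the following POSIX shell snippet lays out the fragments a single probe becomes for the `-f`, `-ff` and `--mtu` settings above. It assumes IPv4 without IP options, Nmap's meaning of "MTU" (bytes carried after the IP header per fragment, a multiple of 8 because the fragment offset field counts 8-byte units), and a constructed 24-byte transport length standing in for a SYN probe with a 4-byte MSS option.

```bash
#!/bin/sh
# Added example, not Nmap code: how one probe is cut into IP fragments for a
# given -f / -ff / --mtu value. Assumptions: IPv4 with no IP options; the
# fragment size is the number of bytes after the 20-byte IP header, as Nmap
# defines --mtu; 24 bytes of transport data is a constructed probe length.

# frag_layout BYTES FRAGSIZE: one "offset8:len:mf" line per fragment, where
# offset8 is the IP fragment offset in 8-byte units and mf the More
# Fragments flag. Returns 1 when FRAGSIZE is not a positive multiple of 8.
frag_layout() {
    total=$1 size=$2
    [ "$size" -ge 8 ] && [ $((size % 8)) -eq 0 ] || return 1
    off=0
    while [ "$off" -lt "$total" ]; do
        rem=$((total - off))
        if [ "$rem" -gt "$size" ]; then len=$size; mf=1; else len=$rem; mf=0; fi
        printf '%d:%d:%d\n' $((off / 8)) "$len" "$mf"
        off=$((off + len))
    done
}

# frag_count BYTES FRAGSIZE: number of fragments on the wire (1 = not fragmented).
frag_count() {
    layout=$(frag_layout "$1" "$2") || return 1
    printf '%s\n' "$layout" | wc -l | tr -d ' '
}

# Demo: -f (8), -ff (16), --mtu 24 and the oversized --mtu 1280 for a 24-byte probe.
for size in 8 16 24 1280; do
    printf 'fragsize %4d -> %s fragment(s)\n' "$size" "$(frag_count 24 "$size")"
done
```

The last line of the demo is the point: with a fragment size of 1280 the whole probe fits in one fragment, so a filter sees an ordinary, fully formed SYN.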

#### 2. **-D \<decoy1>\[,\<decoy2>]\[,ME]\[,...] (Cloak a scan with decoys)**

Makes the scan appear to come from the listed decoy addresses as well as your own: every probe is sent once from each address, so the target's logs show several scanners and an observer cannot easily tell which is real. `ME` marks where your real address goes in the sequence; leave it out and Nmap puts you in a random position (placing `ME` sixth or later keeps your address out of the reports of some scan detectors). `RND` adds one random non-reserved address, `RND:5` adds five. Use decoys that are actually up, or you may SYN-flood the target and the single live host gives you away. Decoys have no effect on connect scan (`-sT`) or version detection, and providers that filter spoofed source addresses will drop the decoy packets.

* **Example** (Use decoys):

  ```bash
  nmap -D RND,ME,192.168.1.2,192.168.1.3 192.168.1.1
  ```

  The target `192.168.1.1` sees the scan coming from a random address, your real address (`ME`, second in the list), `192.168.1.2` and `192.168.1.3`.

#### 3. **-S \<IP\_Address> (Spoof source address)**

Sends probes with a forged source IP. Replies go to that address rather than to you, so Nmap produces no useful results unless you can sniff them elsewhere; the other use is to make the target blame someone else for the scan. Nmap cannot derive the sending interface from a spoofed address, so `-e <iface>` and `-Pn` are normally required as well. Raw-packet scans only.

* **Example**:

  ```bash
  nmap -S 10.0.0.100 192.168.1.1
  ```

  Probes carry source address `10.0.0.100`, so the target's replies are sent to that host, not to you. Add `-e` for the outgoing interface and `-Pn` to skip host discovery, which would otherwise wait for replies that never arrive.

#### 4. **-e \<interface> (Use specified interface)**

Tells Nmap which interface to send and receive on. Nmap normally picks one from the routing table; set it explicitly when that fails, or when `-S` spoofs a source address that the routing table cannot map to an interface.

* **Example**:

  ```bash
  nmap -e eth0 192.168.1.1
  ```

  This tells Nmap to use the `eth0` interface for scanning.

#### 5. **--source-port \<portnumber>; -g \<portnumber> (Spoof source port number)**

Sends probes from a fixed source port to exploit stateless firewall rules that trust traffic by its source port, for example a rule that allows anything from port 53 so DNS replies get in, or from 20 (FTP-data), 67 (DHCP) or 88 (Kerberos). `-g` and `--source-port` are the same option. Only raw-packet scans honour it: connect scan, version detection, NSE and Nmap's own DNS lookups use normal OS sockets and choose their own ports.

* **Example**:

  ```bash
  nmap -g 53 192.168.1.1
  ```

  Probes leave with source port 53, so a rule that blindly admits traffic from port 53 (intended for DNS replies) lets the scan through. The defender's fix is a stateful rule that accepts replies only for connections the inside started.

#### 6. **--data (Append custom binary data to sent packets)**

Appends the given bytes as payload to raw probes. Accepted forms are `0xdeadbeef`, `deadbeef` and `\xde\xad\xbe\xef`; no byte-order conversion is applied. Nmap's TCP probes normally carry no data at all, which is itself a signature, and a chosen payload can also be used to trigger or test a specific IDS rule. Raw-packet scans only.

* **Example**:

  ```bash
  nmap --data 0xdeadbeef 192.168.1.1
  ```

  This sends packets with `0xdeadbeef` as the custom payload.

#### 7. **--data-string (Append custom string to sent packets)**

Appends a plain string as the payload. Quote it for the shell; characters outside ASCII depend on your locale and may not look the same to the receiver.

* **Example**:

  ```bash
  nmap --data-string "Scan by admin" 192.168.1.1
  ```

  This appends the string "Scan by admin" to the sent packets.

#### 8. **--data-length \<number> (Append random data to sent packets)**

Appends the given number of random bytes to most probes and disables Nmap's default protocol-specific payloads (`--data-length 0` sends no payload at all). Without it a Nmap TCP probe is a bare 40-byte packet and an ICMP echo request 28 bytes, an easy IDS signature; padding makes probes look more like ordinary traffic. OS detection (`-O`) packets are never padded, because its accuracy depends on fixed probes.

* **Example**:

  ```bash
  nmap --data-length 100 192.168.1.1
  ```

  This appends 100 random bytes to each probe.

#### 9. **--ip-options \<R|S \[route]|L \[route]|T|U ... > (Send packets with specified IP options)**

Adds IP header options to probes. Shortcuts: `R` record route, `T` record timestamp, `U` both, `S route` strict source routing, `L route` loose source routing, where route is a space-separated list of addresses (quote the whole argument); or pass the raw option bytes as a hex string such as `\x01\x07\x04...`. Source routing can steer probes around a filter or expose a path where traceroute fails, but nearly all modern routers and hosts drop source-routed packets, and IDSs flag them. Use `--packet-trace` to see the options in sent and received packets.

* **Example** (Loose source routing):

  ```bash
  nmap --ip-options "L 10.0.0.1 10.0.0.2" 192.168.1.1
  ```

  This asks for the probes to pass through `10.0.0.1` and then `10.0.0.2` on the way to the target, with any number of other hops in between (strict routing, `S`, allows none). The hops are separated by spaces, so the argument must be quoted; left unquoted, only `L` reaches `--ip-options` and the addresses are read as a target specification.

#### 10. **--ttl (Set IP time-to-live field)**

Sets the IPv4 TTL (IPv6 hop limit) of outgoing probes instead of the OS default. Two uses: mimic another OS's default (Linux 64, Windows 128), which IDSs and passive fingerprinters use as a clue to the scanner's platform; or choose a value that expires at a particular hop, so an inline IDS sees a packet that the end host never receives (a classic insertion attack). Raw-packet scans only.

* **Example**:

  ```bash
  nmap --ttl 128 192.168.1.1
  ```

  Probes go out with TTL 128, the Windows default, rather than the host's own.

#### 11. **--randomize-hosts (Randomize target host order)**

Shuffles each group of up to 16384 target hosts before scanning them, so a monitoring system does not see a neat sequential sweep through a subnet. It is most effective combined with slow timing (`-T2` or lower); at default speed the burst is obvious regardless of order.

* **Example**:

  ```bash
  nmap --randomize-hosts 192.168.1.0/24
  ```

  The hosts in `192.168.1.0/24` are scanned in shuffled order instead of `.1`, `.2`, `.3`, and so on.

#### 12. **--spoof-mac \<MAC address, prefix, or vendor name> (Spoof MAC address)**

Sets the source MAC address of the raw Ethernet frames Nmap builds (it implies `--send-eth`). Accepted arguments: `0` for a completely random address, a full address such as `01:02:03:04:05:06`, a hex prefix such as `0020F2` with the remaining bytes randomised, or a vendor name looked up case-insensitively in `nmap-mac-prefixes`, whose OUI is used with random low bytes. The spoofed address is only visible on the local segment; routers rewrite the source MAC on every hop.

* **Example**:

  ```bash
  nmap --spoof-mac Cisco 192.168.1.1
  ```

  Frames carry a Cisco OUI (from `nmap-mac-prefixes`) with the lower three bytes chosen at random.

#### 13. **--proxies (Relay TCP connections through a chain of proxies)**

Relays TCP connections through a chain of HTTP or SOCKS4 proxies, given as comma-separated `proto://host:port` URLs. The feature is documented as still under development and only covers connections made through Nmap's nsock library, i.e. version detection (`-sV`) and NSE scripts; host discovery, the port scan itself and OS detection still go straight from your host, so the target sees your real address for those phases.

* **Example**:

  ```bash
  nmap --proxies http://proxy1.example.com:8080,http://proxy2.example.com:8080 192.168.1.1
  ```

  Only the version-detection and NSE connections go through the two HTTP proxies; the ping and port-scan packets for `192.168.1.1` are still sent directly.

#### 14. **--badsum (Send packets with bogus TCP/UDP checksums)**

Sends probes with a deliberately wrong TCP, UDP or SCTP checksum. Practically every host IP stack silently drops such packets, so any reply must come from something that did not verify the checksum, typically a firewall, IDS or other inline device answering on the target's behalf. Compare the results with a normal scan: ports that respond only to good checksums belong to the real host, ports that also answer `--badsum` probes are handled by a middlebox.

* **Example**:

  ```bash
  nmap --badsum 192.168.1.1
  ```

  Every probe goes out with a bad transport checksum; a real host never answers, so whatever comes back is from a device that skipped the check.
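
The check that `--badsum` defeats is the RFC 1071 Internet checksum, which every receiving stack recomputes before handing a segment to TCP or UDP. The snippet below is an added example (not Nmap code, not from this page) that computes and verifies it in POSIX shell. Two constructed inputs are used: the textbook IPv4 header `4500 0073 ... c0a8 00c7` whose checksum is `b861`, and a made-up UDP datagram from `192.168.1.2:53` to `192.168.1.1:161` with no data, checked the way a receiver does it, with the pseudo-header (source, destination, protocol 17, UDP length) prepended. SCTP is the one exception on this page: it uses CRC32C (or Adler32 with `--adler32`), not this sum.

```bash
#!/bin/sh
# Added example, not Nmap code: the RFC 1071 ones'-complement checksum a
# receiving stack recomputes on each packet, which --badsum deliberately
# breaks. Inputs are constructed: a known IPv4 header and a hand-built UDP
# datagram with its pseudo-header. SCTP uses CRC32C/Adler32 instead.

# inet_checksum WORD...: sum the 16-bit words (hex, no 0x prefix), fold the
# carries back into 16 bits, complement, and print as 4 hex digits.
inet_checksum() {
    sum=0
    for w in "$@"; do
        sum=$(( sum + 0x$w ))
    done
    while [ "$sum" -gt 65535 ]; do               # end-around carry
        sum=$(( (sum & 0xffff) + (sum >> 16) ))
    done
    printf '%04x\n' $(( (~sum) & 0xffff ))
}

# checksum_ok WORD...: true if the words, checksum field included, verify.
# With a correct checksum in place the complemented sum comes out as 0000.
checksum_ok() {
    [ "$(inet_checksum "$@")" = "0000" ]
}

# Constructed IPv4 header, 20 bytes; word 6 is the checksum field (b861).
IPV4_HDR='4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7'

# Constructed UDP datagram 192.168.1.2:53 -> 192.168.1.1:161, length 8, no data.
# The receiver prepends the pseudo-header before summing; the checksum field
# is zero while computing and carries the result on the wire.
UDP_PSEUDO='c0a8 0102 c0a8 0101 0011 0008'
UDP_HDR_ZEROSUM='0035 00a1 0008 0000'

# udp_checksum: the value a sender puts in the UDP checksum field.
udp_checksum() {
    inet_checksum $UDP_PSEUDO $UDP_HDR_ZEROSUM
}

# Demo: the good IPv4 header is accepted; the same header with one bit of the
# checksum flipped, which is what a --badsum probe looks like, is rejected.
badsum_demo() {
    bad=$(printf '%s' "$IPV4_HDR" | sed 's/b861/b860/')
    checksum_ok $IPV4_HDR && printf 'good checksum: accepted\n'
    checksum_ok $bad || printf 'bad checksum:  dropped by a real stack\n'
    printf 'udp checksum for the constructed datagram: %s\n' "$(udp_checksum)"
}

badsum_demo
```

A device that answers a `--badsum` probe is one that never ran the equivalent of `checksum_ok` on it, which is exactly the behaviour the scan is designed to expose.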

#### 15. **--adler32 (Use deprecated Adler32 for SCTP checksums)**

Computes SCTP checksums with the old Adler32 algorithm from RFC 2960 instead of the CRC32C that RFC 4960 made standard. Only meaningful with SCTP scans (`-sY` INIT scan, `-sZ` COOKIE ECHO scan) against legacy stacks that still expect Adler32; a current stack will drop the packets as corrupt.

* **Example**:

  ```bash
  nmap -sY --adler32 192.168.1.1
  ```

  Runs an SCTP INIT scan whose packets carry Adler32 checksums. Without `-sY` or `-sZ` the option changes nothing, since only SCTP packets have this checksum.
