z3tssu
  • README
  • Cybersecurity Certifications & Notes
    • Cybersecurity Knowledge Base
      • IPPSEC's Video Search for Hacking Methods
      • Finding Someone's Location with Seeker
      • Nishang Project
      • Hacktricks
    • πŸ“œCertifications & Courses
      • 🟒Hackthebox - CPTS
        • Getting Started
          • General
          • Tmux
          • Vim
          • Service Scanning
        • Penetration Testing Process
        • Network Enumeration with Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving the Nmap Scanning Results
          • Service Enumeration
          • Nmap Scripting Engine
            • Update the Scripting Engine
            • Nmap Script Locations
          • Performance Tags
          • Firewall and IDS/IPS Evasion
        • πŸ‘£Footprinting
          • πŸ”ŽHost-Based Service Enumeration
            • FTP [21]
              • Basics
                • vsFTPd Detailed Output
                • Hiding IDs - YES
              • Footprinting FTP
                • Nmap FTP Script Scanning
                • Service Interaction
              • FTP Commands
            • SMB [139/445]
              • Basics
                • Default Configuration
                • Create and Manage Samba Share
                • smbstatus
              • Footprinting SMB
                • SMB Nmap Scan
                • Smbclient
                • RPCclient
                  • Useful Commands
                  • Basic Enumeration
                  • Enumerate Users
                  • Group Information
                  • Bruteforcing User RIDs
                • smbmap
                • CrackMapExec
                • Enum4Linux-ng
            • NFS [111,2049]
              • Basics
                • Default Configuration of NFS
                • Creating an NFS Entry
                • Dangerous Settings
              • Footprinting NFS
                • nmap
                  • Basic Scan
                  • NFS Script Scan
                • Mount an NFS Share
                • Unmount NFS
            • DNS [53]
              • Basics
                • DNS Records
                • Default Configuration
                • Dangerous Settings
              • Footprinting DNS
                • DIG - NS QUERY
                • DIG - Version Query
                • DIG - Any Query
                • DIG - AXFR Zone Transfer
                • DIG - AXFR Zone Transfer - Internal
                • Subdomain Bruteforcing (For Loop with Seclists)
                • Subdomain Bruteforce (DNSenum)
            • SMTP (25,587)
              • Telnet SMTP
                • Telnet - HELO/EHLO
                • Telnet - VRFY
                • Telnet - Send an Email
              • Nmap Telnet
              • FTP User Enumeration
            • IMAP/POP3 [110,995,143,993]
              • Default Configuration
            • SNMP[161]
            • MySQL [3306]
            • MSSQL [1433]
            • Oracle TNS [1521]
            • IPMI [623]
            • SSH [22]
            • Rsync [873]
            • R-Services [512, 513, 514]
            • RDP [3389]
            • WinRM [5985, 5986]
            • WMI [135]
          • Introduction
            • Enumeration Principles
            • Enumeration Methodology
          • Infrastructure Enumeration
            • Domain Information
            • Cloud Resource
            • Staff
        • πŸ•ΈοΈWeb Information Gathering
          • πŸ€·β€β™‚οΈWHOIS
          • 🧬DNS
            • 🧬DIG
          • πŸ“šSubdomain Enumeration
            • DNS Zone Transfer
            • Sub Domain Bruteforcing
            • Virtual Hosts
              • Gobuster vhosts brutefoce
              • Add Vhosts to /etc/hosts
            • Certificate Transparency Logs
          • πŸ–οΈFingerprinting
            • Banner Grabbing
            • Web Application Firewall (Wafw00f)
            • Nikto
          • Crawling
            • robots.txt
            • .Well-Known URIs
            • Popular Web-Crawlers
              • Scrapy (ReconSpider)
              • Apache Nutch (Scalable Crawler)
              • Burp Suite Spider
              • OWASP ZAP (ZED Attack Proxy)
          • πŸ”₯Automating Recon
            • FinalRecon
          • πŸ”Search Engine Discovery
            • πŸ”Google Dorking
            • πŸ”Search Operators
          • Web Archives
          • Questions
            • Question 4
            • Question 5
        • Vulnerability Assessment
          • Vulnerability Scanning Tools
            • Nessus
              • Installing and Starting Nessus
              • Nessus Scan Types
              • Nessus Polices
                • Creating a Nessus Policy
              • Nessus Plugins
                • Creating a Plugin Rule
              • Credentialed Scanning
                • HTB Credentials for Nessus
              • Exporting Nessus Scans
              • Scanning Issues
            • OpenVAS
              • Installing OpenVAS
              • OpenVAS Scan
              • Exporting Scans
            • Nexpose
            • Qualys
          • Security Assessments
          • Vulnerability Assessment
          • Assessment Standards
          • Common Vulnerability Scoring System (CVSS)
          • Common Vulnerabilities and Exposures (CVE)
            • Open Vulnerability Assessment Language (OVAL)
          • Reporting
        • πŸ“‚File Transfers
          • File Transfer Methods
            • Windows File Transfer Methods
              • ⬇️Download Operations
                • πŸͺŸ PowerShell Base64 Encode & Decode
                • 🌐 PowerShell Web Downloads -
                • πŸ“¦ SMB Downloads
                • 🌐 FTP Downloads
              • ↗️Upload Operations
                • πŸ” Encode File Using PowerShell
                • 🌐 PowerShell Web Uploads
                • 🧬 PowerShell Base64 Web Upload
                • 🌐 SMB Uploads with WebDAV Twist
                • πŸ“‘ FTP Uploads
            • Linux File Transfer Methods
              • Download Operations
                • πŸ“¦ Base64 Encoding / Decoding for File Transfers
                • 🌐 Web Downloads with Wget and cURL
                • πŸ’£ Fileless Attacks in Linux – Execute Directly
                • 🐚 Download with Bash using /dev/tcp
                • πŸ” SSH Downloads with scp
                  • More Usage on SCP
              • Upload Operations
                • 🌐 Web Upload with HTTPS πŸš€
                • πŸ› οΈ Quick Web File Transfer Method
                • πŸ”„ SCP Upload
            • Transferring Files with Code
              • Downloading Files
              • Uploading Files
            • Transfer Files with Netcat, Ncat, RDP
            • Powershell Session File Transfer
            • RDP File Transfer
            • Protected File Transfers
            • Sending Files over HTTP/S
            • Upload and Download with Built in OS Tools
          • Detect or Be Detected
            • Detection
            • Evade Detection
        • 🐚Shells & Payloads
          • The Shell Basics
            • Bind Shell
            • Reverse Shell
          • Creating Payloads
            • Introduction to Payloads
            • Metasploit Payloads
            • Crafting Payloads with MSFvenom
          • Infiltrating Windows
            • πŸ› οΈ MS17-010 EternalBlue
          • Infiltrating Unix/Linux
            • 🐍 Spawning a TTY Shell with Python
            • Spawing Interactive Shells
          • Web Shells
            • πŸ§ͺ Laudanum – "One Web Shell to Rule Them All"
            • 🧠 Antak Webshell + ASPX Concepts
            • 🐘 PHP Web Shells
            • Shells & Payloads - The Live Engagement
          • Detection and Prevention
        • πŸ‘ΎMetasploit
          • Introduction
            • 🧰 Introduction to Metasploit Framework (MSF)
            • MSF Engagement Structure
          • MSF Components
            • 🧰 Modules
            • 🎯 Targets
            • 🧠 Payloads
            • πŸ”§ Encoders?
            • πŸ—„οΈ Database
            • πŸ”Œ Plugins
          • MSF Sessions
            • πŸ” Sessions
            • πŸ› οΈ Meterpreter
          • Additional Features
            • πŸ› οΈ Installing & Importing Custom Metasploit Modules
            • 🧠 Porting Scripts into Metasploit Modules
            • πŸ’₯ Introduction to MSFVenom
            • πŸ›‘οΈ Firewall and IDS/IPS Evasion
        • βš”οΈPassword Attacks
          • Where Credentials are Stored?
          • John The Ripper
          • Remote Password Attacks
            • πŸ–₯️ Network Services
              • WinRM [5985, 5986]
              • SSH [22]
              • RDP [3389]
              • SMB [139,445]
              • Questions
            • πŸ” Password Mutations & Wordlist Generation
            • πŸ” Password Reuse & Default Passwords
          • Windows Local Password Attacks
            • Attacking SAM (Security Account Manager)
            • Attacking LSASS
      • TCM Security - PNPT
      • Cisco Ethical Hacker
      • Introduction to Hacking Methodology
    • Pentesting Services
    • Pentesting Web
      • CBBH
      • TCM Security - Practical Web Hacking
    • Pentesting Wi-Fi
      • OSWP
      • Wireless Penetration Test (WPA2)
    • Pentesting Cloud
    • Network Defense
      • Blue Team Level 1
    • 🐍Scripting with Python
    • ☒️Active Directory Penetration Testing
      • Initial Attack Vectors
      • Post Compromise Enumeration
    • Cybersecurity Job Skills
      • Information Security Officer Guide
    • πŸ”IP Address Investigation
      • WHOIS
      • Reverse DNS
      • Geolocation of the IP
      • Check If IP is Active and has Services Running
      • Check the IP Reputation
      • Check Passive DNS History
      • Confirm the Actual Server Location
    • Cybersecurity Projects
      • Wireless Penetration Test (WPA2)
      • AWS Honeypot
      • SOC Analyst Home Lab
      • Threat Management with Wazuh SIEM
    • Cybersecurity Books
    • πŸ”„SOC
  • IT Certifications & Notes
    • Certifications
      • MS-900 Microsoft 365 Fundamentals
        • Describe Microsoft security and compliance capabilities
          • Describe the functions and identity types of Microsoft Entra ID
          • Describe access management capabilities of Microsoft Entra
            • Introduction
            • Describe Conditional Access
            • Describe Global Secure Access in Microsoft Entra
            • Describe Microsoft Entra roles and role-based access control (RBAC)
      • CISSP
      • ITIL
        • ITIL 4 Foundations
      • CCNA
        • David Bombal - Udemy
        • CCNA Training - Jeremy's IT Lab
          • Resources
          • Cisco Packet Tracer Labs
            • Cisco Packet Tracer Overview
            • Packet Tracer Lab 1
      • MCSE Certification Options
      • AZ-900
    • IT Projects & Training
      • Windows Server 2016 - Active Directory Lab Build
      • Windows Server 2022 Fundamentals
        • Introduction to Server Manager
          • Installing and Configuring Server Manager
          • Creating a VM on Microsoft Azure for Server 2022
        • Introduction to Active Directory
          • Active Directory and Setting up
          • Active Directory Overview
          • Delegation Rights for Active Directory
          • Active Directory Administrative Center
          • Common cmd commands for IT Support
        • Group Policy Management
          • How to apply basic GPO
        • Introduction to Share Folders
          • Creating Share Folders on Server Manager
          • Share Folder Permissions for Users
          • Map a Network Drive (locally)
          • Map a Network Drive through Active Directory
        • Understanding Windows/Common AD Issues
          • Installing RSAT Tools
          • Joining a PC to the Domain
        • Real Life IT Support Issues
          • When a User Gets locked out their accounts
          • Change Password of a User
      • Office 365 For IT Support
        • Office 365 Overview
      • Microsoft Azure Training
        • Getting Started in the Azure Portal
        • Introduction to Microsoft Azure Services
        • Basic Usage of Azure Services
        • Azure Deploy Sql Database Overview
        • Azure AD Connect Overview
        • Azure Microsoft File Share/Map Drives
        • Deploy Windows 11 to Azure
        • Microsoft Azure Basic Fundamentals (Azure Active Directory)
        • Introduction to Vnet (Overview)
        • Microsoft Azure Network/Security
        • Microsoft Azure Tagging (Final Course)
      • Networking Projects with Cisco Packet Tracer
        • Build a Basic Network
        • Webserver Project
      • Setup and Router and Switch
    • IT Knowledge Base
  • CTF/Box WRITEUPS
    • Tryhackme
    • HTB
      • Footprinting Lab - Easy
      • Footprinting Lab - Medium
      • Footprinting Lab - Hard
      • Nessus Skills Assessment
      • OpenVAS Skills Assessment
      • Tier 0
      • Tier 1
  • Cryptocurrency/Blockchain
    • Cryptocurrency Investigation
    • Certifications
      • Certified Blockchain Security Professional
Powered by GitBook
On this page
  • Firewalls
  • Scanning Options Summary
  • Determining Firewalls and Their Rules
  • SYN Scan Example
  • ACK Scan Example
  • Decoys
  • OS Detection and Scanning with Different Source IP
  • DNS Proxying and Source Port Manipulation
  • SYN Scan of a Filtered Port
  • SYN Scan from DNS Port
  • Connecting to the Filtered Port Using Netcat
  • Labs and Practice
  1. Cybersecurity Certifications & Notes
  2. Certifications & Courses
  3. Hackthebox - CPTS
  4. Network Enumeration with Nmap

Firewall and IDS/IPS Evasion

  • Objective: Understand various techniques to bypass firewall rules and IDS/IPS using Nmap. Techniques include:

    • Packet fragmentation

    • Use of decoys

    • Changing source IP/port

    • Other methods

Firewalls

  • Definition:

    A security mechanism that monitors and filters incoming network traffic.

  • Functionality:

    • Examines network packets between external sources and the protected network.

    • Decides whether to pass, ignore, or block packets based on defined rules.

    • Rules might cause packets to be:

      • Dropped: No response is sent.

      • Rejected: A response (often with an RST flag or ICMP error) is sent back.

  • Common ICMP Error Codes:

    • Net Unreachable

    • Net Prohibited

    • Host Unreachable

    • Host Prohibited

    • Port Unreachable

    • Proto Unreachable

Scanning Options Summary

  • Common Options Used:

    • 10.129.2.28 – Target IP.

    • -p <ports> – Specify ports to scan.

    • sS – SYN scan.

    • sA – ACK scan.

    • Pn – Disable ICMP Echo requests.

    • n – Disable DNS resolution.

    • --disable-arp-ping – Prevent ARP ping.

    • --packet-trace – Show all sent/received packets.

    • D <decoys> – Use decoy IP addresses.

    • S <source_IP> – Specify source IP.

    • e <interface> – Use a specific network interface.

    • --source-port <port> – Use a specific source port.

Determining Firewalls and Their Rules

  • Filtered vs. Rejected Ports:

    • Filtered: No response (packet is dropped).

    • Rejected: Response returned (often with an RST flag or specific ICMP error).

  • Nmap Scans Overview:

    • SYN Scan (-sS):

      • Sends SYN packets to initiate connections.

      • For an open port, target typically replies with SYN-ACK.

    • ACK Scan (-sA):

      • Sends packets with only the ACK flag.

      • Used to check firewall filtering rules (since many firewalls allow ACK packets through regardless of connection state).

SYN Scan Example

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace

  • Observation:

    • Port 22: Received a SYN-ACK (open).

    • Ports 21 and 25: Filtered (ICMP error or no response).

  • Scan Report:

    • 21/tcp: filtered (ftp)

    • 22/tcp: open (ssh)

    • 25/tcp: filtered (smtp)

ACK Scan Example

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

  • Observation:

    • Port 22: Returns an RST (indicating it is unfiltered).

    • Ports 21 and 25: Filtered (ICMP error or no response).

  • Scan Report:

    • 21/tcp: filtered (ftp)

    • 22/tcp: unfiltered (ssh)

    • 25/tcp: filtered (smtp)

Decoys

  • Purpose:

    • Hide the true origin of the scan by mixing real packets with decoy IP addresses.

  • Usage in Nmap:

    • D RND:5 generates five random decoy IP addresses.

    • Your real IP is randomly inserted among these decoys.

  • Example: Scan Using Decoys

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

  • Observation:

    • The target sees multiple source IPs.

    • This can help bypass filters that block specific subnets.

  • Note:

    • Spoofed packets might be dropped by ISPs/routers if not from the same network range.

    • You can also manually specify VPS IP addresses or manipulate IP IDs if needed.

OS Detection and Scanning with Different Source IP

  • Testing Firewall Rules with OS Detection:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p445 -O

  • Scan Report:

    • 445/tcp: filtered (microsoft-ds)

    • OS detection may be inconclusive if not enough open/closed ports are found.

  • Scan with a Different Source IP:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

  • Observation:

    • Using a different source IP (and a specific interface) might result in different firewall/IDS behavior.

    • 445/tcp now appears as open, and OS guesses (though not exact) are provided.

DNS Proxying and Source Port Manipulation

  • DNS Queries:

    • By default, Nmap performs reverse DNS lookups.

    • Can be overridden by using -dns-server <ns>,<ns> to specify DNS servers (useful in DMZ scenarios).

  • Using TCP Port 53:

    • Some firewalls might allow traffic from port 53 (trusted DNS).

    • You can specify the source port with -source-port 53.

SYN Scan of a Filtered Port

  • Example:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

  • Observation:

    • 50000/tcp: Filtered (e.g., ibm-db2)

    • Packets may be dropped, as shown by the packet trace.

SYN Scan from DNS Port

  • Example:

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

  • Observation:

    • The scan appears to succeed.

    • 50000/tcp: Open (ibm-db2)

    • Insight: Firewalls accepting TCP traffic from port 53 can allow packets through that would normally be filtered.

Connecting to the Filtered Port Using Netcat

  • Example using Netcat (ncat):

z3tssu@htb[/htb]$ ncat -nv --source-port 53 10.129.2.28 50000

  • Observation:

    • Connection is established.

    • Banner (e.g., 220 ProFTPd) is returned, indicating that the firewall/IDS might be lenient with traffic from port 53.

Labs and Practice

  • Scenario Practice:

    • Multiple lab scenarios are provided to practice evading firewall rules and IDS/IPS.

    • The techniques should be applied as quietly as possible to avoid triggering automatic blocks by the target’s security systems.

These notes cover the key concepts and examples provided, preserving the essential code blocks and details on scanning options and techniques for bypassing firewall/IDS rules.

PreviousPerformance TagsNextFootprinting
πŸ“œ
🟒