Evasion via controlling IP/MAC/Port
Notes from TryHackMe Firewalls room by @strategos
A firewall can be a barrier to a port scan and block the traffic. This section of the room shows how the tool Nmap can be used to port scan while evading a firewall. The objective is to obscure, from the firewall's point of view, where the scan comes from.
Decoys
The Decoys technique mixes our IP address with other decoy IP addresses, so the firewall is confused about where the scan comes from.
The command below performs a SYN stealth scan (-sS) on the top 100 ports (-F). It does not perform any host discovery (no ping request) (-Pn). The decoy option is specified with the -D flag. In the command below, we ask nmap to use two random (RND) IP addresses in addition to our own IP address. In fact, only our real IP address performs the scan (ME); the other IP addresses are there only to decoy the target.
We can also explicitly specify decoy IP addresses instead of using the RND option. In the command below, it adds the 10.10.10.1 and 10.10.10.2 IP addresses in addition to our own.
Not specifying ME in the -D options places our real IP address at a random position in the decoy list.
Proxy
We can hide our real IP address behind a proxy. The target will see the proxy IP address (10.10.10.1) instead of our real IP address. More proxies can be chained using a comma-separated list.
Spoofing MAC address
This technique works only if we are in the same subnet as the target, as we need to be able to capture the response. We can use nmap with the -S flag to spoof our IP address. It is recommended to use an IP address of a target we control or from a trusted source.
Fixed Source Port Number
If we notice that the target to scan allows incoming traffic from a specific port, we can send our packets from this specific port using the -g <port_number> flag in nmap. Inspecting the traffic, we would see that all our packets come from the specified port.
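From the defender's side, both the decoy scan and the fixed-source-port scan described above leave patterns in firewall logs. The following is an added example, not part of the original notes: it parses constructed log lines (a hypothetical src/spt/dst/dpt/flags format) and flags SYNs to the same destination port from several sources in the same second sharing one source port (the assumed footprint of -D decoys), and one source probing many ports from a single fixed source port (the -g pattern).

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the original notes), one SYN per line.
# Three sources hit the same ports in the same second: a decoy scan pattern.
# 10.10.30.7 probes many ports, always from source port 53: a fixed-source-port pattern.
SAMPLE_LOG = """
10:00:01 src=10.10.10.1 spt=40001 dst=10.10.20.5 dpt=22 flags=S
10:00:01 src=10.10.10.2 spt=40001 dst=10.10.20.5 dpt=22 flags=S
10:00:01 src=10.10.10.9 spt=40001 dst=10.10.20.5 dpt=22 flags=S
10:00:01 src=10.10.10.1 spt=40001 dst=10.10.20.5 dpt=80 flags=S
10:00:01 src=10.10.10.2 spt=40001 dst=10.10.20.5 dpt=80 flags=S
10:00:01 src=10.10.10.9 spt=40001 dst=10.10.20.5 dpt=80 flags=S
10:00:05 src=10.10.30.7 spt=53 dst=10.10.20.5 dpt=21 flags=S
10:00:05 src=10.10.30.7 spt=53 dst=10.10.20.5 dpt=25 flags=S
10:00:05 src=10.10.30.7 spt=53 dst=10.10.20.5 dpt=110 flags=S
10:00:05 src=10.10.30.7 spt=53 dst=10.10.20.5 dpt=443 flags=S
10:00:05 src=10.10.30.7 spt=53 dst=10.10.20.5 dpt=3306 flags=S
10:00:09 src=10.10.40.3 spt=51234 dst=10.10.20.5 dpt=443 flags=S
"""

LINE_RE = re.compile(r"(\S+) src=(\S+) spt=(\d+) dst=(\S+) dpt=(\d+) flags=(\S+)")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, spt, dst, dpt, flags = m.groups()
            records.append({"ts": ts, "src": src, "spt": int(spt),
                            "dst": dst, "dpt": int(dpt), "flags": flags})
    return records

def detect_decoy_clusters(records, min_sources=3):
    """SYNs to the same dst:port from several distinct sources in the same second,
    all sharing one source port, look like a single scanner using -D decoys
    (assumed heuristic). Returns sorted (dst, dpt) pairs that were hit this way."""
    buckets = defaultdict(set)  # (ts, dst, dpt, spt) -> {src}
    for r in records:
        if r["flags"] == "S":
            buckets[(r["ts"], r["dst"], r["dpt"], r["spt"])].add(r["src"])
    return sorted({(dst, dpt) for (ts, dst, dpt, spt), srcs in buckets.items()
                   if len(srcs) >= min_sources})

def detect_fixed_source_port(records, min_ports=5):
    """One source probing many destination ports, always from the same source port,
    matches the -g <port> pattern. Returns {src: fixed_source_port}."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> spt -> {dpt}
    for r in records:
        if r["flags"] == "S":
            seen[r["src"]][r["spt"]].add(r["dpt"])
    return {src: spt for src, by_spt in seen.items()
            for spt, dpts in by_spt.items() if len(dpts) >= min_ports}
```

The decoy heuristic cannot tell which of the clustered sources is the real scanner; it only tells you the cluster should be treated as one event rather than three.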