[Lesson 12] Network Vulnerability and Scanning: Timing and IDS/IPS Evasion in Nmap (Theory)
Now let’s have a look at how we can cope with network security measures such as firewalls or packet filtering 🌋 As you know, you will always face some security measures in your penetration testing. The measures in place will definitely make your work harder 😉 They will drop your packets or reply with fake responses. Thus, you have to find those measures and bypass them to move on 💻
Bypassing IPS/IDS Devices:
‼️ Note: IPS — Intrusion Prevention System/ IDS — Intrusion Detection System ‼️
🔥 Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of deploying these devices.
🔥 Nevertheless, Nmap offers many features to help you understand these complex networks and verify that the filters are working as intended.
🔥 It even supports mechanisms for bypassing poorly implemented defenses.
🔥 One of the best ways to understand your network security posture is to try to defeat it. Network security is the overall defense against cyber attacks.
🔥 In addition to restricting network activity, companies and organizations are increasingly monitoring traffic with intrusion detection systems (IDS).
🔥 All the major IDS ship with rules designed to detect Nmap scans, as scans are sometimes a precursor to attacks.
🔥 Many of these products have recently morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious.
🔥 Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem.
🔥 Attackers with patience, skill and the help of certain Nmap options can usually get past an IDS undetected.
🔥 Meanwhile, administrators must cope with a large number of false positives, where innocent activity is misdiagnosed and alerted on or blocked.
🔥 Therefore, there is no magic bullet or single solution for detecting and bypassing firewalls and IDS. It takes skill and experience to do so.
Here, I am going to show you a few methods to bypass or detect IDS and IPS devices:
Timing
⭐️ Although timing techniques are usually used to improve scan times, they are also very good at keeping a scan invisible to network security devices such as firewalls, IDS and IPS.
Fragmentation
⭐️ The -f option causes the requested scan to use tiny fragmented IP packets. The idea is to split the TCP header over several packets to make it harder for packet filters, intrusion detection systems and other similar security measures to detect what you are doing.
⭐️ Specify this option once and Nmap splits the packets into 8 bytes or less after the IP header. Thus, a 20-byte TCP header would be split into three packets. Be careful: some programs have trouble handling these tiny packets.
⭐️ Fragmentation is only supported for Nmap's raw packet features, which include the TCP and UDP port scans.
⭐️ In addition, features such as version detection and Nmap scripting generally don’t support fragmentation, as they rely on your host's TCP stack to communicate with target services.
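As an added example (not from the lesson, and not Nmap's code), the following Python models what the fragmentation above does to a 20-byte TCP header and why a packet filter or IDS has to reassemble fragments before it can inspect them. The SYN header is constructed for the example; the inspection "signature" is deliberately naive. The fragment size is a parameter so the 8-byte case the lesson describes can be compared with a larger one.

```python
# Added example, not from the lesson: models IP fragmentation of a TCP header
# and a naive per-fragment inspection versus inspection after reassembly.
import struct

# Constructed 20-byte TCP header: sport 40000, dport 80, seq 0, ack 0,
# data offset 5 words (20 bytes), flags SYN (0x02), window 1024, csum 0, urg 0.
SYN_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)


def fragment(payload: bytes, frag_size: int = 8):
    """Split an IP payload into fragments the way the IP layer does.

    Returns a list of (offset_units, more_fragments, data). The IP header's
    fragment offset field counts 8-byte units, so frag_size must be a multiple
    of 8. Nmap's -f uses 8 bytes per fragment; a second -f raises it to 16.
    """
    if frag_size % 8 != 0:
        raise ValueError("fragment size must be a multiple of 8 bytes")
    frags = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        more = start + frag_size < len(payload)   # MF flag: more fragments follow
        frags.append((start // 8, more, chunk))
    return frags


def reassemble(frags):
    """Rebuild the original payload from fragments, whatever order they arrived in."""
    ordered = sorted(frags, key=lambda f: f[0])
    buf = bytearray()
    for offset_units, _more, data in ordered:
        if offset_units * 8 != len(buf):
            raise ValueError("gap or overlap at offset %d" % (offset_units * 8))
        buf += data
    if ordered and ordered[-1][1]:
        raise ValueError("last fragment still has MF set; datagram incomplete")
    return bytes(buf)


def looks_like_syn(tcp_bytes: bytes) -> bool:
    """Naive signature: the TCP flags byte (offset 13) is exactly SYN."""
    return len(tcp_bytes) >= 14 and tcp_bytes[13] == 0x02


def inspect_per_fragment(frags) -> bool:
    """What a filter sees if it matches each fragment on its own."""
    return any(looks_like_syn(data) for _, _, data in frags)


def inspect_reassembled(frags) -> bool:
    """What a filter sees once it reassembles the datagram first."""
    return looks_like_syn(reassemble(frags))


if __name__ == "__main__":
    for size in (8, 16):
        fr = fragment(SYN_HEADER, size)
        print(size, [(o, m, len(d)) for o, m, d in fr],
              "per-fragment:", inspect_per_fragment(fr),
              "reassembled:", inspect_reassembled(fr))
```

With 8-byte fragments the flags byte lands in the second fragment, which is too short for the signature to match on its own, so only the reassembled view catches the SYN; with 16-byte fragments the flags byte stays in the first fragment and the naive check still fires. That is the defender's takeaway: inspect after reassembly, not per fragment.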
Source Port
⭐️ Using well-known ports as the source port of the packets you send is another technique to bypass a firewall.
⭐️ Trusting traffic based on its source port number is a surprisingly common misconfiguration.
⭐️ It is easy to understand how this happens: an administrator sets up a shiny new firewall, only to be flooded with complaints from ungrateful users whose applications stop working.
⭐️ In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network.
⭐️ Here, Nmap offers the source port option to exploit this weakness. Simply provide a port number and Nmap will send packets from that port where possible.
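The defender's side of this weakness is the firewall rule that admits packets purely because they claim to come from port 53 or 20. As an added example (not from the lesson), the Python below audits a constructed iptables-save style ruleset for exactly that pattern and shows the stateful form of the rule next to the weak one. The ruleset, the `-m conntrack --ctstate` rewrite and the helper names are this example's own; they are not from the lesson.

```python
# Added example, not from the lesson: find ACCEPT rules that trust a source
# port without a connection-state match, and show the stateful replacement.
import shlex

# Constructed iptables-save output. The two --sport rules without conntrack
# are the "make DNS/FTP replies work" quick fix the lesson warns about.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

STATE_MATCHES = ("--ctstate", "--state")
SPORT_MATCHES = ("--sport", "--source-port")


def find_source_port_trust(ruleset: str):
    """Return the rule lines that accept traffic on the basis of its source port alone.

    A rule is flagged when it matches --sport/--source-port, jumps to ACCEPT and
    carries no conntrack/state match. Such a rule admits any packet that merely
    claims the trusted source port, which a scanner can set at will.
    """
    flagged = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        has_sport = any(t in SPORT_MATCHES for t in toks)
        accepts = "-j" in toks and toks.index("-j") + 1 < len(toks) \
            and toks[toks.index("-j") + 1] == "ACCEPT"
        stateful = any(t in STATE_MATCHES for t in toks)
        if has_sport and accepts and not stateful:
            flagged.append(line)
    return flagged


def stateful_form(rule: str) -> str:
    """Rewrite a flagged rule so it only admits packets belonging to a flow
    this host opened (the reply case the weak rule was meant to handle)."""
    return rule.replace("-j ACCEPT",
                        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")


def hardened_ruleset(ruleset: str) -> str:
    """Apply stateful_form to every flagged rule and return the new ruleset text."""
    weak = set(find_source_port_trust(ruleset))
    return "\n".join(stateful_form(l) if l in weak else l
                     for l in ruleset.splitlines()) + "\n"


if __name__ == "__main__":
    for rule in find_source_port_trust(SAMPLE_RULESET):
        print("weak:     ", rule)
        print("stateful: ", stateful_form(rule))
```

In practice the generic `ESTABLISHED,RELATED` rule already present in the sample covers DNS and FTP replies on its own, so the flagged rules can simply be removed; the rewrite is shown to make the difference between "trust the port" and "trust the flow" explicit.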
Randomized Scanning Order
⭐️ The randomize-hosts option tells Nmap to shuffle each group of hosts before it scans them.
⭐️ This will definitely make the scans look less obvious to various network monitoring systems, especially when you combine it with a slow timing option.
IP Spoofing
⭐️ The -S option can be used to spoof the source address of the scan, making the targets think that someone else is scanning them.
⭐️ Note that you won’t usually receive reply packets, since they will be addressed to the IP that you are spoofing. Thus, Nmap won’t produce useful reports.
Firewall and IPS/IDS detection
⭐️ You can also use some techniques to detect the presence of security measures.
⭐️ The first method is to analyze the TTL (time to live) values of the incoming packets.
⭐️ The TTL values of packets coming from the destination system may differ from the TTL values of packets coming from a network security device.
⭐️ Thus, look for incoming packets from the same address that give two different results and compare their TTL values.
⭐️ The badsum option asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are most likely coming from a firewall or IDS that didn’t bother to verify the checksum.
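As an added example (not from the lesson, and not Nmap's output format), the Python below applies both detection ideas above to a constructed, tcpdump-like trace: it groups replies by source address and TTL to spot an address that answers with two different TTLs, and it correlates replies with probes that were sent with a bad checksum. The trace lines, addresses and the `badsum=` field are made up for the example.

```python
# Added example, not from the lesson: TTL comparison and bad-checksum responder
# detection over a constructed trace of probes ("out") and replies ("in").
import re
from collections import defaultdict

# Constructed trace: scanner 192.0.2.10 probing 203.0.113.5. Port 80 answers
# with TTL 127 (the host); ports 23 and 443 answer with TTL 254 (something in
# the path). The badsum=1 probe to 22 gets no answer, as a real stack drops it.
SAMPLE_TRACE = """\
out 192.0.2.10.40000 > 203.0.113.5.80 S ttl=64 badsum=0
in  203.0.113.5.80 > 192.0.2.10.40000 SA ttl=127
out 192.0.2.10.40001 > 203.0.113.5.23 S ttl=64 badsum=0
in  203.0.113.5.23 > 192.0.2.10.40001 RA ttl=254
out 192.0.2.10.40002 > 203.0.113.5.443 S ttl=64 badsum=1
in  203.0.113.5.443 > 192.0.2.10.40002 RA ttl=254
out 192.0.2.10.40003 > 203.0.113.5.22 S ttl=64 badsum=1
"""

LINE_RE = re.compile(
    r"^(?P<dir>out|in)\s+(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+)"
    r"\s+(?P<flags>\S+)\s+ttl=(?P<ttl>\d+)(?:\s+badsum=(?P<badsum>[01]))?$"
)


def parse(trace: str):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            d[key] = int(d[key])
        d["badsum"] = d["badsum"] == "1"
        records.append(d)
    return records


def ttl_anomalies(records):
    """Addresses that replied with more than one TTL, mapped as ttl -> ports.

    A single host sits a fixed number of hops away and uses one initial TTL, so
    two distinct values for one address mean two different devices are answering.
    """
    seen = defaultdict(lambda: defaultdict(set))   # ip -> ttl -> set(ports)
    for r in records:
        if r["dir"] == "in":
            seen[r["src"]][r["ttl"]].add(r["sport"])
    return {ip: {ttl: sorted(ports) for ttl, ports in per_ttl.items()}
            for ip, per_ttl in seen.items() if len(per_ttl) > 1}


def badsum_responders(records):
    """(ip, port) pairs that answered a probe sent with a deliberately bad checksum.

    Host stacks drop such probes, so any answer points at a middlebox that
    replied without verifying the transport checksum.
    """
    bad_probes = {(r["dst"], r["dport"]) for r in records
                  if r["dir"] == "out" and r["badsum"]}
    return sorted({(r["src"], r["sport"]) for r in records
                   if r["dir"] == "in" and (r["src"], r["sport"]) in bad_probes})


if __name__ == "__main__":
    recs = parse(SAMPLE_TRACE)
    print("TTL anomalies:", ttl_anomalies(recs))
    print("answered bad-checksum probes:", badsum_responders(recs))
```

Both checks point at the same thing in the sample: the TTL 254 replies for ports 23 and 443 and the answer to the bad-checksum probe on 443 come from a device in front of the host, not from the host's own stack.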