[Lesson 12] Network Vulnerability and Scanning: Timing and IDS/IPS Evasion in Nmap (Theory)

Photo by Waldemar Brandt on Unsplash

Now let’s have a look on how we can cope with network security such as firewalls or packet filtering 🌋 As you know, you will always face some security measures in your penetration testing. The security measures implemented will definitely make your work not so easy 😉 It will drop your packets or reply some fake responses. Thus, you have to find those measures and bypass them to move on 💻

Bypassing IPS/IDS Devices:

‼️ Note: IPS — Intrusion Prevention System/ IDS — Intrusion Detection System ‼️

🔥 Network obstruction such as firewalls can make a network exceedingly difficult. It will not get any easier as stifling casual reconnaissance is often a key goal of implementing the devices.

🔥 Nevertheless, Nmap offers many features to help you understand these complex networks and verify that the filters are working as intended.

🔥It even supports mechanisms for bypassing poorly implemented defenses.

🔥One of the best methods/techniques of understanding your network security posture is to try to defeat it. The network security is the overall defense against the cyber attacks.

🔥In addition, in order to restrict the network activity, companies and organization are increasingly monitoring traffic with intrusion detection systems/IDS.

🔥 All the major IDS are associated with rules designed to detect Nmap scans as scans are sometimes a precursor to attacks.

🔥Many of these products have recently morphed into Intrusion Prevention System/IPS that actively block traffic that are deemed as malicious.

🔥Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem.

🔥 Attackers that are patience, skill and the help of certain Nmap options can usually bypass IDS undetected.

🔥Meanwhile, administrators must cope with a large numbers of false and positive results where innocent activities misdiagnosed and alerted or blocked.

🔥 Therefore, there are no magic bullet/one solution for detecting and bypassing firewalls and IDS systems. It takes skill and experience to do so.

Here, I am going to show you a few methods to bypass or detect the IDS and IPS devices:

Bypassing IPS/IDS Devices:


⭐️ Although timing techniques are used to improve scan times, they are also very good at being invisible against a network security devices such as firewalls, IDS and IPS.


⭐️ The -f option causes the requested scan to use tiny fragmented IP packets. The idea here is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems and other similar security measures to detect what you are doing.

⭐️Specify this option once and Nmap splits the packets into 8 bytes or less after the IP header. Thus, a 20 byte TCP header would split into three packets. Be-careful with some programs have trouble handling these tiny packets.

⭐️Fragmentation is only supported for Nmap raw packet features which include the TCP and UDP port scans.

⭐️In addition, the OS detection features such as version detection and nmap scripting generally don’t support fragmentation as they rely on your hosts TCP stack to communicate with target services.

Source Port

⭐️Using well known ports as a source port of the packets that will send is another technique to bypass firewall.

⭐️To trust traffic based on the source port number is one surprisingly common misconfiguration.

⭐️It is easy understand how this related, an administrators will set up a shiny few firewall only to be flooded with complaints from ungrateful users whose application stop working.

⭐️In particular DNS may broken because the UDP DNS replies from external servers can no longer enter the network.

⭐️Here, Nmap offers the source port option to exploit this weakness. Simply provide a port number and Nmap will send packets from that port where possible.

Randomized Scanning Order

⭐️Randomize hosts tells Nmap to shuffle each group of hosts before it scans them.

⭐️This definitely will make the scans look less obvious to various network monitoring systems. Especially when you combine it with slow timing option.

  • IP Spoofing

⭐️The -S options can be used to spoof the scan to make the targets thinks that someone else is scanning them.

⭐️Note that you won’t usually receive reply packets back to you and the packets will addressed to the IP that you are spoofing. Thus, Nmap won’t produce useful reports.

Firewall and IPS/IDS detection

⭐️You can also use some techniques to understand the existence of the security measures.

⭐️First techniques/methods is to analyze the TTL which is the time to live values of the incoming packets.

⭐️The TTL values of packets coming from the destination systems may differ from the TTL values of the packets coming from a network security devices.

⭐️Thus, find the incoming packets that have two different results and analyze their TTL values.

⭐️Bad-sum option asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts. Since that virtually all host IP stacks will properly drop these packets. Any responses received are most likely coming from a fire wall or IDS that didn’t bother to verify the checksum.

Related Information:

In this lesson, I am trying my best to explain to you all in theory point of view about the Timing and IDS/IPS Evasion in Nmap 💭

Thanks for reading 😃




A Bachelor CS student with major in Network Security (UniSZa). Every stories I shared is based on my personal opinion. Thanks you. Having my Internship now.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Ocean Protocol’s ($OCEAN) RSS feed integrated with Crypto.com’s price page

Social Responsibility in the Age of Data Mining

#SpringSecurity: What is the difference between access and refresh token?

The SEFI Infinity Pool: An In Depth Look

Cybersecurity Prevention for Small Budgets: Holistic Strategies

Tracking Malware and Threat Actor Activity with Process Monitoring

[Part 3]Kali Linux Basics: Learn about Users and Privileges with simple command line

How to unify your vulnerability data and improve your security posture with Monad and Snowflake

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Koay Yong Cett

Koay Yong Cett

A Bachelor CS student with major in Network Security (UniSZa). Every stories I shared is based on my personal opinion. Thanks you. Having my Internship now.

More from Medium

Custom matplotlib Colormap Inspired by Pride Flag

Analysis: Which Colonial Power Left Behind the Best Legacy?

World Intellectual Property Indicators

Observe and Quantify