Sunday, February 12, 2012

Firewall scanning technique

In previous years we always knew that we could perform a stealth scan over a network with -sS. With today's technology this no longer works, because firewall and antivirus vendors have come out with solutions that protect against those scanning techniques. However, the scanning technique is driven by a human, and we can always play around with the configuration and trick the firewall or IPS. In this article I will show you how. If you would like to test this, you can probably install Symantec Endpoint Protection and check the result.

Using a default scan such as -sS or -A will trigger the IPS to block the scanner from getting information from the hosts. What we need to do is tweak the packets and the way we scan. Below is one of the well-known ways of doing it.

nmap -v -Pn -sS -f --mtu 32 --data-length 50 --source-port 99 --randomize-hosts -T 1

  • -sS is a half-open or SYN scan. These scans do not complete all three steps of the TCP handshake and therefore have a chance of not being logged or picked up by an IPS. The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports.
  • -f fragments packets. The idea here is to split the TCP header over many packets in order to make it harder for a firewall or IPS to recognise the pattern.
  • --mtu sets a specific MTU size. It is almost the same as the -f option. In this example we are using an MTU size of 32; the size must be a multiple of 8 (8, 16, 24, 32, ...).
  • --data-length specifies extra length for the packets. This matters because some firewall vendors recognise the predictable default size. In this example we have added 50 bytes to every packet.
  • --source-port specifies the source port, to bypass poor firewall configuration.
  • --randomize-hosts: a typical IDS or IPS signature might fire if you scan multiple target hosts in order. Randomizing the order in which you scan helps avoid this. You might want to consider this option when you have a list of IPs to scan.
  • -T 2 is the timing setting. When done with a full port range (-p1-65535) on four IPs it takes 1000 seconds to complete. The -T2 option is the time setting; T1 is the slowest.
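From the defender's side, the options above leave a recognisable shape on the wire: a TCP header split across fragments, a SYN that needed fragmenting at all, a SYN carrying padding, and one fixed source port reused against many hosts. The following is an added example (not from the original post) that checks constructed per-segment records for those shapes; the record layout, the sample values and the sweep threshold are assumptions for illustration.

```python
"""Defender-side check for the evasion options listed above (-f, --mtu,
--data-length, --source-port). Records are constructed, not captured."""
from collections import defaultdict

# One record per TCP segment after IP reassembly, as a sensor would log it:
# (src, sport, dst, dport, flags, frag_count, first_frag_len, tcp_len)
# first_frag_len / tcp_len are IP payload bytes (TCP header + data).
SAMPLE_RECORDS = [
    # --mtu 32 --data-length 50: 20-byte header + 50 bytes = 70, sent as 32/32/6
    ("10.0.0.5", 99, "10.0.1.10", 22, "S", 3, 32, 70),
    ("10.0.0.5", 99, "10.0.1.11", 80, "S", 3, 32, 70),
    ("10.0.0.5", 99, "10.0.1.12", 443, "S", 3, 32, 70),
    # -f alone: header split into 8-byte fragments (9 fragments for 70 bytes)
    ("10.0.0.5", 99, "10.0.1.13", 25, "S", 9, 8, 70),
    # ordinary client traffic: unfragmented, bare SYN, ephemeral source port
    ("10.0.0.7", 51234, "10.0.1.10", 443, "S", 1, 20, 20),
    ("10.0.0.7", 51234, "10.0.1.10", 443, "PA", 1, 517, 517),
]

TCP_HEADER_MIN = 20

def find_evasion_indicators(records, sweep_threshold=3):
    """Return (indicator, src, detail) tuples for segments matching the tricks above."""
    findings = []
    syn_targets = defaultdict(set)   # (src, sport) -> distinct destinations SYN-scanned
    for src, sport, dst, dport, flags, frag_count, first_frag_len, tcp_len in records:
        is_syn_only = flags == "S"
        if frag_count > 1 and first_frag_len < TCP_HEADER_MIN:
            # -f: the TCP header itself is split, so flags/options are not in fragment 1
            findings.append(("header-split-fragments", src, f"{dst}:{dport} first_frag={first_frag_len}"))
        if frag_count > 1 and is_syn_only:
            # --mtu N: a bare SYN never needs fragmenting; real stacks do not do this
            findings.append(("fragmented-syn", src, f"{dst}:{dport} fragments={frag_count}"))
        if is_syn_only and tcp_len > TCP_HEADER_MIN:
            # --data-length: padding behind a SYN (TCP Fast Open aside, SYNs carry no data)
            findings.append(("padded-syn", src, f"{dst}:{dport} pad={tcp_len - TCP_HEADER_MIN}"))
        if is_syn_only:
            syn_targets[(src, sport)].add(dst)
    for (src, sport), dsts in syn_targets.items():
        # --source-port 99: one fixed source port across many hosts; real clients
        # pick a fresh ephemeral port per connection
        if len(dsts) >= sweep_threshold:
            findings.append(("fixed-source-port-sweep", src, f"sport={sport} hosts={len(dsts)}"))
    return findings

if __name__ == "__main__":
    for finding in find_evasion_indicators(SAMPLE_RECORDS):
        print(*finding)
```

Only the scanning host trips any indicator; the ordinary client produces none, which is the property a rule like this needs before it is worth alerting on.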
Test this out and share your comments with us.

Stay tuned for my articles. Let us know what you thought and learned, and what you hope for in the next articles! Connect with us on GOOGLE+, TWITTER and FACEBOOK.
