Firewall/IDS Evasion and Spoofing:
Option -f (fragment packets); –mtu (using the specified MTU):
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into 8 bytes or less after the IP header. So a 20-byte TCP header would be split into 3 packets. Two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of fragments). Or you can specify your own offset size with the –mtu option. Don’t also specify -f if you use –mtu. The offset must be a multiple of 8. While fragmented packets won’t get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some networks can’t afford the performance hit this causes and thus leave it disabled. Others can’t enable this because fragments may take different routes into their networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while a sniffer such as Ethereal is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the –send-eth option to bypass the IP layer and send raw ethernet frames.
Option -D <decoy1 [,decoy2][,ME],…> (Cloak a scan with decoys):
Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.
Separate each decoy host with commas, and you can optionally use ME as one of the decoys to represent the position for your real IP address. If you put ME in the 6th position or later, some common port scan detectors (such as Solar Designer’s excellent scanlogd) are unlikely to show your IP address at all. If you don’t use ME, nmap will put you in a random position. You can also use RND to generate a random, non-reserved IP address, or RND:<number> to generate <number> addresses.
Option -S <IP_Address> (Spoof source address):
In some circumstances, Nmap may not be able to determine your source address ( Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.
Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! The -e option and -P0 are generally required for this sort of usage. Note that you usually won’t receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won’t produce useful reports.
Option -e <interface> (Use specified interface):
Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot.
Option –source-port <portnumber>; -g <portnumber> (Spoof source port number):
One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, only to be flooded with complains from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file.
Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active ftp from port 20, many admins have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, admins consider this a short-term stop-gap measure until they can implement a more secure solution. Then they forget the security upgrade.
Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). In another well-known case, versions of the Zone Alarm personal firewall up to 2.1.25 allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP).
We selected port 666!!
Option –data-length <number> (Append random data to sent packets):
Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. This option tells Nmap to append the given number of random bytes to most of the packets it sends. OS detection (-O) packets are not affected because accuracy there requires probe consistency, but most pinging and portscan packets support this. It slows things down a little, but can make a scan slightly less conspicuous.
Option –ip-options <S|R [route]|L [route]|T|U … >; –ip-options <hex string> (Send packets with specified ip options):
The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In fact, many Internet routers block the most dangerous options such as source routing. Yet options can still be useful in some cases for determining and manipulating the network route to target machines. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute-style approaches fail. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options.
The most powerful way to specify IP options is to simply pass in values as the argument to –ip-options. Precede each hex number with \x then the two digits. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*36\x01 is a hex string containing 36 NUL bytes.
Nmap also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request record-route, record-timestamp, or both options together, respectively. Loose or strict source routing may be specified with an L or S followed by a space and then a space-separated list of IP addresses.
If you wish to see the options in packets sent and received, specify –packet-trace. For more information and examples of using IP options with Nmap, see http://seclists.org/nmap-dev/2006/q3/0052.html.
Option –ttl <value> (Set IP time-to-live field):
Sets the IPv4 time-to-live field in sent packets to the given value.
Option –randomize-hosts (Randomize target host order):
Tells Nmap to shuffle each group of up to 8096 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. If you want to randomize over larger group sizes, increase PING_GROUP_SZ in nmap.h and recompile. An alternative solution is to generate the target IP list with a list scan (-sL -n -oN filename), randomize it with a Perl script, then provide the whole list to Nmap with -iL.
Option –spoof-mac <mac address, prefix, or vendor name> (Spoof MAC address):
Asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. This option implies –send-eth to ensure that Nmap actually sends ethernet-level packets. The MAC given can take several formats. If it is simply the string “0”, Nmap chooses a completely random MAC for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If less than 12 hex digits are provided, Nmap fills in the remainder of the 6 bytes with random values. If the argument isn’t a 0 or hex string, Nmap looks through nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor’s OUI (3-byte prefix) and fills out the remaining 3 bytes randomly. Valid –spoof-mac argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.
Option –badsum (Send packets with bogus TCP/UDP checksums):
Asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn’t bother to verify the checksum. For more details on this technique, see http://www.phrack.org/phrack/60/p60-0x0c.txtHacking Hacking Linux News News Software Review Hacking Tools News Nmap Software Review