How to detect and bypass network protection systems
The basic function of Nmap is to generate custom packets, send them to the remote hosts, and analyze the responses. Network protection systems such as firewalls and intrusion detection and prevention systems sometimes block this traffic. In this recipe, we will discuss some of the methods that can be used to bypass these protections:
- -f (Fragment packets): Most firewalls perform stateful and stateless packet inspection: they examine the content of each packet and decide whether to allow or drop it based on that content. To bypass this, Nmap provides an option to split its probes into small IP fragments, so that a network device which inspects fragments individually cannot reconstruct the packet to read the correct contents, thereby bypassing the protection. A device that reassembles fragments before inspecting them is not affected by this technique.
- --mtu (Maximum transmission unit specification): This works similarly to the preceding method, but lets you choose the fragment size. The value passed to --mtu must be a multiple of 8, such as 8, 16, 24, 32, and so on; Nmap then creates fragments of that size, thereby bypassing the protection.
- -D (decoy address): This option makes Nmap send its probes alongside similar probes that appear to come from one or more decoy addresses. The target sees the same traffic from multiple source IP addresses, which makes it difficult for the network protection system to determine the true source of the scan.
- --source-port (Source port specification): If the network device is configured to block traffic that Nmap sends from a specific source port, setting a random port number with this option allows you to bypass that rule on the network protection system.
- --data-length (Random data append): This option appends extra random data to the packets Nmap generates, so each probe carries a lot of unnecessary random bytes, making it more difficult for the network protection system to recognize and block the traffic.
- --randomize-hosts (Randomizing hosts): This option makes Nmap scan the target hosts in random order instead of sequentially, producing traffic without an obvious pattern, which the network protection system might not notice.
- --spoof-mac (MAC address spoofing): This option lets the user present a different MAC address and so bypass any MAC address restriction put in place by the network protection systems. Since the MAC address is only visible on the local network segment, this option only matters when scanning from the same segment as the target.
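As an added example for the fragmentation options (-f and --mtu) above, not code from the book: the detector below parses constructed IPv4 fragments and flags the tiny-fragment pattern those options produce, following the two checks described in RFC 1858 (a first fragment too small to hold the TCP header, and a fragment at offset 8 that can overwrite its flags). All function names and the sample addresses are assumptions made here.

```python
import struct
from typing import List, Optional

IP_PROTO_TCP = 6
TCP_HEADER_MIN = 20  # minimal TCP header: ports, seq, ack, offset, flags, window

def build_ipv4(payload: bytes, offset_units: int, more_fragments: bool) -> bytes:
    """Wrap payload in a constructed 20-byte IPv4 header (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, IP_PROTO_TCP, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a fragment check needs from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "proto": proto,
            "payload": pkt[ihl:total_len]}

def suspicious_fragment(pkt: bytes) -> Optional[str]:
    """Return why a fragment looks like tiny-fragment evasion, or None (RFC 1858 checks)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IP_PROTO_TCP or not (ip["mf"] or ip["offset"]):
        return None  # unfragmented or non-TCP: nothing to check here
    if ip["offset"] == 0 and len(ip["payload"]) < TCP_HEADER_MIN:
        return "first fragment too small to hold a full TCP header (flags hidden)"
    if ip["offset"] == 8:
        return "fragment at offset 8 can overwrite the TCP flags of the first fragment"
    return None

def tcp_syn_header(sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP SYN header (checksum left 0) used as sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 1024, 0, 0)

def fragment(payload: bytes, size: int = 8) -> List[bytes]:
    """Model the 8-byte IP fragmentation that -f produces (size must be a multiple of 8)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [build_ipv4(c, (i * size) // 8, i < len(chunks) - 1)
            for i, c in enumerate(chunks)]

if __name__ == "__main__":
    for frag in fragment(tcp_syn_header()):
        print(parse_ipv4(frag)["offset"], suspicious_fragment(frag))
```

The same check applied to a live capture or firewall log would flag the first two fragments of every -f probe while leaving ordinary unfragmented traffic alone.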