Hacker Kayra
  • 📍Introduction Page
  • ⭐Learning Process
    • 🧠Learning Mindset
    • 🖇️Learning Dependencies
    • 🧮Learning Process
  • 🔠Fundamentals
    • 🛜Networking Fundamentals
    • 🐧Linux Fundamentals
    • 🪟Windows Fundamentals
    • 🕵️Active Directory
    • 🕸️Introduction to Web Applications
    • 🗃️Other Useful Concepts
      • Regular Expressions (RegEx)
    • Cyber Security Products
      • Lab Setup
      • ✅Fortigate Firewall
      • MDM Lab
      • IAM Lab
      • PAM Lab
      • DLP Lab
  • 🧰Tools
    • Nmap
    • Nessus
    • Ffuf
    • Hydra
    • John The Ripper
  • ✍️Write Ups
    • 🗃️Hack The Box Machines
      • 🐧Linux
        • Code
    • 🗃️Proving Grounds Boxes
      • 🐧Linux
        • Stapler
        • eLection
        • Loly
        • Blogger
        • Potato
        • Amaterasu
        • Exfiltrated
        • Pelican
        • Astronaut
        • Cockpit
        • Levram
        • Extplorer
        • LaVita
        • pc
        • Scrutiny
        • Zipper
        • Flu
        • Twiggy
        • Codo
        • Crane
        • Hub
        • BlackGate
        • Boolean
        • ClamAV
        • PayDay
        • Snookums
        • Bratarina
        • Nibbles
      • 🪟Windows
        • Algernon
        • AuthBy
        • Craft
        • Kevin
        • Squid
        • Jacko
        • DVR4
        • Hepet
        • Shenzi
        • Nickel
        • Slort
        • MedJed
        • Active Directory
          • Access
          • Vault
    • 🪪Certificates
      • Certified Professional Penetration Tester (eCPPTv3)
      • Web Application Penetration Tester eXtreme (eWPTXv3)
    • 🚩CTF Events
      • Cyber Hub 2025 CTF
  • 📚Study Notes
    • Penetration Tester (HTB CPTS)
      • Penetration Testing Process
      • Reconnaissance, Enumeration & Attack Planning
        • Network Enumeration with Nmap (Continue Here)
        • Footprinting (Just Do Formatting)
        • Vulnerability Scanning (Check)
        • File Transfers
        • Using the Metasploit Framework
        • Web Information Gathering
        • Shells & Payloads
      • Exploitation & Lateral Movement
        • Attacking Common Services (Just Do Formatting)
        • Password Attacks
        • Active Directory Enumeration & Attacks (TBC)
        • Pivoting, Tunneling, and Port Forwarding
      • Web Exploitation
        • Using Web Proxies (Check)
        • Attacking Web Applications With Ffuf (Check)
        • Login Bruteforcing
        • Cross-Site Scripting (XSS)
        • Command Injection
        • SQL Injection
        • File Upload Attacks
        • File Inclusion
        • Web Attacks (Check)
        • Attacking Common Applications (Check)
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation (TBC)
      • Documentation & Reporting
  • 🧑‍💻Other
    • Leet Code
      • Quick Guide: Big-O Notation
      • Problem 01 - Two Sum
    • Data Structure & Algorithms (DSA)
  • 🗄️Archive/Backup/Bin
    • Sysmon Usecases (IBM)
    • 🐧Linux Fundamentals (TryHackMe)
      • Introduction
      • Basic Commands
      • Wildcards & Operators
      • Permissions
      • Common Directories
      • Terminal Text Editors
      • General/Useful Utilities
    • 🪟Windows Fundamentals (TryHackMe)
      • Introduction
      • The File System
      • User Accounts
      • Settings & Control Panel & Task Manager
      • System Configuration
    • Active Directory (TryHackMe)
      • Breaching Active Directory
    • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
      • Book 2 - Intrusion Analysis
        • Credential Theft
        • Event Log Analysis for Responders and Hunters
    • Certified Threat Hunting Professional (eCTHPv2)
      • Threat Hunting: Hunting the Endpoint & Endpoint Analysis
        • Event IDs, Logging, & SIEMs
    • OSCP
      • Report Writing
      • ✅Passive Information Gathering
      • ✅Active Information Gathering
      • ✅Vulnerability Scanning
      • Introduction to Web Application Attacks
      • Common Web Application Attacks
        • ✅Cross-Site Scripting (XSS)
        • ✅Directory Traversal
        • ✅File Inclusion
        • ✅File Upload Vulnerabilities
        • Command Injection
        • SQL Injection Attacks
        • Client Side Attacks
      • ✅Locating Public Exploits
      • ✅Exploiting Walkthrough
      • Fixing Exploits
      • ✅Antivirus Evasion
      • Password Attacks
      • Windows Privilege Escalation
      • Linux Privilege Escalation
      • Port Redirection and SSH Tunneling
      • Tunneling Through Deep Packet Inspection
      • The Metasploit Framework
      • Active Directory Introduction & Enumeration
      • Attacking Active Directory Authentication
      • Lateral Movement in Active Directory
      • Assembling the Pieces
      • Other General Information
    • ⚡Port Swigger (Web Penetration Testing)
      • ✅Information Disclosure
      • ✅Path Traversal (Directory Traversal)
      • ✅OS Command Injection
      • Business Logic Vulnerabilities
      • ✅Authentication
      • ✅Access Control
    • Certified Bug Bounty Hunter (CBBH)
      • Web Requests
        • HTTP Fundamentals
    • Getting Started
      • Introduction
      • Pentesting Basics
    • Certified Penetration Testing Specialist (CPTS)
      • Introduction
        • ✅Penetration Testing Process
          • Penetration Testing Overview
          • Laws & Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
          • Academy Module Layout
        • Getting Started with Hack The Box (HTB)
      • Reconnaissance, Enumeration & Attack Planning
        • ✅Network Enumeration with Nmap
          • Enumeration & Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving The Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Scanning Performance
          • Firewall and IDS/IPS Evasion
        • Footprinting
        • ✅Information Gathering - Web Edition
          • Introduction
          • Passive Information Gathering
          • Active Information Gathering
        • Vulnerability Assessment
        • File Transfers
        • Shells & Payloads
        • Using the Metasploit Framework
      • Exploitation & Lateral Movement
        • Password Attacks
        • Attacking Common Services
        • Pivoting, Tunneling, and Port Forwarding
        • Active Directory Enumeration & Attacks
      • Web Exploitation
        • Using Web Proxies
        • ✅Attacking Web Applications with Ffuf
        • ✅Login Brute Forcing
        • SQL Injection Fundamentals
        • SQLMap Essentials
        • Cross-Site Scripting (XSS)
        • File Inclusion
        • File Upload Attacks
        • Command Injections
        • Web Attacks
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • Reporting & Capstone
        • Documentation & Reporting
        • Attacking Enterprise Networks
    • Old Active Directory
    • Tib3rius Privilege Escalation
      • Linux Privilege Escalation
    • HTB Archived Write-Ups (Check)
      • Irked
      • Nibbles
      • Brainfuck
      • Lame (Check)
    • 📋Cheat Sheets
      • Penetration Testing Cheat Sheet (In Progress)
Powered by GitBook
On this page
  • Introduction
  • Firewalls
  • IDS/IPS
  • Determine Firewalls and Their Rules
  • Detecting IDS/IPS
  • Decoys
  • DNS Proxying
  1. Archive/Backup/Bin
  2. Certified Penetration Testing Specialist (CPTS)
  3. Reconnaissance, Enumeration & Attack Planning
  4. Network Enumeration with Nmap

Firewall and IDS/IPS Evasion

Introduction

  • Nmap gives us many different ways to bypass firewalls rules and IDS/IPS.

  • These methods include the fragmentation of packets, the use of decoys, and others.

Firewalls

  • A firewall is a security measure against unauthorized connection attempts from external networks.

  • Every firewall security system is based on a software component that monitors network traffic between the firewall and incoming data connections and decides how to handle the connection based on the rules that have been set.

IDS/IPS

  • The intrusion detection system (IDS) and intrusion prevention system (IPS) are also software-based components.

  • IDS scans the network for potential attacks, analyzes them, and reports any detected attacks.

  • IPS complements IDS by taking specific defensive measures if a potential attack should have been detected.

  • The analysis of such attacks is based on pattern matching and signatures. If specific patterns are detected, such as a service detection scan, IPS may prevent the pending connection attempts.

Determine Firewalls and Their Rules

  • When a port is shown as filtered, it can have several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped, or rejected.

  • The dropped packets are ignored, and no response is returned from the host.

  • This is different for rejected packets that are returned with an RST flag. These packets contain different types of ICMP error codes or contain nothing at all.

  • Such errors can be:

    • Net Unreachable

    • Net Prohibited

    • Host Unreachable

    • Host Prohibited

    • Port Unreachable

    • Proto Unreachable

  • Nmap's TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag.

  • Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

Detecting IDS/IPS

  • Unlike firewalls and their rules, the detection of IDS/IPS systems is much more difficult because these are passive traffic monitoring systems.

  • IDS systems examine all connections between hosts. If the IDS finds packets containing the defined contents or specifications, the administrator is notified and takes appropriate action in the worst case.

  • IPS systems take measures configured by the administrator independently to prevent potential attacks automatically.

  • It is essential to know that IDS and IPS are different applications and that IPS serves as a complement to IDS.

  • Several virtual private servers (VPS) with different IP addresses are recommended to determine whether such systems are on the target network during a penetration test.

  • If the administrator detects such a potential attack on the target network, the first step is to block the IP address from which the potential attack comes. As a result, we will no longer be able to access the network using that IP address.

  • One method to determine whether such IPS system is present in the target network is to scan from a single host (VPS). If at any time this host is blocked and has no access to the target network, we know that the administrator has taken some security measures. Accordingly, we can continue our penetration test with another VPS. Consequently, we know that we need to be quieter with our scans and, in the best case, disguise all interactions with the target network and its services.

Decoys

  • There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice.

  • With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent.

  • With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses.

  • Example: sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

  • The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range.

  • We can also manually specify the source IP address (-S) to test if we get better results with this one.

  • Example (-e is used to specify the interface that the packets are going to go through): sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

  • By default, Nmap performs a reverse DNS resolution unless otherwise specified to find more important information about our target.

  • These DNS queries are also passed in most cases because the given web server is supposed to be found and visited.

  • The DNS queries are made over the UDP port 53. The TCP port 53 was previously only used for the so-called "Zone transfers" between the DNS servers or data transfer larger than 512 bytes (More and more, this is changing due to IPv6 and DNSSEC expansions. These changes cause many DNS requests to be made via TCP port 53.)

  • However, Nmap still gives us a way to specify DNS servers ourselves (--dns-server <Name Server> <Name Server>). This method could be fundamental to us if we are in a demilitarized zone (DMZ).

  • The company's DNS servers are usually more trusted than those from the Internet. So, for example, we could use them to interact with the hosts of the internal network.

  • As another example, we can use TCP port 53 as a source port (--source-port) for our scans. If the administrator uses the firewall to control this port and does not filter IDS/IPS properly, our TCP packets will be trusted and passed through.

  • Example (-n disables DNS resolution): sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

PreviousScanning PerformanceNextFootprinting

Last updated 3 months ago

🗄️
✅