Firewall/IDS Evasion

2.4. Firewall/IDS Evasion

Many of the techniques studied so far could be detected and blocked by either firewalls or IDSs on the target network. This causes two main issues:

  • Becoming exposed

  • Obtaining incorrect results

During the host discovery and scan phase, a number of firewall/IDS evasion techniques must be applied if stealth is a requirement.

Tools like nmap offer options that can be used for this purpose; however, it is important to know that subverting IDS and firewall systems takes both skill and experience.

We will look at some of these techniques:

  • Fragmentation

  • Decoys

  • Timing

  • Source ports

2.4.1. Fragmentation

Caution: modern IDSs are able to reassemble fragmented packets, which often renders this technique ineffective.

Nmap command:

nmap -sS -f targetIP

Description:

  • -sS executes a SYN scan

  • -f tells nmap to fragment the packets

Note that fragmentation does not work very well with these types of scan:

  • -sT (TCP connect() scan)

  • -sV (Version detection)

Notice that instead of -f we can use --mtu to specify a custom MTU (fragment size). It is important to know that the offset must be a multiple of 8.

2.4.2. Decoys

The aim of using decoys is to add noise to the IDS by sending scans from spoofed IP addresses. As a result, a list of forged IPs (decoys) appears on the IDS alongside the real attacker's IP. This confuses the analyst watching the system and makes it harder to identify the actual attacker.

In order to work, a decoy attack requires the following:

  1. All decoys are up and running (otherwise it is easy to determine the real attacker's IP)

  2. The real IP address should appear in a random position to the IDS (otherwise it is easy to infer the real attacker's IP)

  3. The ISPs traversed by the spoofed traffic let it through

Using this technique, your IP will still appear in the IDS alert list, but it will be among all the decoy IP addresses. This is what makes it more difficult to determine which system actually initiated the scan.

We can execute this scan with nmap using the -D option (no spaces between the IPs and the commas):

nmap -sS -D [DecoyIP#1],[DecoyIP#2],[DecoyIP#3],ME [target]

Description:

  • The ME keyword defines the position of our real IP address among the decoys. If it is not specified, nmap will put your IP in a random position.

The decoy attack cannot be used with -sT and -sV scans (these use a full connect scan).

2.4.3. Timing

The only purpose of a timing attack is to slow down the scan so that it blends in with other traffic in the firewall/IDS logs. It does not modify the packets at all.

You can define the interval between two scan probes, thus decreasing the chances of being noticed.

In the nmap manual, this technique is not listed in the Firewall/IDS evasion and spoofing section; it is listed in the timing and performance section:

TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel hostscan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
  --max-retries <tries>: Caps number of port scan probe retransmissions.

To perform a timing scan with nmap we can use the -T option in this way:

nmap -sS -T[0-5] [target]

The following table explains the differences between the -T0 to -T5 timing templates:

  Option   Template     Time (interval between probes)
  -T0      Paranoid     5 min
  -T1      Sneaky       15 sec
  -T2      Polite       0.4 sec
  -T3      Normal       default
  -T4      Aggressive   10 msec
  -T5      Insane       5 msec

You can also add -p [port1],[port2],[port3] to specify which ports to scan.

2.4.4. Source ports

Although this method is very simple, it can be used to abuse poorly configured firewalls that allow traffic coming from certain source ports.

For example, a firewall may allow only traffic coming from specific source ports, such as 53 (DNS replies) or 20 (active FTP). We can then simply change our source port in order to bypass this restriction.

Nmap allows us to fix the source port during scans such as -sS and -sU. To use this feature, we can simply use either of the following two options:

  • --source-port [portnumber]

  • -g [portnumber]

With the following command we run a TCP SYN scan in which all probes are sent from source port 53:

nmap -sS --source-port 53 [target]
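As an added detection-side example (not part of the original notes), the following Python script parses constructed firewall log lines and flags two of the techniques above: fragmented SYN probes whose first fragment is too small to carry a TCP header (the -f case from 2.4.1) and SYNs from a "trusted" source port such as 53 fanning out across many destination ports (the --source-port case). The log format, field names, addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample firewall log (one key=value record per packet); not real traffic.
# "-" marks L4 fields that are absent because a non-first fragment carries no TCP header.
SAMPLE_LOG = """\
src=198.51.100.7 dst=192.0.2.10 proto=tcp ipid=4242 frag_off=0 mf=1 ip_len=28 sport=44821 dport=22
src=198.51.100.7 dst=192.0.2.10 proto=tcp ipid=4242 frag_off=1 mf=1 ip_len=28 sport=- dport=-
src=198.51.100.7 dst=192.0.2.10 proto=tcp ipid=4242 frag_off=2 mf=0 ip_len=28 sport=- dport=-
src=203.0.113.5 dst=192.0.2.10 proto=tcp frag_off=0 mf=0 ip_len=44 sport=53 dport=22 flags=S
src=203.0.113.5 dst=192.0.2.10 proto=tcp frag_off=0 mf=0 ip_len=44 sport=53 dport=80 flags=S
src=203.0.113.5 dst=192.0.2.10 proto=tcp frag_off=0 mf=0 ip_len=44 sport=53 dport=443 flags=S
src=203.0.113.9 dst=192.0.2.10 proto=udp frag_off=0 mf=0 ip_len=80 sport=53 dport=41000
src=203.0.113.11 dst=192.0.2.10 proto=tcp frag_off=0 mf=0 ip_len=44 sport=40001 dport=80 flags=S
"""

IP_HDR_LEN = 20            # IPv4 header without options (assumed for the sample)
TCP_HDR_LEN = 20           # minimum TCP header; nmap -f splits it into 8-byte pieces
TRUSTED_SPORTS = {20, 53}  # source ports a lax "allow replies" firewall rule might trust

def parse(log):
    """Turn key=value lines into dicts; numeric fields become int, '-' becomes None."""
    records = []
    for line in log.strip().splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        for key in ("frag_off", "mf", "ip_len", "sport", "dport"):
            rec[key] = None if rec.get(key, "-") == "-" else int(rec[key])
        records.append(rec)
    return records

def tiny_first_fragments(records):
    """Flag TCP first fragments (offset 0, MF set) too small to hold a full TCP header."""
    # A legitimate first fragment carries the whole L4 header; an 8-byte piece cannot.
    hits = []
    for r in records:
        if r["proto"] == "tcp" and r["frag_off"] == 0 and r["mf"] == 1:
            payload = r["ip_len"] - IP_HDR_LEN
            if payload < TCP_HDR_LEN:
                hits.append((r["src"], r["dst"], payload))
    return hits

def trusted_port_sweeps(records, threshold=3):
    """Flag SYNs from a trusted source port that fan out to >= threshold destination ports."""
    # Genuine DNS replies are UDP (or one TCP session), not SYNs to a spread of services.
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["sport"] in TRUSTED_SPORTS and r.get("flags") == "S":
            seen[(r["src"], r["dst"], r["sport"])].add(r["dport"])
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= threshold}
```

The UDP record from port 53 and the SYN from an ephemeral port are deliberately left unflagged, so the rules do not fire on ordinary DNS replies or normal client connections.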

These are just a few of the techniques an attacker can use to evade firewall/IDS detection.

You can learn more about nmap options from their online manual.
