Scan networks using Nmap | Nmap detailed Tutorial | Bypass firewall using Nmap | stealth scan

FreakyDodo
7 min readJun 2, 2021


Hey hackers!!!

We have already discussed the basic Nmap commands and the Nmap cheat sheet, which I believe helped you perform scans on networks. Today we are going to discuss some more Nmap commands, such as stealth scans, OS detection, the zombie scan, firewall bypassing commands and many more.

Before we begin with network scanning: if you want to host your own website, whether for projects or for business, at minimal cost, BlueHost provides hosting for only $3/month.

TCP Connect Scan

The first scan we will look at is the TCP connect scan. This scan is often considered the most basic and stable of all the port scans because it actually completes the three-way handshake and then tears down the connection gracefully.

nmap -sT 192.168.1.3

We have discussed this command before, but for better understanding I have also used Wireshark to record the behavior of the packets.

You can see from the Wireshark output above that it actually completed the three-way handshake.

TCP SYN Scan

The SYN scan is arguably the most popular Nmap port scan. It is the default Nmap scanning technique, i.e. even if you don’t specify the “-s” switch, Nmap will use the SYN scan by default.

The SYN scan is faster than the TCP connect scan.

nmap -sS -p 2869 192.168.1.3

As you can see, I have also used the “-p” switch, which allows you to scan a specific port (2869 in this case, which is intentionally left open).

Below is the Wireshark output for the same.

NULL, FIN and XMAS Scans

NULL, FIN and XMAS scans are similar to each other. The major advantage of using these scans in a pentest is that they often get past firewalls and IDS, and they can be really beneficial against Unix-based OSes, as all three of these scans do not work against Windows OS.

NULL Scan

A NULL scan is accomplished by setting no flags in the TCP header. If no response comes, it means that the port is open; if an RST packet is received, it means that the port is closed or filtered.

To perform a NULL scan, type the command below:

nmap -sN 192.168.1.3

FIN Scan

A FIN flag is used to close a currently open session. In a FIN scan the sender sends a packet with the FIN flag to the target machine. If no response comes from the target machine, it means that the port is open; if the target responds with an RST packet, it means that the port is closed.

To perform a FIN scan, type the command below:

nmap -sF 192.168.1.3

XMAS Scan

The XMAS scan sends a combination of the FIN, URG and PUSH flags to the destination.

The XMAS scan works just like the FIN and NULL scans: if there is no response the port is open, and if an RST packet is received the port is closed.

Command to perform an XMAS scan:

nmap -sX 192.168.1.3

TCP ACK Scan

The ACK scan is not used for port scanning purposes. It is commonly used to determine the firewall and ACL (access list) rules and whether the firewall is able to keep track of the connections that are being made.

It sends an ACK packet; if there is no response, this means the firewall is stateful and is filtering your packets.

If you receive an RST packet, it means that the packet reached the destination.

To perform an ACK scan, type:

nmap -sA 192.168.1.3
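As an added example (not part of the original post), here is the detection side of the SYN, NULL, FIN, XMAS and ACK probes described above: a small Python classifier that maps each packet’s TCP flag byte to the scan that produces it and reports sources touching many distinct ports. The packet records and the port threshold are constructed for the demo.

```python
# Added example: classify TCP probe packets by flag combination, the way an IDS
# signature for Nmap's -sS/-sN/-sF/-sX/-sA scans does, then flag sources that
# touch many distinct ports. The packet records below are constructed.
from collections import defaultdict

# TCP flag bits as they appear in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags: int) -> str:
    """Map a raw TCP flag byte to the Nmap scan type that produces it."""
    if flags == 0:
        return "NULL"                      # -sN: no flags at all
    if flags == FIN:
        return "FIN"                       # -sF
    if flags == FIN | PSH | URG:
        return "XMAS"                      # -sX
    if flags == SYN:
        return "SYN"                       # -sS, or the first packet of -sT
    if flags == ACK:
        return "ACK"                       # -sA (firewall rule mapping)
    return "other"                         # normal mid-connection traffic

def find_scanners(packets, port_threshold=5):
    """Return {src: {scan_type: [ports]}} for sources hitting >= threshold ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "other":
            seen[src][kind].add(dport)
    return {
        src: {k: sorted(v) for k, v in kinds.items() if len(v) >= port_threshold}
        for src, kinds in seen.items()
        if any(len(v) >= port_threshold for v in kinds.values())
    }

# Constructed sample: one host sweeping six ports with a NULL scan, one normal client
SAMPLE = [("10.0.0.9", p, 0) for p in (21, 22, 25, 80, 443, 8080)] + \
         [("10.0.0.20", 443, SYN), ("10.0.0.20", 443, ACK), ("10.0.0.20", 443, ACK | PSH)]

if __name__ == "__main__":
    for src, kinds in find_scanners(SAMPLE).items():
        for kind, ports in kinds.items():
            print(f"{src}: {kind} probes against {len(ports)} ports {ports}")
```

The legitimate client never trips the rule because its SYN/ACK/PSH-ACK sequence is confined to one port; only the no-flag sweep is reported.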

Zombie Scan / IDLE Scan

The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE scan is to use a zombie host to scan another host. This technique is stealthy because the victim host receives packets from the zombie host and not from the attacker’s host.

However, there are some prerequisites for launching this scan:

  1. Finding a good candidate whose IP ID sequence is incremental and recording its IP ID.
  2. The host should be idle on the network.

To find a good candidate for a zombie host you can use hping2 or Metasploit.

Type the following hping2 command to find a candidate:

hping2 -S -r 192.168.1.4

You can also use a Metasploit auxiliary module to figure out a good zombie candidate.

Type “msfconsole” to fire up Metasploit and then type the command below:

use auxiliary/scanner/ip/ipidseq

Next, you need to set the RHOSTS value to the candidate’s IP; you can either specify a range or a single host:

set RHOSTS 192.168.1.4

Finally, issue the “run” command to finish the process.

In the output above the IP ID sequence class is “Randomized”, which means it is not a good candidate for being a zombie; it should be “Incremental”.

Once you have a candidate, you are all set to scan the network via the zombie; type the following command:

nmap -sI <Zombie Address> <Target IP address>
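As an added example (not from the original post), here is the IP ID classification that hping2 -r and the ipidseq module perform, written out in Python so you can audit your own hosts for the predictable IP ID counters that make them usable as a zombie. The class names are modelled on those Nmap and Metasploit report; the sampled ID sequences are constructed.

```python
# Added example: classify a sampled sequence of IP ID values, as hping2 -r or
# Metasploit's ipidseq do, so hosts with predictable (incremental) IP IDs can be
# identified and fixed. Samples below are constructed 16-bit IP ID values.
def ipid_deltas(ids):
    """Differences between consecutive IP IDs, wrapping at the 16-bit boundary."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def byte_swap(i):
    """Swap the two bytes of a 16-bit IP ID (some stacks emit the counter little-endian)."""
    return ((i & 0xFF) << 8) | (i >> 8)

def classify_ipid(ids):
    """Return 'All zeros', 'Incremental', 'Broken little-endian incremental',
    'Randomized', or 'Unknown' when there are too few samples to judge."""
    if len(ids) < 3:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"               # stack never uses the field: not a zombie
    if all(1 <= d <= 5 for d in ipid_deltas(ids)):
        return "Incremental"             # small positive steps: usable zombie, fix this host
    if all(1 <= d <= 5 for d in ipid_deltas([byte_swap(i) for i in ids])):
        return "Broken little-endian incremental"   # still predictable after a swap
    return "Randomized"                  # per-packet random IDs: safe against idle scan

# Constructed samples, one list of observed IP IDs per host
SAMPLES = {
    "host-a": [0x3A01, 0x3A02, 0x3A03, 0x3A04, 0x3A05, 0x3A06],   # global counter
    "host-b": [0x1A00, 0x1B00, 0x1C00, 0x1D00, 0x1E00],           # byte-swapped counter
    "host-c": [0x9F3C, 0x0217, 0xE6A1, 0x4B09, 0x7D55],           # randomized
    "host-d": [0, 0, 0, 0, 0],                                    # all zeros
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print(f"{host}: {classify_ipid(ids)}")
```

Only the "Incremental" (and the byte-swapped variant) result matters for the prerequisite above; a host in the "Randomized" or "All zeros" class cannot serve as a zombie.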

Service Version Detection

So far we have discussed how to figure out which services are running on certain ports. In this section, we will learn to use Nmap to find the exact version of the service running on a port.

To do so, type:

nmap -sV 192.168.1.3

As you can see from the output above, the version of the HTTP service is 2.0.

OS Detection

Nmap has a huge OS fingerprinting database with more than 2600 OS fingerprints.

It sends TCP and UDP packets to the target machine, and the response that is received is compared with the database. If the fingerprint matches, it displays the result.

Command:

nmap -O 192.168.1.3

The output looks like :

The service version detection and OS detection commands are noisy and can be detected by firewalls and IDS.

You can try the “-A” switch instead to perform a stealth scan.

Bypassing Firewall/IDS Techniques

The techniques we have discussed here are very loud in nature and are often detected by firewalls and IDSs. Even scan techniques such as XMAS, NULL etc. are not so accurate, and they do not work on Windows OS, so they have limited advantage.

There are a variety of techniques that can be used to bypass firewalls and IDS.

Fragmented Packets

Here we split the packets into small chunks, making it harder for an IDS or firewall to detect the scan. They can get past the IDS because the IDS would analyze a single fragment but not all the packets.

Command:

nmap -f 192.168.1.3

Here is the Wireshark output of the same:

However, many modern IDSs can reassemble the fragments into a single packet, making them detectable.

Specifying an MTU

MTU stands for Maximum Transmission Unit. The values that can be specified as the MTU must be multiples of 8. Nmap allows us to specify our own MTU, and based on your input, Nmap will generate the packets.

For example, if you specify 8, Nmap will generate 8-byte fragments.

Reviewing the Wireshark output, it only transmitted 8-byte fragments to my target.
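As an added example (not from the original post) covering both the Fragmented Packets and the MTU sections above, this Python snippet splits a TCP header into IP fragments of a chosen size, as nmap -f / --mtu do (the size must be a multiple of 8 because the IPv4 fragment offset field counts 8-byte units), and then reassembles them the way a modern IDS does before matching. The TCP header bytes are constructed; the point is that the flag byte is only visible once the fragments are put back together.

```python
# Added example: fragment an IP payload into multiple-of-8-byte chunks and
# reassemble it, showing why an IDS that inspects a single fragment cannot see
# the TCP flags but one that reassembles first can. The TCP header is constructed.
import struct

def fragment(payload: bytes, size: int):
    """Return [(offset_in_8byte_units, more_fragments, chunk), ...] for an IP payload."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [(i * size // 8, i < len(chunks) - 1, c) for i, c in enumerate(chunks)]

def reassemble(fragments):
    """Rebuild the original payload from fragments arriving in any order."""
    buf = bytearray()
    last_seen = False
    for offset, more, chunk in sorted(fragments, key=lambda f: f[0]):
        start = offset * 8
        if start != len(buf):                 # gap or overlap: not complete, don't match yet
            raise ValueError(f"gap or overlap at byte {start}")
        buf += chunk
        last_seen = last_seen or not more     # the fragment with MF=0 is the last one
    if not last_seen:
        raise ValueError("final fragment missing")
    return bytes(buf)

def tcp_flags(segment: bytes) -> int:
    """The TCP flag byte lives at offset 13 of the TCP header."""
    return segment[13]

# Constructed 20-byte TCP header: sport 40000, dport 80, seq 1, ack 0,
# data offset 5 words, flags = SYN (0x02), window 1024, checksum 0, urgent 0
SYN_HEADER = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)

if __name__ == "__main__":
    frags = fragment(SYN_HEADER, 8)
    print(f"{len(frags)} fragments of 8 bytes; first one alone: {frags[0][2].hex()}")
    # The first fragment carries only the ports and seq; the flag byte is in the second
    print("flags after reassembly: 0x%02x" % tcp_flags(reassemble(reversed(frags))))
```

With a size of 8 the 20-byte header becomes three fragments, and only the reassembled segment exposes the SYN flag that a scan signature keys on.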

Sending Bad Checksums

Checksums are used in the TCP header for error detection. However, we can use incorrect checksums to our advantage. By sending bad/incorrect checksums, we can bypass some firewalls, depending on their rule sets and how they are configured.

To do so, type the following command:

nmap --badsum 192.168.1.3
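As an added example (not from the original post), here is the check a checksum-validating firewall or IDS applies to the packets above: the TCP checksum is recomputed over the IPv4 pseudo-header and the segment, and a segment whose stored checksum does not match is dropped rather than matched against rules. The packet bytes and addresses are constructed.

```python
# Added example: verify the TCP checksum of an IPv4 segment the way a
# checksum-validating firewall does, so --badsum packets are dropped instead of
# inspected. Addresses and the SYN segment are constructed.
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as in RFC 793."""
    if len(data) % 2:
        data += b"\x00"                                  # pad odd length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum field is bytes 16-17
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """What a firewall checks before it bothers to evaluate its rules."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment)

def build_syn(src: bytes, dst: bytes, sport: int, dport: int, checksum=None) -> bytes:
    """Construct a 20-byte SYN segment; a wrong checksum can be forced for testing."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src, dst, hdr)
    return hdr[:16] + struct.pack("!H", checksum) + hdr[18:]

# Constructed addresses 192.168.1.2 -> 192.168.1.3 (the target used in this post)
SRC, DST = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 3])
GOOD = build_syn(SRC, DST, 40000, 80)
BAD = build_syn(SRC, DST, 40000, 80, checksum=0xDEAD)    # stands in for a --badsum packet

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("badsum", BAD)):
        print(f"{name}: {'accept' if checksum_ok(SRC, DST, pkt) else 'drop'}")
```

A host’s TCP stack silently discards the bad-checksum segment too, which is why a reply to such a probe points at a middlebox that answers without validating.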

Decoys

This is the last method that we will discuss. It is very effective when you want stealth. The idea behind this scan is to send spoofed packets from other hosts, which makes it very difficult for the network admin to detect from which host the scan originated.

Note: since decoys have the potential to generate a very large number of packets, they could cause a DoS.

Command:

nmap -D RND:10 192.168.1.3

We have discussed pretty much everything you need to get started with Nmap, but if you are interested in learning more about different types of scanning and evasion techniques, stay tuned; we will discuss more in our upcoming blogs.

Keep Coming for more!!!

Follow me for more such informative blogs.

Thank you.

Written by FreakyDodo

Hey Hackers !! I am Harshit Dodia aka Freaky Dodo , I am a student of Information Technology and Ethical hacking.

No responses yet