Mastering Network Discovery with Nmap
Network scanning is the first step in active reconnaissance. Standard scans such as nmap -sS target work in permissive environments, but corporate firewalls and Intrusion Detection Systems (IDS) commonly block them or raise alerts; the evasion options below exist to get useful results from such networks.
1. SYN Stealth Scan (-sS) vs Connect Scan (-sT)
A SYN scan is Nmap's default when it has raw-socket privileges (run as root) and the most widely used scan type. It is called "half-open" scanning because it never completes the TCP three-way handshake: Nmap sends a SYN, and a SYN/ACK in reply means the port is open, a RST means it is closed, and no response (or an ICMP unreachable) means it is filtered. When a SYN/ACK arrives, the connection is torn down with a RST before the application ever accepts it, so nothing normally reaches the application's own logs (a logging firewall still records every SYN). A connect scan (-sT) uses the operating system's connect() call instead, which completes the handshake; the listening service sees an accepted connection and can log it. Connect scanning is also the only option when Nmap lacks raw-socket privileges.
2. Firewall Evasion Techniques
Here are the key commands to slip past standard firewall filters:
- Fragmenting Packets (-f): Splits each probe into 8-byte IP fragments (-ff uses 16 bytes, --mtu sets a custom multiple of 8), so the TCP header itself spans several packets. This defeats stateless filters that only inspect the first fragment; firewalls and IDS that reassemble before filtering, which most modern ones do, are unaffected.
- Decoys (-D): Mixes your probes with probes that appear to come from decoy addresses, so the target sees several apparent scanners and cannot tell which one is real. Your own address still appears in the traffic; decoys add noise, they do not remove you from the logs. E.g.,
nmap -D RND:10 target
generates 10 random decoy addresses alongside yours. Use decoys that are actually up, or the SYN/ACKs the target sends to unreachable decoys go unanswered and it can end up SYN-flooded; add ME to the list to fix where your real address appears in the sequence. Decoys do not apply to connect scans (-sT) or version detection.
- Source Port Spoofing (--source-port / -g): Firewalls are often configured to allow traffic from specific source ports such as 53 (DNS) or 80 (HTTP). Setting your source port to 53 can bypass poorly configured, stateless filters; a stateful firewall that tracks connections is not fooled. Like fragmentation and decoys, this only affects raw-packet scans, not -sT, version detection or NSE scripts.
# Combined: SYN scan, skip host discovery (-Pn), 8-byte fragments, source port 53,
# two decoys with ME marking where the real address sits in the sequence.
# The decoy hosts must be live; -f, -D and --source-port apply only to raw-packet
# scans such as -sS, not to -sT, version detection (-sV) or NSE scripts.
nmap -sS -Pn -f --source-port 53 -D 192.168.1.5,ME,192.168.1.6 target
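The defensive side of the same traffic, as an added example that is not part of the original article: a small POSIX shell script that triages firewall records in iptables LOG format for the two patterns discussed above, a half-open SYN scan (many distinct destination ports probed with SYN but no ACK from one source) and the --source-port 53 trick (a SYN "from DNS" aimed at a non-DNS port). The log lines, the hostname gw, the rule prefixes FW-DROP and FW-ACCEPT and all addresses (RFC 5737 documentation ranges) are constructed for this example; the script needs only awk and sort.

```shell
#!/bin/sh
# Added example: triage of iptables LOG-style firewall records for the scan
# patterns described in the article. All lines below are CONSTRUCTED with
# documentation addresses; they are not from any real network.
# 203.0.113.7 SYN-scans six ports on 192.168.1.10 from source port 53
# (one probe is repeated); 198.51.100.9 makes one ordinary connection from
# an ephemeral port, and the server's SYN/ACK back to it is logged too.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=1 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=53 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=53 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=53 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=5 PROTO=TCP SPT=53 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=6 PROTO=TCP SPT=53 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TTL=52 ID=7 PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TTL=60 ID=8 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw kernel: FW-ACCEPT: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 LEN=60 TTL=64 ID=9 PROTO=TCP SPT=443 DPT=51234 WINDOW=65160 RES=0x00 ACK SYN URGP=0'

# syn_scan_sources THRESHOLD
#   Reads log lines on stdin and prints "SRC <distinct-port-count>" for each
#   source whose SYN-only segments (SYN set, ACK clear, so SYN/ACK replies
#   are ignored) reached at least THRESHOLD distinct destination ports.
#   Repeated probes of the same port count once. A connect scan (-sT) looks
#   identical here; it differs only in the target application's own logs.
syn_scan_sources() {
  awk -v thr="$1" '
    /PROTO=TCP/ && / SYN / && !/ ACK / {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") seen[src "," dpt] = 1
    }
    END {
      for (k in seen) { split(k, a, ","); n[a[1]]++ }
      for (s in n) if (n[s] + 0 >= thr + 0) print s, n[s]
    }' | sort
}

# spoofed_source_port_probes
#   Prints "SRC SPT DPT" (deduplicated) for SYN-only segments whose source
#   port is a well-known service port (53, 80, 443) but whose destination
#   port is a different service. Real clients use ephemeral source ports,
#   so a SYN "from DNS" aimed at 22 or 445 is the --source-port 53 trick.
#   The ACK exclusion keeps a server's own SYN/ACK from port 443 out.
spoofed_source_port_probes() {
  awk '
    /PROTO=TCP/ && / SYN / && !/ ACK / {
      src = ""; spt = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^SPT=/) spt = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if ((spt == "53" || spt == "80" || spt == "443") && dpt != spt)
        print src, spt, dpt
    }' | sort -u
}

# count_lines: portable line count without the leading blanks some wc print.
count_lines() { awk 'END { print NR }'; }

# Stand-alone demo on the constructed log.
echo "Sources probing 5+ distinct ports with bare SYNs:"
printf '%s\n' "$SAMPLE_LOG" | syn_scan_sources 5
echo "SYNs from a service source port to a different service port:"
printf '%s\n' "$SAMPLE_LOG" | spoofed_source_port_probes
```

Two limits follow directly from the article's own techniques. Decoy traffic shows up here as additional sources with the same destination-port set and timing as the real scanner, so the scanner is hidden in a crowd, not removed from the output. Fragmented probes (-f) are reassembled by a Linux netfilter host before the LOG rule sees them, so they are recorded like any other SYN; only a filter that never reassembles is blind to them. And none of this works if the firewall does not log dropped SYNs in the first place.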
Warning
Only perform scans against networks you own or have explicit, written authorization to test. Unauthorized port scanning is illegal in many jurisdictions.