Firewall & IDS/IPS Evasion
Firewalls and IDS/IPS aim to block or detect unauthorized scanning. Nmap offers evasion techniques such as TCP flag manipulation, packet fragmentation, spoofing, and decoys.
Detecting Firewalls
When ports show as filtered, packets are usually being dropped by firewall rules. Pairing a SYN scan with an ACK scan shows how the firewall treats each port and whether it filters SYN packets statefully.
ACK Scan (vs SYN):
SYN scan:
sudo nmap <target> -p21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace
ACK scan against the same ports:
sudo nmap <target> -p21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace
Notes:
- RST reply on ACK = port is unfiltered (not necessarily open)
- No reply = packet dropped = filtered
Detecting IDS/IPS
IDS logs and alerts; IPS blocks. To test for IPS:
- Scan from VPS A.
- If blocked, switch to VPS B.
- If the block repeats consistently, an IPS is likely present.
Decoy Scanning
Hide the real source IP among spoofed decoy addresses (-D RND:5 generates five random decoys).
sudo nmap <target> -p80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
Tip: Use live IPs as decoys. Dead IPs might trigger SYN flood defenses.
Spoofed Source IP
Bypass subnet restrictions or test firewall behaviour by sending from a chosen source address. Replies go to the spoofed address, so results are only visible if you can observe that traffic; -e selects the interface to send from.
sudo nmap <target> -p445 -O -n -Pn -S <spoofed-source-ip> -e tun0
DNS Proxying / Source Port Spoofing
Some firewalls trust traffic from the DNS port (53); sending from that source port can pass such filters.
sudo nmap <target> -p50000 -sS -Pn -n --disable-arp-ping --packet-trace
The above command is a normal SYN scan (port shows as filtered).
sudo nmap <target> -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
The above command is a SYN scan sent from source port 53.
ncat -nv --source-port 53 <target> 50000
The above command is a manual connection from source port 53 using Netcat.
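From the defender's side, the weakness above is a rule that trusts any packet with source port 53. The following added example (not from the original page) parses constructed netfilter-style firewall log lines and flags the giveaway of this trick: a fresh TCP SYN arriving *from* port 53, which a real DNS server never sends (it only answers from 53 with SYN/ACK, ACK or data).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of netfilter-style log lines (not real traffic): a SYN scan
# from source port 53 against high ports, mixed with legitimate DNS traffic.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=53 DPT=50000 SYN
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=53 DPT=50001 SYN
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.5 PROTO=TCP SPT=53 DPT=41234 ACK
Jan  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.5 PROTO=UDP SPT=53 DPT=41235
Jan  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.5 PROTO=TCP SPT=40222 DPT=22 SYN
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN|URG|PSH)\b")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset


def parse_line(line: str) -> Optional[Packet]:
    """Extract addresses, ports and TCP flags from one netfilter log line."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "SPT", "DPT"}.issubset(fields):
        return None
    tail = line.split("DPT=", 1)[1]  # TCP flag words follow the DPT field
    return Packet(fields["SRC"], fields["DST"], fields["PROTO"],
                  int(fields["SPT"]), int(fields["DPT"]),
                  frozenset(FLAG_RE.findall(tail)))


def is_source_port_spoof(pkt: Packet) -> bool:
    """A SYN without ACK from port 53 means a client picked 53 as its own port;
    DNS servers only ever reply from 53, so this is a source-port spoof."""
    return (pkt.proto == "TCP" and pkt.sport == 53
            and "SYN" in pkt.flags and "ACK" not in pkt.flags)


def find_spoofed_syns(log_text: str) -> List[Packet]:
    """Return every logged packet that trips the heuristic."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None and is_source_port_spoof(pkt):
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_syns(SAMPLE_LOG):
        print(f"spoofed-source-port SYN: {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}")
```

The fix on the firewall is the same check made stateful: only allow port-53 traffic that belongs to an established or related connection, never a bare inbound SYN.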
Pro Tip: Combine stealth techniques (e.g., decoys + timing + source-port) to evade both firewall rules and detection thresholds of IDS/IPS.