# 4. Scan beyond Firewalls and IDS

Techniques to evade an IDS/firewall:

* **Packet Fragmentation**: Send fragmented probe packets to the intended target, which reassembles them after receiving all the fragments
* **Source Routing**: Specify the routing path for the malformed packet to reach the intended target
* **Source Port Manipulation**: Replace the actual source port with a common source port (such as 80) to evade the IDS/firewall
* **IP Address Decoy**: Generate or manually specify decoy IP addresses so that the IDS/firewall cannot determine the actual source IP address
* **IP Address Spoofing**: Change the source IP address so that the scan appears to come from someone else
* **Creating Custom Packets**: Send custom-crafted packets to scan the intended target beyond the firewall
* **Randomizing Host Order**: Scan the hosts in the target network in random order to reach the intended target lying beyond the firewall
* **Sending Bad Checksums**: Send packets with bad or bogus TCP/UDP checksums to the intended target
* **Proxy Servers**: Use a chain of proxy servers to hide the actual source of the scan and evade certain IDS/firewall restrictions
* **Anonymizers**: Use anonymizers to bypass Internet censors and evade certain IDS and firewall rules

## 1. Various Firewall Evasion techniques with nmap

### Fragmented scan

```
nmap -f 192.168.18.110
```

### Use common source ports

```
nmap -g 80 192.168.18.110
```

It sends the probes from a common source port (here 80), so a firewall that trusts traffic from that port lets the scan through.

### Sending smaller packets to scan

```
nmap --mtu 8 192.168.18.110
```

Fragments the probes so that each fragment carries at most 8 bytes of data (the --mtu value must be a multiple of 8).

### Decoy scan

```
nmap -D RND:10 192.168.18.110
```

The decoy scan mixes the real source IP with 10 randomly generated decoy addresses (RND:10), so the target sees the probes coming from many hosts and cannot tell which one is the actual scanner.

### Spoof mac

```
nmap -sT -Pn --spoof-mac 0 192.168.18.110
```

{% hint style="info" %}
-sT TCP connect scan

-Pn skip host discovery (treat the host as up)

\--spoof-mac 0 use a random MAC address
{% endhint %}
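As an added example (not part of the original notes), the following Python detector shows, from the defender's side, what the fragmented (-f / --mtu), common-source-port (-g 80) and decoy (-D RND:10) scans above look like in firewall logs. It assumes a simplified iptables-LOG-like line format with constructed sample lines, and the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=(\S+)")
TRUSTED_SRC_PORTS = {20, 53, 80}   # ports a naive "allow replies from services" rule trusts
DECOY_MIN_SOURCES = 5              # distinct sources probing one port in one time slot (assumed)
# Constructed sample in a simplified iptables-LOG-like format (T = seconds); not a real capture.
# Lines 1-5 mimic -D RND decoys, line 6 mimics -g 80, lines 7-8 mimic -f / --mtu 8 fragments.
SAMPLE_LOG = """\
T=1 SRC=203.0.113.7 DST=192.168.18.110 PROTO=TCP SPT=44123 DPT=22 SYN
T=1 SRC=198.51.100.3 DST=192.168.18.110 PROTO=TCP SPT=44123 DPT=22 SYN
T=1 SRC=198.51.100.9 DST=192.168.18.110 PROTO=TCP SPT=44123 DPT=22 SYN
T=1 SRC=192.0.2.44 DST=192.168.18.110 PROTO=TCP SPT=44123 DPT=22 SYN
T=1 SRC=192.0.2.45 DST=192.168.18.110 PROTO=TCP SPT=44123 DPT=22 SYN
T=2 SRC=203.0.113.7 DST=192.168.18.110 PROTO=TCP SPT=80 DPT=445 SYN
T=3 SRC=203.0.113.7 DST=192.168.18.110 PROTO=TCP MF FRAG=0 SPT=51000 DPT=139 SYN
T=3 SRC=203.0.113.7 DST=192.168.18.110 PROTO=TCP FRAG=8
T=9 SRC=10.0.0.12 DST=192.168.18.110 PROTO=TCP SPT=51234 DPT=443 SYN
"""

def parse(line):
    """One log line -> dict of key=value fields; bare flags MF and SYN become booleans."""
    rec = dict(FIELD.findall(line))
    for flag in ("MF", "SYN"):
        rec[flag] = f" {flag} " in f" {line} "
    return rec

def detect(log_text, window=5):
    """Return sorted, de-duplicated (indicator, detail) alerts for the three evasions above."""
    alerts = set()
    probers = defaultdict(set)             # (time slot, dst, dpt) -> sources that sent a SYN
    for line in log_text.splitlines():
        r = parse(line)
        if r.get("PROTO") != "TCP":
            continue
        src, dst = r.get("SRC", "?"), r.get("DST", "?")
        # nmap -f / --mtu: the probe arrives as IP fragments (MF set, or a non-zero offset)
        if r["MF"] or int(r.get("FRAG", 0)) > 0:
            alerts.add(("fragmented-probe", src))
        if not r["SYN"]:
            continue
        spt, dpt = int(r["SPT"]), int(r["DPT"])
        # nmap -g 80: a connection *initiated* from a well-known service port is not a reply
        if spt in TRUSTED_SRC_PORTS and dpt not in TRUSTED_SRC_PORTS:
            alerts.add(("source-port-manipulation", src))
        probers[(int(r["T"]) // window, dst, dpt)].add(src)
    # nmap -D RND:n: many sources sending the same probe to the same port within seconds
    for (_, dst, dpt), sources in probers.items():
        if len(sources) >= DECOY_MIN_SOURCES:
            alerts.add(("possible-decoy-scan", f"{dst}:{dpt} from {len(sources)} sources"))
    return sorted(alerts)
```

Note that the decoy heuristic only says a decoy scan is likely; the real source still has to be found by other means (for example, which of the addresses actually completes handshakes later).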


## <mark style="color:red;">2. Colasoft Packet Builder to avoid AV</mark>

{% embed url="<https://www.colasoft.com/packet_builder/>" %}

## <mark style="color:red;">3. Custom packet in Hping3</mark>

```
hping3 --udp --rand-source --data 500 192.168.18.110
```

{% hint style="info" %}
\--data size of the packet body in bytes (here 500)
{% endhint %}

```
hping3 -S -p 80 -c 5 192.168.18.110
```

{% hint style="info" %}
-S set the SYN flag (SYN scan)

-p destination port number

-c number of packets to send
{% endhint %}

### Flood / DDoS with hping3

```
hping3 192.168.18.110 --flood
```

## <mark style="color:red;">4. Browse anonymously with proxy switcher</mark>

{% embed url="<https://www.proxyswitcher.com/>" %}

## <mark style="color:red;">5. Browse anonymously with CyberGhost</mark>

{% embed url="<https://www.cyberghostvpn.com/>" %}


