# 4. Scan beyond Firewalls and IDS

Techniques to evade IDS/firewall:

* **Packet Fragmentation**: Send fragmented probe packets to the intended target, which reassembles them once all the fragments have arrived
* **Source Routing**: Specify the routing path that the crafted packet takes to reach the intended target
* **Source Port Manipulation**: Replace the real source port with a commonly trusted one (such as 80) so that permissive firewall rules let the probe through
* **IP Address Decoy**: Generate or manually specify decoy IP addresses so that the IDS/firewall cannot determine which source is the real one
* **IP Address Spoofing**: Change the source IP address so that the traffic appears to originate from another host
* **Creating Custom Packets**: Send hand-crafted packets to scan the intended target beyond the firewall
* **Randomizing Host Order**: Scan the hosts in the target network in random order to reach a target lying beyond the firewall
* **Sending Bad Checksums**: Send packets with bad or bogus TCP/UDP checksums to the intended target
* **Proxy Servers**: Use a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions
* **Anonymizers**: Use anonymizers to hide the scanning host, bypass Internet censors, and evade certain IDS and firewall rules

## 1. Various Firewall Evasion techniques with nmap

### Fragmented scan

```
nmap -f 192.168.18.110
```

### Use common source ports

```
nmap -g 80 192.168.18.110
```

The probes are sent from source port 80, a port that many firewall rule sets trust, so they can pass filters that block traffic from arbitrary source ports.

### Sending smaller packets to scan

```
nmap --mtu 8 192.168.18.110
```

The packets are fragmented so that each fragment carries at most 8 bytes of payload (the value given to `--mtu` must be a multiple of 8).
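Both fragmented scans above split the 20-byte TCP header across 8-byte fragments, which is exactly the pattern a firewall or IDS has to reassemble or reject. The following added example (not from the original page) builds constructed IPv4 fragments of a SYN and flags any fragment too small to carry a complete TCP header; the addresses and packet bytes are constructed sample data.

```python
import struct
from dataclasses import dataclass

@dataclass
class Verdict:
    fragmented: bool
    offset: int           # fragment offset in bytes
    more_fragments: bool
    payload_len: int
    suspicious: bool
    reason: str

def build_ipv4(payload: bytes, mf: bool = False, offset_units: int = 0) -> bytes:
    """Constructed IPv4 header (20 bytes, no options, checksum left 0) + payload."""
    flags_frag = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, 6, 0, bytes([192, 168, 18, 5]), bytes([192, 168, 18, 110]))
    return hdr + payload

def inspect(pkt: bytes, tcp_header_len: int = 20) -> Verdict:
    """Tiny-fragment check: flag a first fragment too short for a full TCP header,
    and any later fragment whose offset still falls inside that header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!H2xH", pkt[2:8])
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8        # offset field counts 8-byte units
    payload_len = total_len - ihl
    fragmented = mf or offset > 0
    if fragmented and offset == 0 and payload_len < tcp_header_len:
        return Verdict(fragmented, offset, mf, payload_len, True, "first fragment hides TCP flags")
    if 0 < offset < tcp_header_len:
        return Verdict(fragmented, offset, mf, payload_len, True, "fragment splits TCP header")
    return Verdict(fragmented, offset, mf, payload_len, False, "ok")

# Constructed sample traffic: a plain SYN and the same SYN cut into 8-byte fragments
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
NORMAL = build_ipv4(TCP_SYN)
FRAGMENTS = [build_ipv4(TCP_SYN[0:8], mf=True, offset_units=0),
             build_ipv4(TCP_SYN[8:16], mf=True, offset_units=1),
             build_ipv4(TCP_SYN[16:20], mf=False, offset_units=2)]

if __name__ == "__main__":
    for p in [NORMAL] + FRAGMENTS:
        print(inspect(p))
```

A first fragment that carries the whole TCP header is not flagged, so ordinary fragmentation of large packets passes while the 8-byte probes produced by `-f` and `--mtu 8` do not.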

### Decoy scan

```
nmap -D RND:10 192.168.18.110
```

The real probes are interleaved with probes from 10 random decoy addresses, so the target's logs show the actual source mixed in with the decoys and cannot tell which one is real.

### Spoof mac

```
nmap -sT -Pn --spoof-mac 0 192.168.18.110
```

{% hint style="info" %}
-sT TCP connect scan

-Pn skip host discovery and treat the host as up

\--spoof-mac 0 use a random MAC address
{% endhint %}


## <mark style="color:red;">2. Colasoft packet builder to avoid AV</mark>

{% embed url="<https://www.colasoft.com/packet_builder/>" %}

## <mark style="color:red;">3. Custom packet in Hping3</mark>

```
hping3 --udp --rand-source --data 500 192.168.18.110
```

{% hint style="info" %}
\--data sets the packet payload size in bytes

\--rand-source uses a random source address for each packet
{% endhint %}

```
hping3 -S -p 80 -c 5 192.168.18.110
```

{% hint style="info" %}
-S set the SYN flag

-p destination port number

-c number of packets to send
{% endhint %}

### Flood / DDoS with Hping3

```
hping3 192.168.18.110 --flood
```

## <mark style="color:red;">4. Browse anonymously with proxy switcher</mark>

{% embed url="<https://www.proxyswitcher.com/>" %}

## <mark style="color:red;">5. Browse anonymously with CyberGhost</mark>

{% embed url="<https://www.cyberghostvpn.com/>" %}

