Evading Firewalls And IDS Using Nmap In Kali Linux

by Sunny Hoi


Nmap provides numerous features to assist in mapping and grasping intricate networks. One of the ideal techniques of understanding network security from the sysadmin or penetration tester’s perspective is the attempt to surmount it. Firewalls can attempt to render the reconnaissance phase and Nmap’s scanning capabilities less efficient for the adversary. In this tutorial, we will be examining the actions from an attacker’s point of view and deploy methods against our pentesting networks. The hacker can evade the firewalls and intrusion detection systems implemented by their adversaries by using several firewall evasion techniques with Nmap as illustrated in this article.

Ultimately, this tutorial serves as a Nmap cheatsheet for evading firewalls and IDS using Nmap commands in Kali Linux.


nmap -f

Proceed by typing the following command into terminal:

nmap -f

The above nmap -f command will run the output in our terminal. Obviously, replace the IP in the example.

The -f command induces our scan to deploy diminutive fragmented IP packets. Specifically, our command utilizes 16 bytes per fragment which diminishes the amount of fragments.

The logic behind our Nmap command is to divide the TCP header above numerous packets to render it increasingly difficult for packet filters, IDS, and additional security irritations.


Nmap -mtu

nmap -mtu (MTU)

The above nmap -mtu command allows us to specify our own offset size. Remember that the offset size has to be a multiple of 8. Hence, we can alter bytes to 8, 16, 32, and etc. FYI, if you’re wondering what the acronym MTU essentially represents, it refers to Maximum Transmission Unit. Thus, our command permits us to choose the desired transmission.


Nmap -d

nmap -D (decoy1),(decoy2) RND:(number)


nmap -D RND(number)

The above -D commands elicit a decoy scan which tricks the remote target host by creating the façade that the decoy host IP addresses we’ve selected as decoys are scanning our target’s network. Hence, our target and their security systems in place such as their IDS will see this scan as having the façade of being scanned from various machines simultaneously. Our decoy RND command permits us good flexibility to produce either a randomized IP address or produce (number) addresses by using RND:(number).

This Nmap command is important for the attacker since our adversary’s IDS could report 10 port scans deriving out of particular IP addresses. Our target won’t be aware which IP address was scanning their network and which were legitimate decoys. Therefore, the culprit actually carrying out the attack will be significantly arduous to pinpoint. Nevertheless, such nmap firewall evasion technique can be beaten using router path tracing and response-dropping. Do keep in mind that since the decoy command transmits numerous packets from various destinations as a batch simultaneously, decoys could transiently transgress congestion control limits. Despite these solutions and pitfalls, the -d nmap command is an excellent way to hide our IP address from our target.


Nmap -sI

Nmap -sl

The above -sl command grants the attacker the option to take advantage of an idle system by employing it to scan our target. Keep in mind that the zombie has to be in an idle state when we are executing the output. The example above, refers to our zombie whereas is our target of course. Clearly, you are not going with the localhost! Thus, align with your own penetration testing objectives.


Nmap –g

nmap –source-port (portnumber)


nmap -g (portnumber)

The above –source-port command will render Nmap transmit packets from our specified port. Using the above -g command will permit us to alter our source port. This is a convenient command as Nmap typically chooses random ports, but these commands render it to utilize a particular port.


Nmap –data-length

nmap –data-length (number)

The above –data-length command instructs Nmap to affix a specified number of random bytes to the majority of the packets it transmits, and refrain from deploying protocol-distinguishing payloads.

Usually, Nmap transmits minimal packets consisting of a mere header. Hence, the TCP packers are commonly 40 bytes, and requests of ICMP echo are simply 28. The command is useful in circumstances where our target could consider a particular size of a packet to accept. The byte can be any size.

We can use nmap –data-length 30 or –datalength 0 for protocol-distinguishing payloads/non-random.


Nmap –randomize-hosts

Nmap –randomize-hosts

The above –randomize-hosts command is deployed to notify Nmap to mix all groups of up to 16384 targets prior to scanning them. Thus, this command is utilized to randomize the order of our target scanning. This may render our scans less apparent to numerous networking monitoring mechanisms, particularly when we integrate it with sluggish timing choices.


Nmap –spoof-mac

nmap -spoof-mac (MAC|0|vendor)


nmap -sT -PN -spoof-mac 0

The above -spoof-mac commands grant us the ability to spoof a MAC address.The first -spoof-mac command above prompts Nmap to deploy the specified MAC address for every raw ethernet frames it transmits. If our specified string consists of an even number of hex digits, the command will employ it as the MAC address. If less than 12 hex digits are supplied, the command occupies the rest of the 6 bytes with random values. The second -spoof-mac command above renders Nmap to select a random MAC address.


Nmap -badsum

nmap -badsum

The above -badsum command induces the deployment of an invalid TCP/UDP/SCTP checksum for packets transmitted to our target. As practically every host IP stack would correctly drop the packets, each response accepted is possibly originating from a firewall or Intrusion Detection System that wasn’t concerned with confirming the checksum.

Related Posts