Advanced Nmap Techniques

Intermediate · 35 min · Writeup

Firewall evasion, timing, and scripting

Learning Objectives

  • Evade firewalls and IDS
  • Optimize scan timing
  • Write custom NSE scripts
  • Perform OS and service detection

You've learned the

. Now let's dive into the deep end - firewall evasion, IDS avoidance, custom scripts, and timing optimization. These techniques separate script kiddies from professionals.

With Great Power...

These techniques can evade security controls. Only use them during authorized penetration tests. Evasion attempts on systems you don't own are illegal and unethical.

Firewall & IDS Evasion

Fragmentation

Split packets into smaller fragments. Some firewalls don't properly reassemble fragments, letting probes through.

```bash
# Fragment packets into 8-byte chunks
sudo nmap -f 192.168.1.10

# Double fragmentation (16 bytes)
sudo nmap -f -f 192.168.1.10

# Specify MTU (must be multiple of 8)
sudo nmap --mtu 24 192.168.1.10
```

Decoys

Make it look like the scan is coming from multiple IP addresses. The real scan hides among the decoys like a criminal in a crowd.

```bash
# Use decoy addresses
sudo nmap -D 192.168.1.100,192.168.1.101,ME 192.168.1.10

# Random decoys
sudo nmap -D RND:10 192.168.1.10

# ME specifies your real IP position in the list
```

Decoy Limitations

Decoys only work for scans that don't require responses (like SYN scans). Service detection and OS fingerprinting need real responses and can't effectively use decoys.

Source Port Manipulation

Some firewalls trust traffic from certain ports (53 for DNS, 80 for HTTP). Spoofing your source port can bypass these rules.

```bash
# Spoof source port as DNS
sudo nmap --source-port 53 192.168.1.10
sudo nmap -g 53 192.168.1.10

# Common trusted ports to try
# 20/21 (FTP data/control)
# 53 (DNS)
# 67 (DHCP)
# 80 (HTTP)
# 88 (Kerberos)
```

IP Spoofing & Proxies

```bash
# Spoof source IP (won't get responses)
sudo nmap -S 192.168.1.200 -e eth0 192.168.1.10

# Specify outgoing interface
sudo nmap -e eth0 192.168.1.10

# Use idle scan (zombie host)
sudo nmap -sI zombie_host 192.168.1.10

# Proxy scan through SOCKS (only connect scans and NSE traffic are relayed)
nmap --proxies socks4://proxy:1080 192.168.1.10
```

Idle Scan is Truly Stealthy

Idle scan (-sI) uses a "zombie" host to scan. Your IP never touches the target - packets appear to come from the zombie. Finding a suitable zombie (with predictable IP IDs) is the hard part.

Data Padding & Payload Manipulation

```bash
# Append random data to packets
sudo nmap --data-length 50 192.168.1.10

# Send packets with bad checksum (tests IDS)
sudo nmap --badsum 192.168.1.10

# Randomize target host order
sudo nmap --randomize-hosts 192.168.1.0/24
```

Timing Optimization

Timing Templates Deep Dive

```bash
# T0 - Paranoid: 5 min between probes, serial scanning
# Use case: Evading IDS, very slow networks
nmap -T0 192.168.1.10

# T1 - Sneaky: 15 sec between probes
# Use case: IDS evasion with reasonable speed
nmap -T1 192.168.1.10

# T2 - Polite: 400ms between probes
# Use case: Reducing network load
nmap -T2 192.168.1.10

# T3 - Normal (default): Parallel scanning, dynamic timing
nmap -T3 192.168.1.10

# T4 - Aggressive: Assumes fast, reliable network
# Use case: Lab environments, CTFs
nmap -T4 192.168.1.10

# T5 - Insane: May miss ports, very aggressive
# Use case: When speed matters more than accuracy
nmap -T5 192.168.1.10
```

Fine-Grained Timing Control

```bash
# Control scan rate
nmap --min-rate 1000 192.168.1.10   # At least 1000 packets/sec
nmap --max-rate 100 192.168.1.10    # At most 100 packets/sec

# Host timeout
nmap --host-timeout 30m 192.168.1.10   # Give up after 30 minutes

# Parallel hosts
nmap --min-hostgroup 50 192.168.1.0/24
nmap --max-hostgroup 10 192.168.1.0/24

# RTT timeouts
nmap --initial-rtt-timeout 100ms 192.168.1.10
nmap --max-rtt-timeout 200ms 192.168.1.10

# Retries
nmap --max-retries 2 192.168.1.10

# Scan delay
nmap --scan-delay 500ms 192.168.1.10
nmap --max-scan-delay 1s 192.168.1.10
```

Balance Speed and Accuracy

Faster isn't always better. Overly aggressive scans miss ports due to packet loss or rate limiting. Start conservative and speed up only if repeated runs give consistent results.

Writing Custom NSE Scripts

NSE scripts are written in Lua. Even simple scripts can be incredibly useful for custom enumeration or vulnerability checks.

Basic Script Structure

```lua
-- Description of what the script does
description = [[
Checks for a specific vulnerability in service X.
]]

-- Script categories
categories = {"safe", "discovery"}

-- Required libraries
local http = require "http"
local shortport = require "shortport"

-- When to run (port rule)
portrule = shortport.http

-- Main function
action = function(host, port)
  local response = http.get(host, port, "/vulnerable-endpoint")

  -- Guard on body as well: a failed request has no status and no body
  if response.status == 200 and response.body then
    if string.match(response.body, "vulnerable") then
      return "VULNERABLE: Found vulnerability indicator"
    end
  end

  return nil -- No output if not vulnerable
end
```

Script Arguments

```bash
# Pass arguments to scripts
nmap --script http-enum --script-args http-enum.basepath=/api/ 192.168.1.10

# Multiple arguments
nmap --script smb-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.10

# View script arguments
nmap --script-help http-enum
```

Useful Built-in Scripts

```bash
# Vulnerability scanning
nmap --script vuln 192.168.1.10
nmap --script vulners 192.168.1.10

# Brute forcing
nmap --script ssh-brute -p 22 192.168.1.10
nmap --script ftp-brute -p 21 192.168.1.10

# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users -p 445 192.168.1.10
nmap --script "smb-vuln-*" -p 445 192.168.1.10

# HTTP enumeration
nmap --script "http-enum,http-vuln-*" -p 80,443 192.168.1.10

# Database enumeration
nmap --script mysql-enum,mysql-brute -p 3306 192.168.1.10
nmap --script ms-sql-info,ms-sql-brute -p 1433 192.168.1.10
```

Advanced OS Detection

```bash
# OS detection with version
sudo nmap -O --osscan-guess 192.168.1.10

# Limit OS detection attempts
sudo nmap -O --max-os-tries 2 192.168.1.10

# Verbose OS output
sudo nmap -O -v 192.168.1.10

# Combine with version detection
sudo nmap -O -sV 192.168.1.10
```

OS detection accuracy improves with more open and closed ports. If you only see open ports, Nmap struggles to fingerprint accurately.

Output Processing

Parsing Nmap Output

```bash
# Grepable format parsing
grep "open" scan.gnmap | cut -d " " -f 2 | sort -u

# Extract open ports
grep -oP '\d+/open' scan.gnmap | cut -d'/' -f1 | sort -u

# XML parsing with xmlstarlet
xmlstarlet sel -t -v "//port[@state='open']/@portid" scan.xml

# Convert XML to HTML report
xsltproc scan.xml -o scan.html

# Using nmap-parse-output
nmap-parse-output scan.xml hosts
```
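The shell one-liners above pull single fields out of the output; when you need the full picture (host, OS match, open ports and detected versions) the XML format is the one to parse. The following is an added example, not part of the original writeup or of Nmap itself: a standard-library parser for `-oX` output, run here over a constructed, trimmed sample of the XML that Nmap emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output, trimmed to the elements the parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Map each live IPv4 host to its OS match and list of (port, proto, service, version) for open ports."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip down hosts and hosts without an IPv4 address
        osmatch = host.find("os/osmatch")  # first (best) match, present only with -O
        entry = {"os": osmatch.get("name") if osmatch is not None else None, "ports": []}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not interesting for follow-up
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            entry["ports"].append((int(port.get("portid")), port.get("protocol"), name, version))
        results[addr.get("addr")] = entry
    return results


def hosts_with_service(results, service):
    """IPs with an open port whose detected service name matches, e.g. 'http' to feed a web scanner."""
    return sorted(ip for ip, e in results.items() if any(p[2] == service for p in e["ports"]))
```

The `hosts_with_service` list replaces the `awk '/Up$/{print $2}'` step in the tool-integration pipeline, selecting on the detected service rather than on host state.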

Integration with Other Tools

```bash
# Import to Metasploit
msfconsole
db_import scan.xml

# Convert to CSV
nmap -oX - 192.168.1.10 | python nmaptocsv.py

# Pipe to other tools
nmap -p 80,443 --open -oG - 192.168.1.0/24 | \
  awk '/Up$/{print $2}' | \
  xargs -I {} nikto -h {}
```

Real-World Scenarios

Scanning Large Networks

```bash
# Phase 1: Fast discovery
nmap -sn -T4 10.0.0.0/16 -oG discovery.gnmap

# Phase 2: Quick port scan on live hosts
grep "Up" discovery.gnmap | cut -d " " -f 2 | \
  xargs nmap -T4 -F -oA quick_scan

# Phase 3: Full scan on interesting hosts
nmap -sS -sV -sC -p- -T4 -iL interesting_hosts.txt -oA full_scan
```

Evading Next-Gen Firewalls

```bash
# Slow scan from trusted port with fragmentation
sudo nmap -sS -f --source-port 53 --scan-delay 1s -T2 192.168.1.10

# Using multiple evasion techniques
sudo nmap -sS -f -D RND:5 --source-port 80 --data-length 100 \
  --randomize-hosts -T2 192.168.1.0/24
```

Web Application Discovery

```bash
# Find all web servers
nmap -p 80,443,8080,8443 --open -sV -oG web.gnmap 192.168.1.0/24

# Enumerate web applications
nmap -p 80,443 --script=http-enum,http-title,http-methods,http-robots.txt \
  -iL webservers.txt -oA web_enum
```

Knowledge Check

Quick Quiz (Question 1 of 3)

What does packet fragmentation (-f) help evade?

Challenges

Firewall Evasion Lab

Challenge · 🔥 intermediate

A firewall is blocking standard Nmap scans. Use at least 3 evasion techniques together to scan through it.


Custom NSE Script

Challenge · 💀 advanced

Write a simple NSE script that checks if a web server exposes its .git directory.


Key Takeaways

  • Fragmentation, decoys, and source port spoofing evade simple firewalls
  • Idle scans completely hide your IP using zombie hosts
  • Timing templates range from T0 (paranoid) to T5 (insane)
  • NSE scripts are written in Lua and extend Nmap's capabilities
  • Always balance scan speed with accuracy
  • Combine multiple evasion techniques for best results
  • Save output in multiple formats for different use cases