How to evade Web Application Firewall and IPS using NMAP | Fzuckerman©
https://fzuckerman.wordpress.com/2016/10/03/how-to-evade-web-application-firewall-and-ips-using-nmap/
05/12/2018
Note: we will use our Kali Linux machine (the attacker) and Vulnerable_VM (the OWASP-bwa server, our target) in this tutorial. Start both virtual machines that we set up for penetration testing. For more details refer to the tutorial Setting up your own penetration testing lab (http://www.pentestingexperts.com/setting-up-your-own-penetration-testing-lab/).
Nmap supports multiple scan types: SYN scan (the default when Nmap runs as root), TCP connect scan (the default for unprivileged users, because it needs no raw sockets), ACK scan, UDP scan and others.
ACK scan is used to bypass rules on routers and other stateless packet filters that only allow SYN packets from the internal network, which blocks the default SYN and connect scans. Such a router lets internal clients open connections through it and drops every packet arriving from the external network with the SYN bit set. When the ACK scan is invoked with the -sA flag, Nmap sends probes with only the ACK bit set; the router treats them as replies to connections opened by an internal client and lets them through. A normal TCP stack answers an unsolicited ACK with a RST whether the port is open or closed, so an ACK scan cannot tell the state of a port. What it can tell is whether a port is filtered (no reply, or an ICMP unreachable error) or unfiltered (a RST came back), which is enough to map the firewall's rule set and to identify live systems behind the router. Note that this only works against stateless filters: a stateful firewall sees that no matching connection exists and drops the probe like any other.
We can run an ACK scan in Nmap as follows. Open a terminal in Kali Linux and run nmap -sA against the target's address.
From the output we can see that our Vulnerable_VM server is not filtering any port: every scanned port is reported as unfiltered.
Trusting the source port in firewall rules is a misconfiguration, and it lets an attacker evade the firewall with almost no effort. Many firewall administrators write rules that allow incoming traffic from the outside world as long as it originates from specific source ports such as 80 (HTTP), 443 (HTTPS), 53 (DNS) or 25 (SMTP), on the assumption that such packets must be replies from a legitimate server.
Nmap lets us choose the source port of its probes with the --source-port <n> option (short form: -g <n>), so we can push traffic from a trusted source port to bypass this kind of rule. Run the following in a Kali Linux terminal:
nmap --source-port 53 -p 80 <target IP>
This command forces Nmap to originate its traffic from source port 53 and send it to port 80. The option only applies to scans that Nmap builds from raw packets (SYN, ACK, UDP and similar); connect scans, version detection and NSE scripts use the operating system's own sockets and will not honour it.
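To make the two claims above concrete (an ACK scan slips past a filter that only blocks inbound SYNs, and a filter that trusts the source port lets a full SYN scan through, while a stateful filter stops both), here is a small Python model of the two firewall types and of how Nmap classifies -sS and -sA responses. It is an added example, not code from the original post or from Nmap itself: the addresses 203.0.113.7 and 10.0.0.5, the rule sets, the open ports and the port list are constructed for illustration; the classification follows Nmap's documented rule for ACK scan (a RST means unfiltered, no answer means filtered).

```python
"""Toy model of a stateless packet filter, a stateful one, and how Nmap's
SYN (-sS) and ACK (-sA) probes fare against each.  Added example; the
addresses, rules and open ports are invented for illustration."""
from dataclasses import dataclass

ATTACKER = "203.0.113.7"     # assumed external scanner address
TARGET = "10.0.0.5"          # assumed internal target behind the router
INTERNAL_PREFIX = "10.0.0."  # assumed "inside" network of the router
OPEN_PORTS = {80, 443}       # assumed listening services on the target
PORTS = [22, 80, 443, 8080]  # assumed ports to probe


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """The router ACL from the post: inbound packets with SYN set (and ACK
    clear) are dropped; anything that looks like a reply passes.  The optional
    trusted_sports set models the misconfiguration that whitelists inbound
    traffic by its source port (53, 80, ...)."""

    def __init__(self, trusted_sports=()):
        self.trusted_sports = set(trusted_sports)

    def allows(self, pkt):
        if is_internal(pkt.src):
            return True                       # outbound: always allowed
        if pkt.sport in self.trusted_sports:
            return True                       # source-port trust: the hole
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return False                      # new inbound connection: drop
        return True                           # ACK-only probe looks like a reply


class StatefulFilter:
    """Tracks outbound connections; inbound packets pass only if they belong
    to a flow an internal host opened first."""

    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        if is_internal(pkt.src):
            if "SYN" in pkt.flags:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def host_reply(pkt):
    """What a standard TCP stack sends back for an unsolicited probe."""
    if "ACK" in pkt.flags and "SYN" not in pkt.flags:
        return "RST"          # unsolicited ACK: RST whether open or closed
    if "SYN" in pkt.flags:
        return "SYN/ACK" if pkt.dport in OPEN_PORTS else "RST"
    return None


def scan(fw, scan_type, sport=40000):
    """Classify each port the way Nmap reports -sS and -sA results."""
    flags = frozenset({"SYN"}) if scan_type == "SYN" else frozenset({"ACK"})
    states = {}
    for port in PORTS:
        probe = Packet(ATTACKER, TARGET, sport, port, flags)
        if not fw.allows(probe):
            states[port] = "filtered"         # dropped: no answer comes back
            continue
        reply = host_reply(probe)
        if scan_type == "SYN":
            states[port] = "open" if reply == "SYN/ACK" else "closed"
        else:
            states[port] = "unfiltered"       # RST came back; state unknown
    return states


def legit_reply_passes_stateful():
    """Sanity check: a real reply to an internal client's connection passes."""
    fw = StatefulFilter()
    fw.allows(Packet(TARGET, ATTACKER, 51000, 443, frozenset({"SYN"})))
    return fw.allows(Packet(ATTACKER, TARGET, 443, 51000, frozenset({"SYN", "ACK"})))


def demo():
    stateless = StatelessFilter(trusted_sports={53, 80, 443})
    return {
        "syn_vs_stateless": scan(stateless, "SYN"),                   # all filtered
        "ack_vs_stateless": scan(stateless, "ACK"),                   # all unfiltered
        "syn_from_53_vs_stateless": scan(stateless, "SYN", sport=53),  # open/closed visible
        "ack_vs_stateful": scan(StatefulFilter(), "ACK"),             # all filtered
    }


if __name__ == "__main__":
    for name, states in demo().items():
        print(name, states)
```

Running the block prints four result sets: the plain SYN scan is fully filtered by the stateless router, the ACK scan reports every port as unfiltered (it learned the ports are reachable, not whether they are open), the SYN scan from source port 53 reveals the real open/closed state through the trust hole, and the stateful filter drops the ACK probes because no internal host opened the flow.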
Most firewall administrators know about Nmap and other port scanners. By default Nmap's probes carry no payload, so a SYN or ACK probe always has the same size, and some firewalls and intrusion detection systems use that fixed size as part of their signature for a scan. To evade this kind of detection, we can make Nmap pad its probes with the --data-length option. A sample command:
nmap --data-length <n> <target IP>
The option appends the requested number of random bytes to each probe; with --data-length 40, for example, every probe carries 40 bytes of random payload instead of the empty default packet, so it no longer matches a size-based rule. The padding does not change how Nmap interprets the responses.
Another trick is useful against filters that only accept frames from specific MAC addresses. We can spoof the source MAC address of Nmap's frames with the --spoof-mac option, which accepts a full MAC address, a vendor prefix or vendor name, or 0 for a random address (it implies --send-eth, since Nmap has to build the Ethernet frame itself). Keep in mind that a MAC address only survives on the local Ethernet segment: every router rewrites it, so this helps against a switch ACL or host filter on the same network as the scanner, not against a firewall several hops away.
Hope you have all enjoyed these different ways to evade web application firewalls and IPS using Nmap.