
05/12/2018 How to evade Web Application Firewall and IPS using NMAP | Fzuckerman©

SECURITY & HACKING

Fzuckerman©

How to evade Web Application Firewall and IPS using NMAP

3 October 2016 by fzuckerman


In our previous Nmap tutorial we saw how to identify a web application firewall using Nmap
(http://www.pentestingexperts.com/how-to-identify-web-application-firewall-using-nmap/). Today
we will learn how to evade a web application firewall and IPS using Nmap. Nmap provides many
options that help in bypassing or evading firewalls when scanning targets, and we will walk through
several of them. Keep in mind that every option covered here works at the packet level: it is aimed at
packet filters, port-based firewall rules and IDS/IPS signatures, and it does not change the HTTP
requests that a WAF actually inspects.

Bypass or Evade Web Application firewall using NMAP

Ways to Evade Web Application Firewall and IPS using NMAP:

https://fzuckerman.wordpress.com/2016/10/03/how-to-evade-web-application-firewall-and-ips-using-nmap/ 1/3

Note: We will be using our Kali Linux (attacker machine) and Vulnerable_VM (OWASP-bwa server, the
target machine) in this tutorial. Start both virtual machines that we set up for our penetration testing.
For more details refer to the tutorial Setting up your own penetration testing lab
(http://www.pentestingexperts.com/setting-up-your-own-penetration-testing-lab/).

Evading WAF/IPS Using ACK Scan :

Nmap supports multiple scan types: SYN scan (the default when running as root), connect scan (the
default for unprivileged users), ACK scan, UDP scan and others. The ACK scan is used to bypass rules
on stateless routers and packet filters that only allow connections initiated from the internal network,
which they implement by blocking every packet from the outside that has the SYN bit set. Such a filter
lets internal clients connect out through it and blocks new inbound connections, including a default
SYN or connect scan. When the ACK scan is invoked with the -sA flag, Nmap sends probes with only
the ACK bit set, so the filter treats each probe as a response to a connection made by an internal client
and lets it through. An ACK scan cannot tell whether a port on the target is open or closed, because
both answer an unsolicited ACK with a RST. It does tell whether a port is filtered or unfiltered (no
response, or an ICMP unreachable error, means filtered), so it is useful for mapping which ports a
firewall in front of the target is protecting. Note that a stateful firewall, which tracks connections,
simply drops an ACK that does not belong to an existing session, so this trick only works against
stateless filtering.

We can run an ACK scan in Nmap as follows. Because the ACK scan needs raw packets, run it as root.
Open Kali Linux and issue the below command in a terminal:

nmap -sA 192.168.56.102

Evade Web application firewall using NMAP ACK scan

The output reports every scanned port as unfiltered, so our Vulnerable_VM server is not filtering any port.

Hardcoded originating ports in Firewall Rules :

Hardcoding source ports in firewall rules is a misconfiguration that lets an attacker evade the firewall
with almost no effort. Many firewall administrators configure rules that allow incoming traffic from the
outside world as long as it originates from specific source ports, such as 80 (HTTP), 443 (HTTPS),
53 (DNS) or 25 (SMTP), typically so that replies from those services reach internal clients through a
stateless filter.

Nmap can send its probes from a chosen source port with the --source-port <portnum> option (short
form -g), which defeats this type of rule. Run the following command in a Kali Linux terminal:

nmap 192.168.56.102 -p 80 --source-port 53

Bypassing WAF by specifying source port in NMAP

The above command makes Nmap send its probes from source port 53 to port 80 on the target. It only
helps against a rule that matches on the source port alone: a stateful firewall that tracks outbound DNS
queries will not accept an unsolicited inbound packet just because it comes from port 53.
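To check whether a filter is really being evaded, a practitioner compares the port states reported by a baseline scan with those of the same scan run with an evasion option, and for an ACK scan lists which ports came back filtered. The shell script below is an added example for this tutorial, not code from the original post or from the Nmap project. It parses Nmap's grepable output (-oG); the three scan results embedded in it are constructed for illustration, not captured from the Vulnerable_VM, and the function names are this example's own.

```shell
#!/bin/sh
# Compare Nmap grepable (-oG) results to see what an evasion option changed.
# Added example for this tutorial; not part of Nmap or of the original post.

# port_states <grepable-text>: print "<port>/<proto> <state>" for every port
# on a "Host: ... Ports: ..." line. -oG fields are tab-separated and each port
# entry has the form port/state/proto/owner/service/rpcinfo/version/.
port_states() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports:/) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        print f[1] "/" f[3] " " f[2]
                    }
                }
            }
        }' | LC_ALL=C sort -u
}

# ports_in_state <grepable-text> <state>: ports reported in the given state,
# e.g. "filtered" from an ACK scan, to map what the firewall is blocking.
ports_in_state() {
    port_states "$1" | awk -v want="$2" '$2 == want { print $1 }'
}

# state_changes <baseline-text> <evasion-text>: ports whose state differs
# between the two scans, printed as "<port>/<proto> <before> -> <after>".
state_changes() {
    before=$(mktemp) && after=$(mktemp) || return 1
    port_states "$1" > "$before"
    port_states "$2" > "$after"
    awk 'FILENAME == ARGV[1] { old[$1] = $2; next }
         ($1 in old) && old[$1] != $2 { print $1 " " old[$1] " -> " $2 }' \
        "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample outputs (not real scan results).
# Baseline SYN scan: 80 open, 443 and 8080 filtered.
BASELINE=$(printf 'Host: 192.168.56.102 ()\tStatus: Up\nHost: 192.168.56.102 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)\n')
# Same scan with --source-port 53: a source-port rule lets the probe reach 8080.
EVASION=$(printf 'Host: 192.168.56.102 ()\tStatus: Up\nHost: 192.168.56.102 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n')
# ACK scan of the same host: only filtered/unfiltered is reported.
ACK=$(printf 'Host: 192.168.56.102 ()\tStatus: Up\nHost: 192.168.56.102 ()\tPorts: 80/unfiltered/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: unfiltered (997)\n')

echo "Ports the ACK scan reports as filtered:"
ports_in_state "$ACK" filtered
echo "Changes caused by --source-port 53:"
state_changes "$BASELINE" "$EVASION"
```

To use it on real scans, save grepable output from a baseline and an evasion run, for example `nmap -sS -p 80,443,8080 -oG base.txt 192.168.56.102` and `nmap -sS -p 80,443,8080 --source-port 53 -oG dns.txt 192.168.56.102`, then call `state_changes "$(cat base.txt)" "$(cat dns.txt)"`: a port that moves from filtered to open or closed is one the filter let through because of the source port. Similarly `ports_in_state "$(cat ack.txt)" filtered` after `nmap -sA -oG ack.txt 192.168.56.102` lists the ports a stateless filter is protecting.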


Evading Firewalls by sending Custom size Packets :

Most firewall and IDS administrators know Nmap and other port scanners well. By default Nmap sends
minimal probes that contain only headers: a TCP probe is typically 40 bytes and an ICMP echo request
28 bytes, with no payload at all, and firewall rules and IDS signatures can be written to recognise such
packets. To make the probes look less like a scanner's, Nmap can append random bytes to most of the
packets it sends using the --data-length option.

Below is a sample command that can be issued in a terminal to evade such a rule:

nmap 192.168.56.102 -p 80 --data-length 40

Evading firewall by sending custom Packets

The above command appends 40 random bytes of payload to each probe, so the TCP probes go out at
about 80 bytes instead of the default header-only 40. The cost is slightly more bandwidth and a
marginally slower scan.

Bypassing Firewall by spoofing MAC Address in NMAP :

This is another trick, for filters that only accept frames from specific MAC addresses. Nmap can set the
source MAC of the Ethernet frames it builds with the --spoof-mac option, which takes a full address, a
vendor prefix, a vendor name (Nmap then makes up an address with that vendor's prefix; the lookup is
case insensitive) or 0 for a completely random address. Two caveats apply. MAC filtering only exists on
the local Layer 2 segment: once a packet crosses a router the source MAC is rewritten, so this is
irrelevant against a remote target. And the target's replies are addressed to the spoofed MAC rather
than to your interface, so Nmap only sees them when it can capture them off the segment; on a switched
network they may never reach you. Because the option only applies to packets Nmap crafts itself, use a
raw-packet scan type such as SYN scan rather than a connect scan, whose probes are built by the
operating system with the real MAC.

Below is a sample that spoofs the MAC address on a SYN scan:

nmap -sS --spoof-mac CISCO 192.168.56.102 -p 80

Bypassing WAF by spoofing mac address
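As an added example that is not code from the original post or from Nmap, the wrapper below assembles the scans from this tutorial and refuses the combinations that silently do nothing: --spoof-mac and --data-length only affect packets Nmap crafts itself, so they are rejected with a connect scan, and raw-packet scan types get a sudo prefix when the caller is not root. The function names, the RUN_AS_UID override and the option checks are this example's own conventions, not Nmap's.

```shell
#!/bin/sh
# Build the Nmap command for a firewall-evasion scan and reject option
# combinations that would not reach the wire. Added example; not part of Nmap.

# Scan types Nmap implements with raw packets. Only these carry the
# --spoof-mac and --data-length tweaks, which shape packets Nmap builds
# itself; a connect scan (-sT) hands its probes to the OS connect() call,
# so the kernel sends them with the real MAC and no payload.
needs_raw_sockets() {
    case "$1" in
        -sS|-sA|-sF|-sX|-sN|-sW|-sM|-sU) return 0 ;;
        *) return 1 ;;
    esac
}

# build_evasion_scan <target> <ports> <scan-type> [--source-port N]
#                    [--data-length N] [--spoof-mac X]
# Prints the command line instead of running it (dry run). The hypothetical
# RUN_AS_UID variable overrides the caller's uid so the sudo decision can be
# exercised without root.
build_evasion_scan() {
    target=$1; ports=$2; scan=$3; shift 3
    opts=""; raw_opts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --source-port|-g)
                case "$2" in ''|*[!0-9]*) echo "$1 needs a port number" >&2; return 2 ;; esac
                opts="$opts --source-port $2"; shift 2 ;;
            --data-length)
                case "$2" in ''|*[!0-9]*) echo "$1 needs a byte count" >&2; return 2 ;; esac
                raw_opts="$raw_opts --data-length $2"; shift 2 ;;
            --spoof-mac)
                [ -n "$2" ] || { echo "--spoof-mac needs a MAC, prefix, vendor or 0" >&2; return 2; }
                raw_opts="$raw_opts --spoof-mac $2"; shift 2 ;;
            *) echo "unsupported option: $1" >&2; return 2 ;;
        esac
    done
    if [ -n "$raw_opts" ] && ! needs_raw_sockets "$scan"; then
        echo "refusing: $scan uses the OS socket API, so$raw_opts would be ignored" >&2
        return 1
    fi
    prefix=""
    uid=${RUN_AS_UID:-$(id -u)}
    if needs_raw_sockets "$scan" && [ "$uid" -ne 0 ]; then
        prefix="sudo "
    fi
    printf '%snmap %s -p %s%s%s -oG - %s\n' "$prefix" "$scan" "$ports" "$opts" "$raw_opts" "$target"
}

# The three scans from this tutorial, rebuilt on a SYN scan so every option applies.
build_evasion_scan 192.168.56.102 80 -sS --source-port 53
build_evasion_scan 192.168.56.102 80 -sS --data-length 40
build_evasion_scan 192.168.56.102 80 -sS --spoof-mac CISCO
# This one is rejected: a connect scan would send its probes with the real MAC.
build_evasion_scan 192.168.56.102 80 -sT --spoof-mac CISCO || echo "rejected as expected"
```

Pipe the printed line into `sh` to actually run the scan; the `-oG -` in the generated command writes grepable output to stdout so the result can be compared against a baseline run.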

That’s it for today !!

Hope you all have enjoyed different ways to evade web application firewall and IPS using NMAP.

