1
00:00:00,150 --> 00:00:07,500
So in these Nmap lectures, we have seen no port scan, also known as ping scan, different ways of scanning

2
00:00:07,500 --> 00:00:18,540
ports, SYN scan, also known as half-open scanning, TCP scan, also known as TCP connect scan, UDP scan,

3
00:00:18,540 --> 00:00:24,930
Service and Version detection, Operating System detection and Nmap Scripting Engine in detail.

4
00:00:24,930 --> 00:00:31,380
Now let's see how we can cope with network security devices such as firewalls or packet filtering.

5
00:00:31,460 --> 00:00:37,160
You with me, you will always face some security measures in your penetration test.

6
00:00:37,200 --> 00:00:38,080
They will get you,

7
00:00:38,090 --> 00:00:44,760
drop your packets or reply with some fake responses, so you have to find those measures and bypass them and

8
00:00:44,760 --> 00:00:50,900
go on. Network obstructions such as firewalls can make mapping a network exceedingly difficult.

9
00:00:52,010 --> 00:00:57,620
It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the

10
00:00:57,620 --> 00:01:05,390
devices. Nevertheless, Nmap offers many features to help understand these complex networks and verify

11
00:01:05,390 --> 00:01:08,170
that the filters are working as intended.

12
00:01:08,180 --> 00:01:13,110
It even supports mechanisms for bypassing poorly implemented defenses.

13
00:01:13,160 --> 00:01:19,290
One of the best methods of understanding your network security posture is to try to defeat it.

14
00:01:19,540 --> 00:01:25,810
In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion

15
00:01:25,810 --> 00:01:31,450
detection systems, or IDS. All of the major IDSs

16
00:01:31,500 --> 00:01:39,620
ship with rules designed to detect Nmap scans, because scans are sometimes a precursor to attacks.

17
00:01:39,810 --> 00:01:47,610
Many of these products have recently morphed into intrusion prevention systems, IPSs, that actively block

18
00:01:47,610 --> 00:01:50,070
traffic deemed malicious.

19
00:01:50,100 --> 00:01:56,940
Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing

20
00:01:56,940 --> 00:02:05,820
packet data is a tough problem. Attackers with patience, skill and the help of certain Nmap options

21
00:02:05,820 --> 00:02:09,740
can usually pass by IDSs undetected.

22
00:02:10,139 --> 00:02:15,960
Meanwhile, administrators must cope with large numbers of false positive results where innocent activities

23
00:02:16,020 --> 00:02:24,910
are misdiagnosed and alerted on or blocked, so there's no magic bullet for detecting and bypassing firewalls and IDS

24
00:02:24,980 --> 00:02:26,450
systems.

25
00:02:26,500 --> 00:02:29,150
It takes skill and experience.

26
00:02:29,170 --> 00:02:37,210
So here I'm going to show you a few methods to bypass or detect the IDS and IPS devices.

27
00:02:38,410 --> 00:02:45,240
Although timing techniques are used to improve scan times, they're also very good at being invisible

28
00:02:45,240 --> 00:02:48,520
against network security devices such as firewalls or IDSs and IPSs.

29
00:02:48,550 --> 00:02:53,150
We'll see the timing techniques in detail.

30
00:02:53,160 --> 00:03:01,580
But let's see the other techniques to bypass security measures. The -f option causes the requested scan

31
00:03:01,580 --> 00:03:04,340
to use tiny fragmented IP packets.

32
00:03:04,340 --> 00:03:10,730
The idea here is to split up the TCP header over several packets to make it harder for packet filters,

33
00:03:10,820 --> 00:03:16,480
intrusion detection systems and other annoyances to detect what you are doing.

34
00:03:16,490 --> 00:03:22,470
Specify this option once and Nmap splits the packets into 8 bytes or less

35
00:03:22,670 --> 00:03:24,250
after the IP header.

36
00:03:24,560 --> 00:03:28,430
So a 20-byte TCP header would be split into three packets.

37
00:03:28,730 --> 00:03:36,770
So be careful with this; some programs have trouble handling these tiny packets. Fragmentation is only

38
00:03:36,770 --> 00:03:46,040
supported for Nmap's raw packet features, which include TCP and UDP port scans and OS detection. Features

39
00:03:46,040 --> 00:03:51,860
such as version detection and the Nmap Scripting Engine generally don't support fragmentation because

40
00:03:51,860 --> 00:03:57,170
they rely on your host's TCP stack to communicate with target services.

41
00:03:58,180 --> 00:04:03,400
Using well-known ports as the source port of the packets that will be sent is another technique to bypass

42
00:04:03,400 --> 00:04:11,440
firewalls. Trusting traffic based only on the source port number is one surprisingly common misconfiguration.

43
00:04:12,240 --> 00:04:14,760
It's easy to understand how this comes about:

44
00:04:14,860 --> 00:04:20,170
an administrator will set up a shiny new firewall only to be flooded with complaints from ungrateful

45
00:04:20,170 --> 00:04:27,220
users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies

46
00:04:27,220 --> 00:04:30,370
from external servers can no longer enter the network.

47
00:04:31,460 --> 00:04:39,790
Here Nmap offers the source port option to exploit this weakness. Simply provide a port number and

48
00:04:39,940 --> 00:04:48,230
Nmap will send packets from that port where possible. --randomize-hosts tells Nmap to shuffle

49
00:04:48,230 --> 00:04:51,290
each group of hosts before it scans them.

50
00:04:51,460 --> 00:04:58,070
This can make the scans less obvious to various network monitoring systems, especially when you combine

51
00:04:58,070 --> 00:05:00,610
it with a slow timing option.

52
00:05:00,700 --> 00:05:06,070
You can use -S to spoof the scan to make the targets think that someone else is scanning

53
00:05:06,070 --> 00:05:06,910
them.

54
00:05:06,910 --> 00:05:10,420
Note that you won't usually receive reply packets back.

55
00:05:10,420 --> 00:05:12,370
They will be addressed to the IP

56
00:05:12,400 --> 00:05:18,440
you are spoofing. So Nmap won't produce useful reports.

57
00:05:18,440 --> 00:05:22,950
You can also use some techniques to understand the existence of the security measures.

58
00:05:22,970 --> 00:05:29,330
The first technique is to analyze the TTL, the time-to-live values, of the incoming packets.

59
00:05:29,450 --> 00:05:35,810
The TTL values of the packets coming from the destination systems may differ from the TTL values of

60
00:05:35,810 --> 00:05:43,110
the packets coming from a network security device. So find incoming packets which produce two different

61
00:05:43,110 --> 00:05:47,350
results and analyze their TTL values.

62
00:05:48,430 --> 00:05:56,420
The --badsum option asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts.

63
00:05:56,590 --> 00:06:03,130
Since virtually all host IP stacks properly drop these packets, any responses received are likely coming

64
00:06:03,130 --> 00:06:04,380
from a firewall or IDS

65
00:06:04,390 --> 00:06:07,030
that didn't bother to verify the checksum.
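The three signals the lecture describes (tiny TCP fragments from -f, TTLs that differ between replies from the same address, and the checksum check that a --badsum probe relies on) seen from the sensor side, as an added example that is not part of the lecture or of Nmap. The packet records and the UDP datagram are constructed here, and the simplified record fields (src, dst, proto, ttl, frag_off, mf, len, sport) are an assumption of this example, not a real capture format.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
# Constructed packet records (not a real capture): frag_off is in 8-byte units as in the IP header,
# mf is the "more fragments" flag, proto 6 is TCP, len is the bytes after the IP header.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": 6, "ttl": 64, "frag_off": 0, "mf": 1, "len": 8},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": 6, "ttl": 64, "frag_off": 1, "mf": 1, "len": 8},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": 6, "ttl": 64, "frag_off": 2, "mf": 0, "len": 4},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": 6, "ttl": 63, "frag_off": 0, "mf": 0, "len": 20, "sport": 80},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": 6, "ttl": 250, "frag_off": 0, "mf": 0, "len": 20, "sport": 23},
]

def tiny_tcp_fragments(packets, max_len=8):
    """(src, dst) pairs sending TCP in fragments of <= max_len bytes, the 8 + 8 + 4 shape nmap -f produces."""
    flagged = set()
    for p in packets:
        fragmented = p["mf"] == 1 or p["frag_off"] > 0
        if p["proto"] == 6 and fragmented and p["len"] <= max_len:
            flagged.add((p["src"], p["dst"]))
    return sorted(flagged)

def ttl_inconsistencies(packets):
    """Reply sources whose TTL differs between ports; the odd value usually comes from an inline device, not the host."""
    by_src = defaultdict(dict)
    for p in packets:
        if "sport" in p:
            by_src[p["src"]][p["sport"]] = p["ttl"]
    return {s: ports for s, ports in by_src.items() if len(set(ports.values())) > 1}

def internet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _pseudo(src, dst, udp_len):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 17, udp_len)

def udp_checksum_ok(src, dst, udp):
    """The verification a real IP stack performs before answering; a --badsum probe fails it."""
    return internet_checksum(_pseudo(src, dst, len(udp)) + udp) == 0

def build_udp(src, dst, sport, dport, payload):
    """Constructed UDP datagram with a correct checksum, to exercise udp_checksum_ok."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = internet_checksum(_pseudo(src, dst, 8 + len(payload)) + header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload
```

A device that answers a datagram udp_checksum_ok rejects is exactly the kind of middlebox the --badsum technique reveals.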