Task 4: Create Custom Packets using Nmap to Scan beyond IDS/Firewall

 

Task 4: Create Custom Packets using Nmap to Scan beyond IDS/Firewall




Module 03: Scanning Networks

Task 4: Create Custom Packets using Nmap to Scan beyond IDS/Firewall

scan past firewall 
scan past IDS

open zenmap
nmap [Target IP Address] --data 0xdeadbeef
Nmap uses --data [hex string] (here, 0xdeadbeef) to send the binary data (o’s and 1’s) as payloads in the sent packets to scan beyond firewalls.
nmap [Target IP Address] --data-string “Ph34r my l33t skills” 
Nmap uses --data-string [string] (here, “Ph34r my l33t skills”) to send a regular string as payloads
 in the sent packets to the target machine for scanning beyond the firewall.

nmap --data-length 5 [Target IP Address]        =  to append the number of random data bytes to most of the packets sent without any protocol-specific payloads.
nmap --randomize-hosts [Target IP Address]      = Nmap uses --randomize-hosts to scan the number of hosts in the target network in random order to scan the intended target that is beyond the firewall.
nmap --badsum [Target IP Address]               =  --badsum to send the packets with bad or bogus TCP/UPD checksums to the intended target to avoid certain firewall rulesets.

Nmap is a network scanning tool that can be used for sending customized data packets to scan the target host, thus bypassing various security mechanisms such as the IDS/firewall.

Here, we will use Nmap to perform various scanning techniques such as appending custom binary data, appending a custom string, appending random data, randomizing host order, and sending bad checksums to scan the target host beyond the IDS/firewall.

In this task, we are using the Windows 10 (10.10.10.10) machine as a host machine and the Windows Server 2016 (10.10.10.16) machine as a target machine.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

  2. Click Ctrl+Alt+Delete to activate the machine. By default, Administration user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.

    Alternatively, you can also click Pa$$w0rd under Windows Server 2016 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.

    Screenshot

  3. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn Windows Firewall on or off, enable Windows Firewall and click OK, as shown in the screenshot.

    Screenshot

  4. Click Windows 10 to switch to the Windows 10 machine and launch Nmap by double-clicking on the Nmap - Zenmap GUI shortcut available on the Desktop.

    Nmap shortcut.png

  5. The Nmap - Zenmap GUI appears. In the Command field, type the command nmap [Target IP Address] --data 0xdeadbeef (here, target IP address is 10.10.10.16) and click Scan.

    Nmap uses --data [hex string] (here, 0xdeadbeef) to send the binary data (o’s and 1’s) as payloads in the sent packets to scan beyond firewalls.

  6. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.

    Screenshot

  7. In the Command field, type the command nmap [Target IP Address] --data-string “Ph34r my l33t skills” (here, target IP address is 10.10.10.16) and click Scan.

    Nmap uses --data-string [string] (here, “Ph34r my l33t skills”) to send a regular string as payloads in the sent packets to the target machine for scanning beyond the firewall.

  8. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.

    Screenshot

  9. In the Command field, type the command nmap --data-length 5 [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    Nmap uses --data-length [len] (here, 5) to append the number of random data bytes to most of the packets sent without any protocol-specific payloads.

  10. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.

    Screenshot

  11. In the Command field, type the command nmap --randomize-hosts [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    Nmap uses --randomize-hosts to scan the number of hosts in the target network in random order to scan the intended target that is beyond the firewall.

  12. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.

    Screenshot

  13. In the Command field, type the command nmap --badsum [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.

    Nmap uses --badsum to send the packets with bad or bogus TCP/UPD checksums to the intended target to avoid certain firewall rulesets.

  14. The scan results appear, demonstrating that all ports are filtered, indicating that there is no response or the packets are dropped, and thus it can be inferred that the system is configured.

    Screenshot

  15. This concludes the demonstration of creating custom packets using Nmap to scan beyond the IDS and firewall.

  16. You can also use other packet crafting tools such as NetScanTools Pro (https://www.netscantools.com), Ostinato (https://www.ostinato.org), and WAN Killer (https://www.solarwinds.com) to build custom packets to evade security mechanisms.

  17. Close all open windows and document all the acquired information.

  18. Turn off the Windows Firewall in the Windows 10 and Windows Server 2016 machines by navigating to Control Panel --> System and Security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off.

    2020-06-28_23-46-00.png

Comments

Post a Comment

Popular posts from this blog

Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools

Image
Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools Lab Scenario As an ethical hacker, you must try to obtain as much information as possible about the target cloud environment using various enumeration tools. This lab will demonstrate various S3 bucket enumeration tools that can help you in extracting the list of publicly available S3 buckets. Lab Objectives Enumerate S3 buckets using lazys3 Enumerate S3 buckets using S3Scanner Overview of Enumeration Tools Enumeration tools are used to collect detailed information about target systems to exploit them. Information collected by S3 enumeration tools consists of a list of misconfigured S3 buckets that are available publicly. Attackers can exploit these buckets to gain unauthorized access to them. Moreover, they can modify, delete, and exfiltrate the bucket content. Task 1: Enumerate S3 Buckets using lazys3 lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This...
Read more

Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools

Image
Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 1: Perform Cryptanalysis using CrypTool CrypTool is a freeware program that enables you to apply and analyze cryptographic mechanisms, and has the typical look and  feel of a modern Windows application. CrypTool includes a multitude of state-of-the-art cryptographic functions and allows you  to both learn and use cryptography within the same environment. CrypTool is a free, open-source e-learning application used in  the implementation and analysis of cryptographic algorithms. Here, we will use the CrypTool tool to perform cryptanalysis. refer to blog  little long --------------------------------------------------------------------------------------------------------------------------------------- Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 2: Perform Cryptanalysis us...
Read more

Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

Image
  Task 2: Perform OS Discovery using Nmap Script Engine (NSE) Module 03: Scanning Networks Lab 3: Perform OS Discovery Task 2: Perform OS Discovery using Nmap Script Engine (NSE) open zenmap nmap -A [Target IP Address]   = -A: to perform an aggressive scan. nmap -O [Target IP Address]   = -O: performs the OS discovery. nmap --script smb-os-discovery.nse [Target IP Address]   = --script: specifies the customized script and smb-os-discovery.nse: attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). end Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information from the target system. In addition to Nmap commands, NSE provides scripts that reveal all sorts of useful information from the target system. Using NSE, you may obtain information such as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain name, workgroup, system time o...
Read more