Thread: Evading IDS-IPS

  1. #1

    Evading IDS-IPS

    HI All,

    Just wanted to know about your experiments regarding evading host-based IDS-IPS, for example the NOD32 personal firewall, etc., in the enumeration phase.
    I did study ‘nmap’ regarding this issue, but without any success; maybe another tool or something else?

    Any help would be greatly appreciated,

    Regards,

  2. #2
    Have you tried a stealth SYN scan using nmap? A lot of firewalls see and block obvious port scans; even SEP sees and blocks them.

    Have you tried port scanning with nmap using the -sS flag?

    3.2 SYN Stealth Scan [-sS]

    I’ll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs.

    When a TCP connection is made between two systems, a process known as a "three way handshake" occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP; refer to a good TCP/IP book for more details).

    The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is.

    Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).

    To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

    SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully, often preventing the connection attempt from appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.

    Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).

    http://nmap.org/bennieston-tutorial/

    Found there.

  3. #3
    Yes, I tried the Stealth scan and ACK scan in conjunction with -T3 and -T2. I mean using the fragmentation, timing and MTU switches. What are the best or better values to set for the "--mtu", "-f" and "-T" options?

    Regards,

  4. #4
    If you want to evade NOD32, for example ... try to use a comprehensive scan or Xmas scan in nmap.

    If you don't know how to do that .. install my Hard track script and use it for evading firewalls; there are all the options you want to use.

    And I accept any suggestion.

    Check my project here:
    https://sourceforge.net/projects/hardtrack/

  5. #5
    Quote Originally Posted by lawrencethepentester:
    If you want to evade NOD32, for example ... try to use a comprehensive scan or Xmas scan in nmap.

    If you don't know how to do that .. install my Hard track script and use it for evading firewalls; there are all the options you want to use.

    And I accept any suggestion.

    Check my project here:
    https://sourceforge.net/projects/hardtrack/
    Would you please take a look at the command I used and the result:
    Victim is a WinXP SP3 with NOD32 AV & IDS-IPS on it. Both are my systems. These two are connected via my ADSL ZyXEL modem.
    I'm trying to enumerate the services and ports with nmap.

    root@kali:~# nmap -g 53 -T2 -S 192.68.1.101 -e wlan0 -sX 192.168.1.200

    Starting Nmap 6.25 ( http://nmap.org ) at 2013-08-07 15:41 FRDT
    Nmap scan report for 192.168.1.200
    Host is up (0.0016s latency).
    All 1000 scanned ports on 192.168.1.200 are open|filtered
    MAC Address: 40:4A:03:98D:12 (ZyXEL Communications)

    Nmap done: 1 IP address (1 host up) scanned in 803.23 seconds


    Regards,
    Last edited by xerxes; 2013-08-07 at 11:41.

  6. #6
    Quote Originally Posted by xerxes:
    Would you please take a look at the command I used and the result:
    Victim is a WinXP SP3 with NOD32 AV & IDS-IPS on it. Both are my systems. These two are connected via my ADSL ZyXEL modem.
    I'm trying to enumerate the services and ports with nmap.

    root@kali:~# nmap -g 53 -T2 -S 192.68.1.101 -e wlan0 -sX 192.168.1.200

    Starting Nmap 6.25 ( http://nmap.org ) at 2013-08-07 15:41 FRDT
    Nmap scan report for 192.168.1.200
    Host is up (0.0016s latency).
    All 1000 scanned ports on 192.168.1.200 are open|filtered
    MAC Address: 40:4A:03:98D:12 (ZyXEL Communications)

    Nmap done: 1 IP address (1 host up) scanned in 803.23 seconds


    Regards,

    Hello friend ..

    Here are some nmap commands ... try them to evade:

    SYN scan
    nmap -sS ip address
    UDP scan
    nmap -sU ip
    Xmas (the Xmas scan is -sX; -sZ is the SCTP COOKIE ECHO scan)
    nmap -sX ip

    comprehensive
    nmap -PN ip address
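
    The defender's side of what the tutorial quote in #2 and the command list above describe, as an added example that is not from this thread or from Nmap: a detector that flags a source leaving half-open SYNs on many distinct ports (using a long window so a -T2 paced sweep still adds up) and flags Xmas probes (FIN+PSH+URG together) outright. The hosts, ports and packet records are constructed for the example.

```python
from collections import defaultdict

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
# Flag letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST
PACKETS = [
    # background: one completed handshake from a legitimate client
    (0.0, "192.168.1.50", "192.168.1.200", 80, "S"),
    (0.0, "192.168.1.200", "192.168.1.50", 80, "SA"),
    (0.1, "192.168.1.50", "192.168.1.200", 80, "A"),
    # slow SYN sweep from .101: one SYN per minute, SYN/ACKs torn down with RST
    *[(60.0 * i, "192.168.1.101", "192.168.1.200", p, "S")
      for i, p in enumerate((22, 25, 80, 135, 139, 445))],
    *[(60.0 * i + 0.01, "192.168.1.101", "192.168.1.200", p, "R")
      for i, p in enumerate((22, 80, 445))],
    # a single Xmas probe from the same source
    (400.0, "192.168.1.101", "192.168.1.200", 443, "FPU"),
]

XMAS = {"F", "P", "U"}


def is_xmas(flags):
    """FIN, PSH and URG set together without SYN/ACK never occurs in a real session."""
    s = set(flags)
    return XMAS <= s and not ({"S", "A"} & s)


def find_scanners(packets, min_ports=5, window_s=900.0):
    """Return {src: sorted ports} for sources whose SYNs to >= min_ports distinct
    ports within window_s seconds were never followed by that client's own ACK."""
    packets = sorted(packets)
    # (src, dst, port) triples where the client finished the three-way handshake
    completed = {(src, dst, port) for _, src, dst, port, fl in packets
                 if "A" in fl and "S" not in fl}
    syns = defaultdict(list)  # src -> [(timestamp, dst_port)] of half-open SYNs
    for ts, src, dst, port, fl in packets:
        if fl == "S" and (src, dst, port) not in completed:
            syns[src].append((ts, port))
    hits = {}
    for src, events in syns.items():
        # sliding window over timestamps, so a slow sweep still accumulates
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


def find_xmas_sources(packets):
    """Sources that sent at least one Xmas-flagged segment."""
    return sorted({src for _, src, _, _, fl in packets if is_xmas(fl)})
```

    With the constructed records, 192.168.1.101 is reported for both behaviours while the legitimate client on .50 is not; shrinking window_s below the sweep's spacing is how a slow scan slips past a naive detector.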

  7. #7
    Quote Originally Posted by lawrencethepentester:
    Hello friend ..

    Here are some nmap commands ... try them to evade:

    SYN scan
    nmap -sS ip address
    UDP scan
    nmap -sU ip
    Xmas (the Xmas scan is -sX; -sZ is the SCTP COOKIE ECHO scan)
    nmap -sX ip

    comprehensive
    nmap -PN ip address


    Thanks friend, no help. I think I should go for Gordon Fyodor's book "Nmap Network Scanning".

  8. #8
    Try denial of service .. maybe that could help ...

  9. #9
    Any special tool for doing DoS you recommend?

  10. #10
    Look, try UDP Flood ... it works successfully ... I pentested NOD32 1 year ago ... it's down when RAM memory goes too high .. so after that the NOD service on-demand scan stops working ... really .. all its scan results come back clear .. so about the firewall I think it's the same case .. so try it, maybe it works ...

    UDP.pl

  12. #12
    Is that included in Kali?

  13. #13
    Yes, I think so ..

  14. #14
    Any stronger one?
