Firewall & IDS Evasion
Network security devices such as firewalls, intrusion detection systems (IDS), and packet filters can block or alert on standard Nmap scans. Nmap provides several techniques to manipulate packet structure and scan behavior to bypass or reduce the likelihood of detection.
Evasion techniques increase the potential for operational impact and misattribution. Confirm authorization and applicable ROE before employing any evasion technique in an operational environment.
Packet Fragmentationβ
Fragment Packets (-f)β
nmap -f 192.168.1.1
- Use Case: Bypassing simple packet inspection firewalls and IDS rules that rely on inspecting complete TCP headers.
- Why:
-fsplits probe packets into 8-byte IP fragments. Some firewalls and IDS systems cannot reassemble or inspect fragmented packets, allowing probes to pass undetected.
Custom MTU Fragmentation (--mtu)β
nmap --mtu 16 192.168.1.1
- Use Case: More granular control over fragment size than
-f. - Why:
--mtuspecifies a custom offset size in multiples of 8 bytes. Smaller fragments are harder for some inspection devices to process, but very small values may cause issues with hosts that enforce minimum packet sizes.
Decoy Scanningβ
Decoy Scan (-D)β
nmap -D RND:10 192.168.1.1
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1
- Use Case: Obscuring the true source of a scan by generating traffic from multiple spoofed IPs alongside your real packets.
- Why:
-Dinserts packets with spoofed source IPs alongside your actual scan traffic. To a defender reviewing logs, it appears that multiple hosts are scanning simultaneously, making your real IP difficult to identify.RND:10generates 10 random decoy IPs;MEexplicitly includes your real IP in the sequence.
Decoys are most effective against simple log-based detection. Active defenders or correlation tools may still identify the true scanning host based on TTL values, routing asymmetries, or behavioral differences between real and spoofed packets.
Source Port Manipulationβ
Spoof Source Port (--source-port / -g)β
nmap --source-port 53 192.168.1.1
nmap -g 80 192.168.1.1
- Use Case: Bypassing firewall rules that trust inbound traffic from specific source ports (e.g., DNS port 53, HTTP port 80).
- Why: Some firewalls are configured to allow traffic originating from well-known source ports. Using
-g 53makes all Nmap probes appear to originate from port 53, potentially bypassing those permissive rules.
Idle (Zombie) Scanβ
Idle Scan (-sI)β
nmap -sI 192.168.1.100 192.168.1.1
- Use Case: Completely stealthy port scan where your real IP never appears in target logs.
- Why:
-sIuses a third-party "zombie" host (a host with predictable IP ID increments) to send probes on your behalf. The target only sees traffic from the zombie host, making your actual IP undetectable. Requires identifying a suitable zombie with a predictable, incrementing IP ID sequence.
Use the ipidseq NSE script to identify hosts with predictable IP ID sequences that are suitable as zombie candidates:
nmap --script ipidseq 192.168.1.0/24
Hosts reported as Incremental or Broken little-endian incremental are viable zombie candidates.
Data and Timing Obfuscationβ
Append Random Data (--data-length)β
nmap --data-length 25 192.168.1.1
- Use Case: Defeating IDS signatures that match on specific probe packet sizes.
- Why: Pads packets with random data to alter their size, breaking signature-based detection rules that expect specific Nmap probe lengths.
Spoof MAC Address (--spoof-mac)β
nmap --spoof-mac 0 192.168.1.0/24
nmap --spoof-mac Dell 192.168.1.0/24
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.0/24
- Use Case: Hiding or changing the apparent source MAC address for scans conducted on the local network segment.
- Why:
--spoof-mac 0generates a random MAC; a vendor name (e.g.,Dell) generates a random MAC from that vendor's OUI range; a specific MAC sets an explicit value. Effective only on layer 2 β has no effect on routed traffic.
MAC address spoofing only affects layer 2 traffic on the local network segment. It has no effect on scans routed across layer 3 boundaries (routers, firewalls).
Bad Checksum Probe (--badsum)β
nmap --badsum 192.168.1.1
- Use Case: Testing whether a firewall or IDS is performing stateless packet inspection by checking if it responds to packets with invalid checksums.
- Why: Real operating systems drop packets with bad checksums; devices that respond to them are performing stateless inspection. Useful for characterizing network device behavior.
Combining Evasion Techniquesβ
Evasion techniques are most effective when layered. The following example fragments packets, appends random data, spoofs source port 53, uses 5 random decoys, and slows the scan timing:
nmap -f --data-length 25 --source-port 53 -D RND:5 -T1 192.168.1.1
Combining evasion techniques significantly increases total scan time. Use --host-timeout to prevent scans from running excessively long against unresponsive hosts:
nmap -f --data-length 25 -D RND:5 -T1 --host-timeout 5m 192.168.1.0/24