Nmap firewall evasion

All mainstream firewalls and IDSs ship with rules that detect Nmap scans, so to scan at all you need to evade the firewall and IDS.

Customizing packets

Customizing packets means not using Nmap's default probes. A firewall usually filters on well-known packet shapes and port rules, so a customized probe can slip past it.

Using a trusted source port

A trusted source port is one from which the firewall allows traffic through to the target's services, such as port 53 for DNS or port 67 for DHCP. Nmap offers two options for choosing a trusted source port:

  • --source-port: send probes from the given trusted source port
  • -g: shorthand for --source-port
# Scan the target host using source port 67
$ nmap --packet-trace -sn -PS --source-port 67 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 22:06 China Standard Time
# The probe is sent from port 67, as shown
SENT (3.2830s) TCP 192.168.1.7:67 > 121.199.61.226:80 S ttl=59 id=56728 iplen=44 seq=1197688321 win=1024 <mss 1460>
RCVD (3.3150s) TCP 121.199.61.226:80 > 192.168.1.7:67 SA ttl=117 id=702 iplen=44 seq=691221889 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz
Host is up (0.032s latency).
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds

Specifying the checksum

The checksum is a value computed to verify a packet's integrity. Sending a probe with a deliberately wrong checksum can also evade firewalls and IDSs: a conforming TCP/IP stack silently discards a segment whose checksum does not verify, so any reply to such a probe comes from a device in the path that did not check it.

  • --badsum: send probes with a bogus TCP/UDP/SCTP checksum
  • --adler32: use Adler32 for the SCTP checksum
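To show what the receiving stack actually checks when it validates a probe, here is an added example (not code from the original post) that verifies the TCP checksum of a raw IPv4 packet, pseudo-header included. The packet builder in it constructs a minimal SYN purely as test input, once with a correct checksum and once with a single flipped bit; the addresses and ports are constructed for the example.

```python
"""Check the TCP checksum of a raw IPv4 packet.

Added example, not code from the original post. A conforming TCP/IP stack
discards a segment whose checksum does not verify, so a probe sent with
--badsum should never draw a reply from the end host itself; a reply means
something in front of it answered without checking.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum of an IPv4 packet verifies (pseudo-header included)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    # Pseudo-header: source IP, destination IP, zero, protocol, TCP length.
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(segment))
    # Summing pseudo-header plus the segment, checksum field included,
    # gives 0xFFFF exactly when the stored checksum is correct.
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, bad_checksum: bool = False) -> bytes:
    """Build a minimal IPv4/TCP SYN (constructed test input); optionally corrupt its checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    seq = 0x12345678
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    ck = checksum(pseudo + tcp)
    if bad_checksum:
        ck ^= 0x0001  # one flipped bit is enough to make the checksum bogus
    tcp = tcp[:16] + struct.pack("!H", ck) + tcp[18:]
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    good = build_syn("192.0.2.7", "203.0.113.10", 40000, 80)
    bad = build_syn("192.0.2.7", "203.0.113.10", 40000, 80, bad_checksum=True)
    print("valid checksum verifies:", tcp_checksum_ok(good))
    print("corrupted checksum verifies:", tcp_checksum_ok(bad))
```

A sensor that sits in front of a host can run the same verification on captured packets: a SYN that fails it was never going to be accepted by the host, so any response it provokes is coming from the sensor's own side of the path.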

Appending a data payload

By default Nmap sends only a packet header. A normal host does not send empty packets, and empty packets are easy for a firewall or IDS to spot and block. To avoid sending empty packets, a data payload can be appended so the probe looks like a meaningful packet. In the trace below the probe's iplen grows from 44 to 69 bytes, which is the 25 appended bytes.

  • --data-length: append the given number of random bytes to each probe
  • --data: append the given bytes, written in hexadecimal
  • --data-string: append the given text string
# Append 25 random bytes to the probe and run the scan
$ nmap --packet-trace -sn -PS --data-length 25 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 22:30 China Standard Time
SENT (0.4480s) TCP 192.168.1.7:59188 > 121.199.61.226:80 S ttl=53 id=39352 iplen=69 seq=3315769448 win=1024 <mss 1460>
RCVD (0.4770s) TCP 121.199.61.226:80 > 192.168.1.7:59188 SA ttl=117 id=703 iplen=44 seq=3925981008 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz
Host is up (0.029s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds

Customizing the packet's transmission path

Packets that follow the normal network path may be intercepted by the firewall and IDS, so the transmission path can be chosen to go around the firewall.

Using a proxy

A proxy forwards the packets one host sends on to the target host through the proxy host. Note that the trace below still shows the SYN leaving 192.168.1.7 directly: in Nmap, --proxies is honoured only by the connections its nsock library makes (version detection and NSE scripts), not by raw-packet host discovery or port scanning, so this run was not actually relayed.

  • --proxies: relay through an HTTP or SOCKS4 proxy
# Relay through an HTTP proxy
$ nmap --packet-trace -sn -PS --proxies http://www.baidu.com:80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 22:43 China Standard Time
SENT (0.5310s) TCP 192.168.1.7:42114 > 121.199.61.226:80 S ttl=41 id=56455 iplen=44 seq=1577994992 win=1024 <mss 1460>
RCVD (0.5590s) TCP 121.199.61.226:80 > 192.168.1.7:42114 SA ttl=117 id=704 iplen=44 seq=3266639089 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz
Host is up (0.028s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds

Specifying the TTL

Time to live (TTL) is the maximum number of hops an IP packet may traverse before a router discards it; it tells routers whether the packet has been in the network too long and should be dropped. The earlier traces show replies arriving with ttl=117, which suggests the target is about 11 hops away (128 minus 117), so in the run below the probes with a TTL of 10 expire in transit and the host appears down.

  • --ttl: set the IP TTL of outgoing probes
# Set the TTL to 10 and run host discovery
$ nmap --packet-trace -sn -PS --ttl 10 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 22:51 China Standard Time
SENT (0.4280s) TCP 192.168.1.7:54515 > 121.199.61.226:80 S ttl=10 id=58025 iplen=44 seq=3173099416 win=1024 <mss 1460>
SENT (1.4400s) TCP 192.168.1.7:54517 > 121.199.61.226:80 S ttl=10 id=60709 iplen=44 seq=3173230490 win=1024 <mss 1460>
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.50 seconds

Hiding yourself

Decoy scanning

A decoy scan makes the target host believe that other hosts are scanning it as well.

  • -D: specify a set of decoy IP addresses; RND:n can be used instead to generate n random decoy addresses
# Host discovery using 5 random decoy addresses
$ nmap --packet-trace -sn -PS -D RND:5 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 23:14 China Standard Time
SENT (0.4530s) TCP 203.95.157.187:62169 > 121.199.61.226:80 S ttl=39 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4540s) TCP 128.78.165.248:62169 > 121.199.61.226:80 S ttl=49 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4540s) TCP 62.112.65.234:62169 > 121.199.61.226:80 S ttl=55 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4550s) TCP 19.75.172.153:62169 > 121.199.61.226:80 S ttl=52 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4560s) TCP 192.168.1.7:62169 > 121.199.61.226:80 S ttl=39 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4560s) TCP 65.29.168.76:62169 > 121.199.61.226:80 S ttl=47 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
RCVD (0.4900s) TCP 121.199.61.226:80 > 192.168.1.7:62169 SA ttl=117 id=917 iplen=44 seq=972294997 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.038s latency).
Nmap done: 1 IP address (1 host up) scanned in 6.05 seconds
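Seen from the target's side, the three customizations above each leave a mark: the source-port run sends a SYN from port 67, the data-length run sends a SYN that carries 25 bytes of payload, and the decoy run sends SYNs from six addresses that share the same source port, IP id and sequence number. The following added example (not code from the original post) parses lines in the same layout as Nmap's --packet-trace output and reports all three. The sample trace, the list of trusted service ports and the addresses in it are constructed for the example; the option sizes are the on-the-wire lengths of the TCP options Nmap prints by name.

```python
"""Flag evasion-style probes in a packet trace.

Added example, not code from the original post. Parses lines shaped like
Nmap's --packet-trace output (the sample below is constructed, using
documentation-range addresses) and reports SYNs from trusted service ports,
SYNs carrying a payload, and decoy sets that share sport/id/seq.
"""
import re
from collections import defaultdict

TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) iplen=(?P<iplen>\d+) "
    r"seq=(?P<seq>\d+) win=(?P<win>\d+)(?: <(?P<opts>[^>]*)>)?$"
)

# Ports a perimeter filter commonly trusts as sources (assumed list for this example).
TRUSTED_SERVICE_PORTS = {20, 53, 67, 88}

# On-the-wire size of the TCP options Nmap prints by name.
OPTION_BYTES = {"mss": 4, "sackOK": 2, "timestamp": 10, "wscale": 3, "nop": 1, "eol": 1}

# Constructed sample: one source-port-67 probe, one padded probe, a three-address
# decoy set, and one ordinary SYN with a full option set plus its reply.
SAMPLE_TRACE = """\
SENT (0.1000s) TCP 192.0.2.7:67 > 203.0.113.10:80 S ttl=59 id=56728 iplen=44 seq=1197688321 win=1024 <mss 1460>
SENT (0.2000s) TCP 192.0.2.7:59188 > 203.0.113.10:80 S ttl=53 id=39352 iplen=69 seq=3315769448 win=1024 <mss 1460>
SENT (0.3000s) TCP 198.51.100.187:62169 > 203.0.113.10:80 S ttl=39 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.3010s) TCP 198.51.100.248:62169 > 203.0.113.10:80 S ttl=49 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.3020s) TCP 192.0.2.7:62169 > 203.0.113.10:80 S ttl=39 id=39127 iplen=44 seq=528626996 win=1024 <mss 1460>
SENT (0.4000s) TCP 192.0.2.50:44321 > 203.0.113.10:443 S ttl=64 id=1 iplen=60 seq=100 win=65535 <mss 1460,sackOK,timestamp 1 0,nop,wscale 7>
RCVD (0.4300s) TCP 203.0.113.10:443 > 192.0.2.50:44321 SA ttl=117 id=917 iplen=44 seq=972294997 win=8192 <mss 1400>
"""


def parse_trace(lines):
    """Parse trace lines into dicts; lines that are not TCP packet records are skipped."""
    records = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "ttl", "id", "iplen", "seq", "win"):
            r[k] = int(r[k])
        records.append(r)
    return records


def payload_len(r):
    """Bytes beyond IP header (20) + TCP header (20) + printed options; 0 if an option is unknown."""
    opt_bytes = 0
    if r["opts"]:
        for tok in r["opts"].split(","):
            name = tok.strip().split()[0]
            if name not in OPTION_BYTES:
                return 0  # cannot size the header, so stay conservative
            opt_bytes += OPTION_BYTES[name]
    return max(0, r["iplen"] - 40 - opt_bytes)


def find_anomalies(records):
    """Return (kind, source, detail) findings for SYN-only records."""
    findings = []
    groups = defaultdict(set)
    for r in records:
        if r["flags"] != "S":
            continue
        if r["sport"] in TRUSTED_SERVICE_PORTS:
            # A service never opens a new connection from its own listening port,
            # so a SYN with such a source port is not a reply to anything.
            findings.append(("syn-from-service-port", r["src"], f"sport={r['sport']} dport={r['dport']}"))
        n = payload_len(r)
        if n:
            findings.append(("syn-with-payload", r["src"], f"{n} bytes"))
        groups[(r["dst"], r["dport"], r["sport"], r["id"], r["seq"])].add(r["src"])
    for (dst, dport, sport, ipid, seq), srcs in groups.items():
        if len(srcs) > 1:
            # Identical sport/id/seq from several sources at once is one scanner plus decoys.
            findings.append(("decoy-set", ",".join(sorted(srcs)),
                             f"{len(srcs)} sources share sport={sport} id={ipid} seq={seq} to {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in find_anomalies(parse_trace(SAMPLE_TRACE.splitlines())):
        print(f"{kind:22} {src:40} {detail}")
```

The decoy finding deliberately lists every address in the set rather than guessing which one is real: from these header fields alone the real scanner is indistinguishable from its decoys, which is exactly the effect -D is designed to produce, and a responder should treat the whole set as one event.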

Spoofing the source address

The source address is the source IP address of the probes Nmap sends; spoofing it makes the target host believe a different IP address is scanning it.

  • -S: specify a spoofed source IP address; it must be used together with -e and -Pn. Because replies go to the spoofed address, Nmap never sees them: the "Host is up." in the last run below is only the result of -Pn skipping host discovery, not evidence of a reply.
$ nmap --packet-trace -sn -PS -S 192.168.1.1 www.diaoan.xyz
WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -Pn . If you are using it to specify your real source address, you can ignore this warning.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 23:19 China Standard Time
Could not figure out what device to send the packet out on with the source address you gave me! If you are trying to sp00f your scan, this is normal, just give the -e eth0 or -e ppp0 or whatever. Otherwise you can still use -e, but I find it kind of fishy.
QUITTING!
$ nmap --packet-trace -sn -Pn -S 192.168.1.1 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 23:19 China Standard Time
Could not figure out what device to send the packet out on with the source address you gave me! If you are trying to sp00f your scan, this is normal, just give the -e eth0 or -e ppp0 or whatever. Otherwise you can still use -e, but I find it kind of fishy.
QUITTING!
$ nmap --packet-trace -sn -Pn -S 192.168.1.1 -e eho0 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 23:20 China Standard Time
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 9.96 seconds

Spoofing the MAC address

When Nmap scans, the frames it sends carry its MAC address. Nmap offers an option for specifying a spoofed MAC address; note that the MAC address is only visible on the local layer-2 segment and is rewritten at the first router.

  • --spoof-mac: specify a spoofed MAC address. If the argument is 0, Nmap picks a completely random MAC address; if it is a vendor name, Nmap uses that vendor's OUI and fills the remaining three bytes randomly.
# Host discovery with a spoofed Apple MAC address
$ nmap --packet-trace -sn -PS --spoof-mac Apple www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-09 23:39 China Standard Time
Spoofing MAC address 00:03:93:5E:59:32 (Apple)
SENT (0.4570s) TCP 192.168.1.7:50396 > 121.199.61.226:80 S ttl=39 id=33276 iplen=44 seq=3907881348 win=1024 <mss 1460>
SENT (1.4670s) TCP 192.168.1.7:50398 > 121.199.61.226:80 S ttl=40 id=10079 iplen=44 seq=3908012422 win=1024 <mss 1460>
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.53 seconds