Nmap Evasion

Staying quiet

Fragmentation: By chopping our packets into small fragments, no single fragment carries enough context to trigger a firewall rule. Some IDSs can reassemble fragments before inspecting them, and against those this won't work.
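As an added example (not from the original notes), the following Python models why fragmentation only hides a signature from a device that inspects each fragment on its own: a per-fragment matcher misses a pattern split across two fragments, while an IDS that reassembles by offset sees the whole payload again. The payload, signature and 8-byte fragment size are constructed for illustration (8 bytes mirrors what nmap's -f option produces).

```python
# Added example, not part of the original notes. Shows the difference between
# matching a signature per fragment and matching after reassembly by offset.
import random
from typing import List, Tuple

Fragment = Tuple[int, bytes]  # (offset, data), like the IP fragment offset field

SIGNATURE = b"/etc/passwd"  # constructed content signature an IDS rule might carry


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split payload into fragments of at most `size` bytes, each tagged with its offset."""
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def naive_match(frags: List[Fragment], signature: bytes) -> bool:
    """Inspect every fragment in isolation, without reassembly."""
    return any(signature in data for _, data in frags)


def reassemble(frags: List[Fragment]) -> bytes:
    """Order fragments by offset and stitch them back together, as a reassembling
    IDS does. A gap or overlap raises instead of being silently accepted."""
    buf = bytearray()
    for off, data in sorted(frags, key=lambda f: f[0]):
        if off != len(buf):
            raise ValueError(f"gap or overlap at offset {off}")
        buf.extend(data)
    return bytes(buf)


def reassembled_match(frags: List[Fragment], signature: bytes) -> bool:
    """Inspect the payload only after it has been put back together."""
    return signature in reassemble(frags)


def demo(seed: int = 1) -> Tuple[bool, bool]:
    """Return (per-fragment hit, reassembled hit) for a constructed request that is
    cut into 8-byte fragments and arrives out of order."""
    payload = b"GET /../../etc/passwd HTTP/1.0\r\n"  # constructed request
    frags = fragment(payload, 8)
    random.Random(seed).shuffle(frags)  # fragments rarely arrive in order
    return naive_match(frags, SIGNATURE), reassembled_match(frags, SIGNATURE)


if __name__ == "__main__":
    print(demo())
```

The per-fragment check comes back False because the 11-byte signature cannot fit inside any 8-byte fragment, which is exactly the gap the technique relies on; the reassembling check comes back True, which is why the note above says it fails against an IDS that rebuilds packets.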

Decoys: Send traffic from spoofed IPs at the same time as our scan, so that our real IP is hopefully overlooked. We want to make sure the frequency of our IP is not noticeable in the set of scanning sources. This adds confusion, makes investigation harder for an analyst, and buys time in the case of incident response.

Decoy Scan Ex1:

#nmap -sS -D <decoyIP1>,<decoyIP2>,<decoyIP3>,ME,<decoyIP4> <target>

We can also leave out ME if we want nmap to pick our position in the list. This will not work with connect scans (-sT) or version detection (-sV).

Decoy Scan Ex2: Scan port 80 using 10 random decoy IPs:

#nmap -D RND:10 <target> -sS -p 80 -Pn --disable-arp-ping

You could also use --randomize-hosts to make scans even stealthier, but note that the more of these options we stack, the longer scans will take when covering massive CIDRs.

Source ports: Firewall rules are often looser with traffic from certain common/expected ports. We use --source-port or -g to spoof the source port. Won't work on connect scans.

Spoof port and MAC scan: This confuses IDS systems and bypasses firewall rules that might only allow traffic from certain ports, such as DNS:

#nmap --source-port 53 --spoof-mac cisco 192.168.2.1 -sS -Pn --disable-arp-ping -n

Timing: Add time between each scan probe to bypass time-based rules and analyst investigation. It's good to add a max retry (--max-retries) to this as well.
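From the defender's side, the decoy and source-port tricks above leave traces that are easy to look for in firewall or flow logs. The Python below is an added example, not from the original notes, and runs two checks over constructed log lines: it groups SYNs per target into bursts with many distinct sources (the decoy pattern), then intersects the source sets of separate bursts, because decoys drawn with RND change from run to run while the real scanner keeps reappearing; and it flags SYNs that originate from a well-known service port (53, 20, 80) towards an unrelated service, which is not how a DNS, FTP or HTTP server behaves. Addresses, timestamps and the log format are all constructed.

```python
# Added example, not part of the original notes. Detection logic for decoy bursts
# and source-port abuse over constructed firewall log lines.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed log: two decoy scans on different days against 192.168.2.1:22,
# one normal client connection, one SYN from source port 53, one real TCP DNS SYN.
LOG = """\
2024-05-01T09:00:00 SYN 198.51.100.7:40001 -> 192.168.2.1:22
2024-05-01T09:00:00 SYN 203.0.113.9:40001 -> 192.168.2.1:22
2024-05-01T09:00:00 SYN 203.0.113.44:40001 -> 192.168.2.1:22
2024-05-01T09:00:01 SYN 198.51.100.80:40001 -> 192.168.2.1:22
2024-05-01T09:00:01 SYN 203.0.113.50:40001 -> 192.168.2.1:22
2024-05-01T09:05:00 SYN 192.0.2.10:51022 -> 192.168.2.1:443
2024-05-02T14:30:00 SYN 203.0.113.44:40002 -> 192.168.2.1:22
2024-05-02T14:30:00 SYN 198.51.100.120:40002 -> 192.168.2.1:22
2024-05-02T14:30:01 SYN 203.0.113.200:40002 -> 192.168.2.1:22
2024-05-02T14:30:01 SYN 198.51.100.33:40002 -> 192.168.2.1:22
2024-05-02T14:30:01 SYN 192.0.2.77:40002 -> 192.168.2.1:22
2024-05-03T08:00:00 SYN 203.0.113.44:53 -> 192.168.2.1:445
2024-05-03T08:00:02 SYN 192.0.2.53:53 -> 192.168.2.1:53
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed 'ts flags src:sport -> dst:dport' format, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a flow record
        ts, flags, src, sport, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "flags": flags,
                       "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])


def find_bursts(events: List[Dict], window_s: int = 5, min_sources: int = 4) -> List[Dict]:
    """Per (dst, dport), cut the SYN stream wherever consecutive probes are more than
    window_s apart, then keep bursts that involve at least min_sources distinct sources."""
    by_target = defaultdict(list)
    for e in events:
        if e["flags"] == "SYN":
            by_target[(e["dst"], e["dport"])].append(e)
    bursts = []
    for target, evs in by_target.items():
        current = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() <= window_s:
                current.append(cur)
            else:
                bursts.append((target, current))
                current = [cur]
        bursts.append((target, current))
    result = []
    for target, evs in bursts:
        sources = {e["src"] for e in evs}
        if len(sources) >= min_sources:
            result.append({"target": target, "start": evs[0]["ts"], "sources": sources})
    return result


def likely_real_sources(bursts: List[Dict]) -> Set[str]:
    """Sources present in every decoy burst. Random decoys differ between runs, so the
    address that keeps showing up is the most likely real scanner."""
    if len(bursts) < 2:
        return set()
    common = set(bursts[0]["sources"])
    for b in bursts[1:]:
        common &= b["sources"]
    return common


PRIVILEGED_SRC_PORTS = {20, 53, 80}


def source_port_anomalies(events: List[Dict]) -> List[Tuple[str, int, int]]:
    """SYNs sent *from* a service port to a different service: clients normally use
    ephemeral ports, so this is a sign of --source-port/-g use."""
    return [(e["src"], e["sport"], e["dport"]) for e in events
            if e["flags"] == "SYN" and e["sport"] in PRIVILEGED_SRC_PORTS
            and e["dport"] != e["sport"]]


if __name__ == "__main__":
    evs = parse_log(LOG)
    bursts = find_bursts(evs)
    print("decoy bursts:", [(b["target"], b["start"], len(b["sources"])) for b in bursts])
    print("recurring source:", likely_real_sources(bursts))
    print("source-port anomalies:", source_port_anomalies(evs))
```

On the constructed log the two bursts share exactly one source, 203.0.113.44, and the same address is the one that later sends a SYN from port 53 to 445; the TCP DNS connection (53 to 53) is left alone. The window and source-count thresholds are knobs to tune against real traffic, and the intersection only works once more than one burst has been captured.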

Idle/Zombie Scan (Nmap)

This scan uses a trusted device on the network as a zombie. We spoof the device's address during our port probe, then query the zombie (the trusted device) to see how it responded.

Detailed Steps:

  1. Probe the zombie's IP ID with a SYN/ACK and record its value.

  2. Since the packet is unexpected, the zombie answers with a RST packet carrying the IP ID we need to note.

  3. Forge a SYN packet with the source IP spoofed to the trusted device's address, and send it to the port on our target that we want to scan.

  4. Probe the zombie again with a SYN/ACK to get its IP ID again; the port is open if the ID has incremented twice.

First, find a zombie:

#nmap -O -v <ip or cidr>

If an idle scan is possible you will see the IP ID sequence reported as Incremental (so we can infer an open or closed port).

Then run the scan:

#nmap -Pn -sI <Zombie IP>:<Target Port> <Target IP> -v

-Pn stops the extra scan traffic going from our PC to the target (which would mess up the increments). We are using nmap's default ports, but you can also specify ports in the usual ways. We can also add --packet-trace to include a dump of our traffic in the command output.

Why this works:

This works with RFC-compliant devices because the TCP RFC defines the rules of the 3-way handshake. By sending the 2nd part of the handshake (a SYN/ACK) unsolicited, we force a compliant system to send us a RST. If a host's IP IDs on those RSTs are incremental, we can abuse the standard.

Idle/Zombie Scan (hping3):

Find an open port on a potential zombie:

hping3 -S --scan known <zombie ip>

Check if it will be a good zombie:

hping3 -S -r -p <port> <zombie ip>

-r shows the relative ID field. If the ID increments by 1 every time in the output, it's a good zombie candidate.

Craft the zombie command:

hping3 -a <zombie ip> -S -p <target port> <target IP>

-a spoofs the zombie's source address; -S enables the SYN flag only.

Monitor the zombie:

hping3 -S -r -p <zombie port> <zombie ip>
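To make the IP ID side channel concrete, here is an added simulation (not from the original notes, and not a packet sender) that plays out the exchange between scanner, zombie and target with each side's messages spelled out. It covers the four nmap steps above and the hping3 "-r increments by 1" usability check, and it also shows the two things that break the inference: other traffic reaching the zombie between the two probes, and a zombie whose IP IDs are randomized rather than incremental, which is the stack-level mitigation most modern systems ship with. Hosts, ports, counter values and the noise source are all constructed.

```python
# Added example, not part of the original notes. A model of the idle scan's IP ID
# side channel; no packets are sent.
import random
from typing import Dict, Iterable, Optional

Packet = Dict[str, object]


class Zombie:
    """Idle host whose IP ID is one global counter bumped on every packet it sends
    (the 'IP ID Sequence: Incremental' behaviour the notes look for). With
    randomize=True the field is drawn at random, as modern stacks do."""

    def __init__(self, ip: str, start_id: int = 1000, randomize: bool = False, seed: int = 0):
        self.ip = ip
        self.ip_id = start_id
        self.randomize = randomize
        self.rng = random.Random(seed)

    def send(self, dst: str, flags: str) -> Packet:
        # Every packet the zombie emits consumes one IP ID value.
        self.ip_id = self.rng.randrange(65536) if self.randomize else (self.ip_id + 1) & 0xFFFF
        return {"src": self.ip, "dst": dst, "flags": flags, "id": self.ip_id}

    def receive(self, pkt: Packet) -> Optional[Packet]:
        # RFC 793: a SYN/ACK that matches no connection is answered with a RST;
        # an incoming RST is dropped silently, so it costs no IP ID.
        if pkt["flags"] == "SYN/ACK":
            return self.send(str(pkt["src"]), "RST")
        return None


class Target:
    """Host being scanned. Open ports answer SYN with SYN/ACK, closed ports with RST,
    filtered ports (firewall drop) with nothing. Replies go to the packet's source."""

    def __init__(self, ip: str, open_ports: Iterable[int], filtered_ports: Iterable[int] = ()):
        self.ip = ip
        self.open = set(open_ports)
        self.filtered = set(filtered_ports)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt["flags"] != "SYN" or pkt["dport"] in self.filtered:
            return None
        flags = "SYN/ACK" if pkt["dport"] in self.open else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


def probe_ip_id(zombie: Zombie, scanner_ip: str) -> int:
    """Steps 1 and 4: unsolicited SYN/ACK to the zombie; its RST carries the current IP ID."""
    reply = zombie.receive({"src": scanner_ip, "dst": zombie.ip, "flags": "SYN/ACK"})
    return int(reply["id"])


def zombie_is_usable(zombie: Zombie, scanner_ip: str, samples: int = 4) -> bool:
    """The hping3 -r style check: consecutive probes must differ by exactly 1."""
    ids = [probe_ip_id(zombie, scanner_ip) for _ in range(samples + 1)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(scanner_ip: str, zombie: Zombie, target: Target, port: int,
              other_zombie_traffic: int = 0) -> str:
    """Classify one target port from the zombie's IP ID delta between two probes."""
    before = probe_ip_id(zombie, scanner_ip)
    # Step 3: SYN to the target with the zombie's address as source, so any reply
    # goes to the zombie, never to the scanner.
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "dport": port, "flags": "SYN"})
    if reply is not None:
        zombie.receive(reply)  # SYN/ACK makes the zombie RST (one ID burned); RST does nothing
    # Busy-zombie caveat: unrelated hosts talking to the zombie also burn IDs.
    for _ in range(other_zombie_traffic):
        zombie.receive({"src": "10.9.9.9", "dst": zombie.ip, "flags": "SYN/ACK"})  # constructed noise
    after = probe_ip_id(zombie, scanner_ip)
    delta = (after - before) & 0xFFFF
    return {2: "open", 1: "closed|filtered"}.get(delta, "unknown")


if __name__ == "__main__":
    z = Zombie("192.168.2.50")
    t = Target("192.168.2.1", open_ports={22, 80}, filtered_ports={445})
    for p in (22, 23, 445):
        print(p, idle_scan("10.0.0.5", z, t, p))
    print("noisy zombie:", idle_scan("10.0.0.5", z, t, 80, other_zombie_traffic=3))
    print("random IP IDs usable:", zombie_is_usable(Zombie("192.168.2.51", randomize=True), "10.0.0.5"))
```

A delta of 2 means the zombie sent one extra packet, which only happens when the target answered it with a SYN/ACK, so the port is open; a delta of 1 cannot distinguish closed from filtered, which is why the result is reported as closed|filtered. Any other delta means something else used the zombie's counter and the probe has to be repeated. Against a zombie with randomized IP IDs the usability check fails immediately, which is the whole reason the first step is to look for an Incremental sequence.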

Firewall and IDS Evasion:

Nmap can spoof addresses and modify MTUs, packets and headers, along with using proxies, randomizing the spoofed options, and waiting between egressed packets. All of this can make a lead SOC analyst sweat and, when done well, bypass most SOC teams entirely.
