Nmap Evading Firewalls


Warnings to take into consideration:
→ Scanning a network without the owner's permission can land you in jail.
→ Aggressively scanning can cause the system to crash.

This article is for educational purposes only.

  • The majority of companies monitor traffic with an Intrusion Detection System (IDS). IDSs are designed in such a way that they can easily detect an Nmap scan. Many of these products have recently evolved into Intrusion Prevention Systems (IPS) that actively block traffic that appears malicious.
  • Nmap does have certain features that can be used to bypass IDS/IPS and firewalls.
  • There is no Nmap option for detecting a firewall or IPS/IDS. It requires skill and experience.

So let's have a look at these Nmap features.

Fragment Packets
The -f option enables Nmap to use tiny fragmented IP packets.
Usage: nmap -f [Target]
Example: nmap -f scanme.nmap.org

The -f option causes the requested scan, including ping scans, to use tiny fragmented IP packets of 8 bytes.

Nmap basically splits the TCP header across several packets, which makes the scan harder to detect.

This technique is easily detected; it is useful against older or improperly configured firewalls.

We can also specify our own offset size by using the --mtu option.
Usage: nmap --mtu 16 [Target]
Example: nmap --mtu 16 scanme.nmap.org

The --mtu option is similar to the -f option; the difference is that here we specify our own Maximum Transmission Unit (MTU).

Do not use the -f option while you are using --mtu.

The MTU size must be a multiple of 8 (i.e. 8, 16, 24 and so on).

In the above example we have set the MTU size to 16.

Fragmentation is only supported for TCP and UDP port scans (except connect scan and FTP bounce scan) and OS detection.
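On the detection side, the two checks from RFC 1858 (a first TCP fragment shorter than a full TCP header, and any TCP fragment at offset 1) are what flag traffic fragmented this way. The following is an added example, not part of the original article; the addresses and packets are constructed documentation values, and the helper names are hypothetical.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20  # TCP header without options, in bytes

def ipv4_packet(offset_units, more_fragments, payload, proto=TCP):
    """Build a constructed IPv4 packet (header checksum left at 0, unused here)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return header + payload

def classify(packet):
    """Apply the RFC 1858 tiny-fragment checks to one raw IPv4 packet."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset_units = flags_frag & 0x1FFF      # fragment offset in 8-byte units
    payload_len = total_len - header_len
    if not more and offset_units == 0:
        return "not-fragmented"
    if proto == TCP and offset_units == 0 and payload_len < MIN_TCP_HEADER:
        return "tiny-first-fragment"        # TCP header split across fragments
    if proto == TCP and offset_units == 1:
        return "offset-1-fragment"          # would land inside the TCP header
    return "fragment"

def sample_capture():
    """Constructed traffic: a 20-byte TCP header cut the way the text describes."""
    tcp_header = bytes(20)
    return [
        ipv4_packet(0, True, tcp_header[0:8]),     # 8-byte pieces (-f)
        ipv4_packet(1, True, tcp_header[8:16]),
        ipv4_packet(2, False, tcp_header[16:20]),
        ipv4_packet(0, True, tcp_header[0:16]),    # 16-byte pieces (--mtu 16)
        ipv4_packet(2, False, tcp_header[16:20]),
        ipv4_packet(0, False, tcp_header),         # ordinary unfragmented segment
        ipv4_packet(0, True, bytes(1480)),         # ordinary large first fragment
    ]

def scan_capture(packets):
    return [classify(p) for p in packets]

if __name__ == "__main__":
    for verdict in scan_capture(sample_capture()):
        print(verdict)
```

Ordinary fragmentation of large datagrams passes as "fragment"; only the first-fragment and offset-1 cases are treated as suspicious.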

The -D option masks an Nmap scan by using decoys.
Usage: nmap -D [Decoy1,Decoy2,DecoyN] [Target]
Example: nmap -D,,

The -D option makes it appear to the target that the decoys we have specified are scanning the target too.

Basically, decoys allow the actual source of the scan to hide. The IDS will not be able to identify which IP was actually scanning and which were innocent, making the scan hard to trace.

Here we can also use the RND (Random) option to generate random decoys.
Usage: nmap -D [RND:Number] [Target]
Example: nmap -D RND:3

Here Nmap will generate 3 random decoys.

Idle Zombie Scan
The -sI option enables Nmap to perform an idle zombie scan.
Usage: nmap -sI [Zombie Host] [Target]
Example: nmap -sI

In the above example is the Zombie IP where as is the Target.

In this technique we have to use another host on the network that is idle to perform the scan on the target.

For an idle scan to be successful, we have to find hosts that are idle on the network.

Source Port Number:
The --source-port option is used to manually specify the source port.
Usage: nmap --source-port [Port Number] [Target]
Example: nmap --source-port 67 scanme.nmap.org

We basically force Nmap to use the specified port as the source for all packets.

This technique can be used where the firewall is configured to allow all incoming traffic that comes from a specified port number. Hence the --source-port option can be used to exploit such a configuration.

Common ports that we can use for the scan are 20 (FTP), 53 (DNS) and 67 (DHCP).

Append Random Data
The --data-length option allows us to append random data to the packets.
Usage: nmap --data-length [Number] [Target]
Example: nmap --data-length 10

Generally Nmap sends packets of a specific size. By using the --data-length option we add more data so that Nmap sends packets of a different size from the default.

In the above example we have added 10 more bytes to all the packets.

Most firewalls know to look for this type of predictable packet size; in such cases this option can be used.

Random Target Scan Order
The --randomize-hosts option is used to randomize the scanning order.
Usage: nmap --randomize-hosts [Target]
Example: nmap --randomize-hosts

This option makes Nmap scan the targets in random order instead of sequential order.
This is useful to avoid being detected by the firewall.

Spoof MAC Address
The --spoof-mac option is used to spoof the MAC (Media Access Control) address.
Usage: nmap -sT -PN --spoof-mac [MAC Address] [Target]

Here the MAC address can be specified manually, generated automatically, or chosen by vendor name.

Example (Manually)
nmap -sT -PN --spoof-mac B8:29:CB:BD:A9:67 [Target]
Here we set the spoofed MAC address manually, for example B8:29:CB:BD:A9:67.

Example (Automatically)
nmap -sT -PN --spoof-mac 0 [Target]
Here Nmap automatically generates the spoofed MAC address for us.
Note: --spoof-mac 0 (that is a zero).

Example (Vendor Name based)
nmap -sT -PN --spoof-mac Apple [Target]
Here Nmap generates the spoofed MAC address based on the vendor name.
The vendor can be Apple, Dell, 3Com etc. In the above example we have used Apple as the vendor.

This type of scanning is useful where there are MAC filtering rules that allow traffic from certain MAC addresses only. So we need to find which MAC address we need to use in order to get results.

It also hides our original MAC address, preventing it from being logged.

The --badsum option is used to send packets with an incorrect checksum.
Usage: nmap --badsum [Target]
Example: nmap --badsum

The TCP/IP protocols use checksums to ensure the integrity of data. Sending packets with a bad checksum may get us a response from a poorly configured system.

Poorly configured systems will respond to a packet with a bad checksum.

In the above example we did not receive any results, so we consider the target system to be correctly configured.
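A correctly configured system stays silent because it verifies the TCP checksum over the pseudo-header and segment before acting on the packet. The following added example (not from the original article) shows that verification; the addresses, ports and SYN segments are constructed, and the function names are hypothetical.

```python
import socket
import struct

def ones_complement_sum(data):
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))

def build_syn(src_ip, dst_ip, sport, dport, bad_checksum=False):
    """Constructed 20-byte TCP SYN header with a correct or deliberately wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 1024, 0, 0)
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) & 0xFFFF
    if bad_checksum:
        csum ^= 0x0001          # flip one bit so the sum no longer verifies
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src_ip, dst_ip, segment):
    """A valid segment sums to 0xFFFF when its checksum field is included."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF

def handle(src_ip, dst_ip, segment):
    """What a correctly configured receiver or inline device does with the segment."""
    return "process" if checksum_ok(src_ip, dst_ip, segment) else "drop-silently"

if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.5"   # documentation addresses
    print(handle(src, dst, build_syn(src, dst, 40000, 80)))
    print(handle(src, dst, build_syn(src, dst, 40000, 80, bad_checksum=True)))
```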


I am sure there are many more techniques for evading Firewalls. If you want to add to this list feel free to drop it into a comment.