Nmap: Evading Firewall Detection

Introduction

An IDS (Intrusion Detection System) monitors the operation of networks and systems through software and hardware according to a defined security policy, so as to discover as many attack attempts, attack behaviours and attack results as possible, protect the confidentiality, integrity and availability of network resources, and raise an alert when something abnormal occurs. Nmap is aware of this and provides a number of techniques for evading firewall detection. (For study purposes only.)

1. Packet fragmentation

Packet fragmentation splits the TCP header across several packets, which makes detection harder for packet filters, IDSs and other tools. Use the -f option to fragment packets and evade the firewall.

[root@localhost ~]# nmap -f 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:20 CST
Nmap scan report for 192.168.52.132
Host is up (0.00037s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.19 seconds

2. Specifying the maximum transmission unit

Specifying the maximum transmission unit sets the largest unit in which TCP/IP transmits data, which can effectively evade the firewall. Use "--mtu <size>" to set the MTU and evade firewall detection.

[root@localhost ~]# nmap --mtu 16 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:24 CST
Nmap scan report for 192.168.52.132
Host is up (0.00041s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

3. Decoy scanning

Decoy scanning makes the target host believe the scan comes from decoy hosts rather than from the scanning machine. It can be countered by route tracing, response dropping and other active mechanisms. Use the -D option to enable decoy scanning; append a number after RND to generate that many random decoys.

[root@localhost ~]# nmap -D RND:16  192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:29 CST
Nmap scan report for 192.168.52.132
Host is up (0.00072s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.41 seconds

4. Source address spoofing

Use the -sI option for source address spoofing: a forged address is presented as the source that initiates the scan, in order to evade the firewall.

[root@localhost ~]# nmap -sI www.0day.co:80 192.168.52.132
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP.  On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:33 CST
Idle scan using zombie www.0day.co (72.11.140.181:80); Class: Incremental
Nmap scan report for 192.168.52.132
Host is up (0.029s latency).
Not shown: 999 closed|filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds

5. Source port spoofing

Use the "--source-port" option to specify an arbitrary port; Nmap then sends its probes from that port in order to get past the firewall.

[root@localhost ~]# nmap --source-port 53 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:44 CST
Nmap scan report for 192.168.52.132
Host is up (0.00053s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

6. MAC address spoofing

When scanning inside an internal network, forging a MAC address can effectively evade the firewall. Nmap provides the "--spoof-mac" option to specify a MAC address for this purpose. Use "-sT -PN --spoof-mac" to perform MAC address spoofing and evade the firewall.

[root@localhost ~]# nmap -sT -PN --spoof-mac 0 192.168.52.132
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:50 CST
Spoofing MAC address 58:D4:BB:70:A1:C5 (No registered vendor)
You have specified some options that require raw socket access.
These options will not be honored for TCP Connect scan.
Nmap scan report for 192.168.52.132
Host is up (0.00029s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds

7. Appending random data

Padding Nmap's probes with extra data while scanning can confuse the firewall's judgement and so evade it. Use the "--data-length <bytes>" option.

[root@localhost ~]# nmap --data-length 50 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 16:56 CST
Nmap scan report for 192.168.52.132
Host is up (0.000082s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8080/tcp open  http-proxy
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds
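
As an added, defensive example that is not part of the original article: a small Python pass over constructed packet summaries that flags the traffic signatures left by the fragmentation (-f, --mtu), fixed source port (--source-port) and padded-SYN (--data-length) options described above. The Pkt fields, the sample traffic and the port threshold are assumptions about how decoded packets would be presented to such a check.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters ("S", "SA", ...); "" if the fragment lacks the flags byte
    frag_off: int    # IP fragment offset in bytes (0 for an unfragmented packet)
    mf: bool         # IP "more fragments" bit
    payload: int     # TCP payload bytes (a normal SYN carries 0)

# Constructed sample traffic: one ordinary connection plus three evasion patterns.
SAMPLE = [
    Pkt("10.0.0.5", 44012, "10.0.0.9", 443, "S", 0, False, 0),   # ordinary SYN
    Pkt("10.0.0.5", 44012, "10.0.0.9", 443, "A", 0, False, 120), # ordinary data segment
    # nmap -f: 20-byte TCP header split into 8-byte fragments; flags byte (offset 13) is not in the first
    Pkt("10.0.0.7", 51000, "10.0.0.9", 22, "", 0, True, 0),
    Pkt("10.0.0.7", 51000, "10.0.0.9", 22, "", 8, True, 0),      # ports carried over from fragment 1
    Pkt("10.0.0.7", 51000, "10.0.0.9", 22, "", 16, False, 0),
    # nmap --source-port 53: every SYN leaves from the same privileged port
    Pkt("10.0.0.8", 53, "10.0.0.9", 22, "S", 0, False, 0),
    Pkt("10.0.0.8", 53, "10.0.0.9", 80, "S", 0, False, 0),
    Pkt("10.0.0.8", 53, "10.0.0.9", 445, "S", 0, False, 0),
    # nmap --data-length 50: a SYN carrying 50 bytes of padding
    Pkt("10.0.0.6", 40001, "10.0.0.9", 8080, "S", 0, False, 50),
]

def detect(pkts, port_threshold=3):
    """Return (rule, ...) tuples for packets matching the three evasion patterns."""
    alerts, frag_flows, sport_map = [], set(), defaultdict(set)
    for p in pkts:
        # Rule 1: well-behaved stacks almost never fragment TCP; header-splitting fragments are a red flag.
        if (p.mf or p.frag_off > 0) and (p.src, p.dst, p.dport) not in frag_flows:
            frag_flows.add((p.src, p.dst, p.dport))
            alerts.append(("tcp_fragment", p.src, p.dst, p.dport))
        is_syn = "S" in p.flags and "A" not in p.flags
        # Rule 2: a bare SYN with payload is unusual outside TCP Fast Open.
        if is_syn and p.payload > 0:
            alerts.append(("syn_with_payload", p.src, p.dst, p.dport))
        # Rule 3: SYNs from one fixed well-known source port to many destination ports.
        if is_syn and p.sport < 1024:
            sport_map[(p.src, p.sport)].add(p.dport)
    for (src, sport), dports in sport_map.items():
        if len(dports) >= port_threshold:
            alerts.append(("fixed_privileged_sport", src, sport, len(dports)))
    return alerts
```

Decoy (-D) and MAC spoofing leave no per-packet signature this check can use; they are better addressed by correlating response behaviour and switch port security.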