Understanding Nmap Packet Trace

Hello friends!! Today we are going to discuss how to capture network packets using nmap, and use Wireshark to compare its results with nmap's. In this article we mainly focus on what types of network traffic nmap generates when we use the various nmap ping scans.

A ping scan in nmap is used to check whether the target host is alive. As we know, ping by default sends an ICMP echo request and gets an ICMP echo reply if the system is alive. Nmap's ping scan by default sends an ARP request and checks for a response to determine whether the host is up.

NOTE: Nmap scans change their behaviour according to the network they are scanning.

  • When scanning the local network, nmap sends an ARP request with every scan.
  • When an external network is scanned, nmap sends the following request packets:
      • ICMP echo request
      • ICMP timestamp request
      • TCP SYN to port 443
      • TCP ACK to port 80

Technique involved in packet tracing via nmap

The nmap module is an interface to nmap's internal functions and data structures. The API offers target host information such as port states and version detection results. It also provides an interface to the Nsock library for efficient network I/O.

Nsock is a parallel sockets library used by NSE, service detection (service_scan.cc) and DNS (nmap_dns.cc). It acts as an abstraction layer above socket operations and is optimized for handling multiple sockets. mspool is defined in nsock_internal.h and contains, among other things, a struct event_lists, a structure that keeps information on all pending events.

Event creation

Events are represented with the msevent struct (nsock_internal.h) which contains (among other things)

  • The callback handler -> nsock_ev_handler (nsock_pool, nsock_event, void *)
  • A pointer to a msiod struct -> msiod *iod, which holds all the I/O descriptor (IOD) related information.
  • Struct filespace iobuf (a buffer usually 1024 bytes which holds the write/read bytes)
  • The nse_type (nsock.h)
  • The nse_status (nsock.h)
  • A unique id -> nsock_event_id (EID)

Events are created with the following functions:

nsock_connect.c

  • nsock_connect_tcp
  • nsock_connect_udp
  • nsock_connect_ssl
  • nsock_reconnect_ssl

nsock_read.c

  • nsock_readlines
  • nsock_readbytes
  • nsock_read

nsock_write.c

  • nsock_write
  • nsock_printf

nsock_timer_create.c

  • nsock_timer_create

source: https://sock-raw.org/nmap-ncrack/nsock.html

Let’s Start!!

Nmap Sweep Ping Analysis

The -sn / -sP options are used for a ping sweep; they try to identify the live hosts in the network. Adding --packet-trace to the nmap scan lets us observe the network packets.

Here you can observe the first two packets, SENT and RCVD (received), showing the ARP request from 192.168.1.105 to 192.168.1.103 and its reply, followed by the NSOCK library lines that show the actual request and response packets travelling between the source and the router.

  • NSOCK INFO showing that a new nsock_event_id (EID) 8 is generated for I/O descriptor (IOD) #1, an NSOCK UDP connection request to the router on port 53.
  • NSOCK INFO showing that another EID, 18, is generated for a read request from IOD #1.
  • NSOCK INFO showing that another EID, 27, is generated for a write request of 44 bytes to IOD #1.
  • NSOCK INFO showing a SUCCESSFUL connect when nsock runs the callback handler for EID 8.
  • NSOCK INFO showing a SUCCESSFUL write when nsock runs the callback handler for EID 27.
  • NSOCK INFO showing a SUCCESSFUL read when nsock runs the callback handler for EID 18.
  • NSOCK INFO that IOD #1 is deleted.
  • NSOCK INFO that nevent_delete is deleting event 34.
  • Finally, the Nmap scan report shows that the host is up.

You can observe the same traffic in the capture we took with Wireshark:

  • ARP request packet from 192.168.1.105 to 192.168.1.103
  • ARP reply packet from 192.168.1.103 to 192.168.1.105

Similarly, you can add the --reason option to the nmap command to see which response from the host caused nmap to report its state.

As you can observe, it clearly shows Host is up, with the reason given as received arp-response.

As we have seen, by default Nmap sends an ARP request to determine the host status, so now we will trace the nmap packets when --disable-arp-ping is enabled.

Here you can notice the following SENT packets from source 192.168.1.105 to destination 192.168.1.103.

  • ICMP echo request
  • ICMP timestamp request
  • TCP SYN to port 443
  • TCP ACK to port 80

Then the RCVD packet, an ICMP echo reply from destination 192.168.1.103, followed by the NSOCK library lines showing the actual request and response packets travelling between the source and the router.

Demonstrating the working of the ping sweep using Wireshark

In the image below you can observe the following request and reply packets between the two IP addresses:

  1. ICMP echo request
  2. TCP SYN to port 443
  3. TCP ACK to port 80
  4. ICMP timestamp request
  5. ICMP echo reply
  6. TCP RST, ACK to port 443
  7. TCP RST to port 80
  8. ICMP timestamp Reply

Similarly, you can add the --reason option to the nmap command to see which response from the host caused nmap to report its state.

As you can observe, it clearly shows Host is up, with the reason given as a received ICMP echo reply.
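To read a --packet-trace dump like the ones above without going through it by hand, here is an added Python example (not code from the article or from Nmap) that parses the SENT/RCVD and NSOCK INFO lines into the probe list, the reply that --reason would report, and the nsock EID lifecycle; the two traces in it are constructed in the shape of Nmap's output using the article's lab addresses 192.168.1.105 and 192.168.1.103, with every other value made up.

```python
import re

# Added example, not code from the article or from Nmap. The trace below is
# constructed in the shape of `nmap -sn --disable-arp-ping --packet-trace`
# output, reusing the article's two lab addresses; all other values are made up.
SAMPLE_TRACE = """\
SENT (0.0290s) ICMP [192.168.1.105 > 192.168.1.103 Echo request (type=8/code=0) id=21523 seq=0] IP [ttl=42 id=2345 iplen=28 ]
SENT (0.0291s) TCP 192.168.1.105:36088 > 192.168.1.103:443 S ttl=42 id=12345 iplen=44  seq=1234567890 win=1024 <mss 1460>
SENT (0.0292s) TCP 192.168.1.105:36089 > 192.168.1.103:80 A ttl=38 id=3456 iplen=40  seq=0 win=1024
SENT (0.0293s) ICMP [192.168.1.105 > 192.168.1.103 Timestamp request (type=13/code=0) id=21523 seq=0] IP [ttl=42 id=4567 iplen=40 ]
RCVD (0.0301s) ICMP [192.168.1.103 > 192.168.1.105 Echo reply (type=0/code=0) id=21523 seq=0] IP [ttl=64 id=5678 iplen=28 ]
RCVD (0.0302s) TCP 192.168.1.103:443 > 192.168.1.105:36088 RA ttl=64 id=0 iplen=40  seq=0 win=0
NSOCK INFO [0.0310s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.0310s] nsock_connect_udp(): UDP connection requested to 192.168.1.1:53 (IOD #1) EID 8
NSOCK INFO [0.0310s] nsock_read(): Read request from IOD #1 [192.168.1.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0310s] nsock_write(): Write request for 44 bytes to IOD #1 EID 27 [192.168.1.1:53]
NSOCK INFO [0.0320s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.1.1:53]
NSOCK INFO [0.0320s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.1.1:53]
NSOCK INFO [0.0330s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.1.1:53] (44 bytes)
NSOCK INFO [0.0330s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
"""
# Constructed local-network variant: the ARP exchange the default ping scan shows.
ARP_TRACE = """\
SENT (0.0150s) ARP who-has 192.168.1.103 tell 192.168.1.105
RCVD (0.0160s) ARP reply 192.168.1.103 is-at 00:0C:29:AA:BB:CC
"""

PKT_RE = re.compile(r"^(?P<dir>SENT|RCVD) \([\d.]+s\) (?P<proto>ARP|ICMP|TCP|UDP) (?P<rest>.*)$")
TCP_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SFRPAUEC]+)\b")
ICMP_RE = re.compile(r"(?P<src>[\d.]+) > (?P<dst>[\d.]+) (?P<kind>.+?) \(type=\d+/code=\d+\)")
ARP_RE = re.compile(r"^(?:who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)|reply (?P<from>[\d.]+) is-at)")
NSOCK_RE = re.compile(r"^NSOCK INFO \[[\d.]+s\] (?P<func>\w+)\(\): (?P<msg>.*)$")

FLAG_NAMES = {"S": "SYN", "A": "ACK", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG"}
# Nmap's own --reason strings for the replies that mark a host as up.
REASON_FOR = {("ARP", "reply"): "arp-response", ("ICMP", "Echo reply"): "echo-reply",
              ("ICMP", "Timestamp reply"): "timestamp-reply",
              ("TCP", "RA"): "reset", ("TCP", "SA"): "syn-ack"}


def describe_packet(direction, proto, rest):
    """Turn the tail of a SENT/RCVD line into a label and a (proto, kind) key."""
    if proto == "TCP":
        m = TCP_RE.match(rest)
        flags = "/".join(FLAG_NAMES.get(f, f) for f in m["flags"])
        port = m["dport"] if direction == "SENT" else m["sport"]
        return f"TCP {flags} {'to' if direction == 'SENT' else 'from'} port {port}", ("TCP", m["flags"])
    if proto == "ICMP":
        m = ICMP_RE.search(rest)
        return f"ICMP {m['kind'].lower()}", ("ICMP", m["kind"])
    if proto == "ARP":
        m = ARP_RE.match(rest)
        kind = "reply" if m and m["from"] else "request"
        return f"ARP {kind}", ("ARP", kind)
    return f"{proto} {rest}", (proto, "")


def parse_trace(text):
    """Summarise a --packet-trace run: probes sent, replies seen, the host-up
    reason --reason would print, and whether every nsock EID was completed."""
    sent, rcvd, reason, requested, completed = [], [], None, {}, {}
    for line in text.splitlines():
        pkt = PKT_RE.match(line)
        if pkt:
            label, key = describe_packet(pkt["dir"], pkt["proto"], pkt["rest"])
            if pkt["dir"] == "SENT":
                sent.append(label)
            else:
                rcvd.append(label)
                reason = reason or REASON_FOR.get(key)   # the first reply decides
            continue
        ev = NSOCK_RE.match(line)
        if not ev:
            continue
        done = re.match(r"Callback: (\w+) (\w+) for EID (\d+)", ev["msg"])
        new = re.search(r"EID (\d+)", ev["msg"])
        if done:
            completed[int(done[3])] = (done[1], done[2])
        elif new:   # nsock_connect_udp -> CONNECT, nsock_read -> READ, nsock_write -> WRITE
            requested[int(new[1])] = ev["func"].split("_")[1].upper()
    return {"sent": sent, "rcvd": rcvd, "host_up": reason is not None, "reason": reason,
            "nsock_requested": requested, "nsock_completed": completed,
            "nsock_unfinished": sorted(set(requested) - set(completed))}


if __name__ == "__main__":
    for name, trace in (("external", SAMPLE_TRACE), ("local", ARP_TRACE)):
        print(name, parse_trace(trace))
```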

Nmap TCP-SYN Ping Analysis

The -PS option sends a TCP SYN packet to port 80 by default; we can change this by specifying the ports with it, for example -PS22.

Here you can observe that this scan is a combination of the nmap ping scan and the nmap stealth scan: at the beginning it sends an ARP request, then uses the nsock library, and at the end it again performs a TCP half-open exchange.

So you can observe the following information in the nmap output:

  • SENT/RCVD: ARP request and reply respectively.
  • Nsock libraries details
  • TCP-SYN packet from 192.168.1.105:36088 to 192.168.1.103:22.
  • TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:36088.

Similarly we saw the same pattern of network traffic in Wireshark.

Similarly, you can add the --reason option to the nmap command to see which response from the host caused nmap to report its state.

Here you can observe that port 22 is open, with the reason given as a SYN/ACK received from the host.

Now let's look at the network traffic when --disable-arp-ping is enabled.

So you can observe the following information in the nmap output:

  • SENT TCP-SYN packet to port 80.
  • RCVD TCP-RST/ACK from port 80.
  • Nsock library details.
  • TCP-SYN packet from 192.168.1.105:63581 to 192.168.1.103:22.
  • TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:63851.

Similarly we saw the same pattern of network traffic in Wireshark.

Nmap ICMP Ping Analysis

The -PE option sends an ICMP echo request packet [ICMP type 8] and receives an ICMP echo reply packet.

Here you can notice the ICMP echo request packet SENT from source 192.168.1.105 to destination 192.168.1.103.

Then the RCVD packet, an ICMP echo reply from destination 192.168.1.103, followed by the NSOCK library lines showing the actual request and response packets travelling between the source and the router.

Similarly we saw the same pattern of network traffic in Wireshark.

Nmap Stealth Scan Analysis

Let's capture the network packets for the default nmap scan, also called the stealth scan, which uses a half-open TCP exchange.

Here you can observe the TCP half-open exchange:

  • TCP-SYN packet sent from source 192.168.1.105 to 192.168.1.103 on port 22.
  • TCP-SYN/ACK packet received from 192.168.1.103 at 192.168.1.105.
  • TCP-RST packet sent from source 192.168.1.105 to 192.168.1.103.

Now let's verify it with the --packet-trace parameter and compare the results.

So you can observe the following information in the nmap output, which is similar to the TCP-SYN ping:

  • SENT/RECD ARP request and reply respectively.
  • Nsock libraries details
  • TCP-SYN packet from 192.168.1.105:48236 to 192.168.1.103:22.
  • TCP-SYN/ACK packet from 192.168.1.103:22 to 192.168.1.105:48236.

Similarly, you can add the --reason option to the nmap command to see which response from the host caused nmap to report its state.

Here you can observe that port 22 is open, with the reason given as a SYN/ACK received from the host.

Now let's look at the network traffic when --disable-arp-ping is enabled.

Here you can notice the following packets between source 192.168.1.105 and destination 192.168.1.103:

  • SENT ICMP echo request
  • SENT TCP SYN to port 443
  • SENT TCP ACK to port 80
  • SENT ICMP timestamp request
  • RCVD ICMP echo reply from destination 192.168.1.103
  • NSOCK library lines showing the actual request and response packets travelling between the source and the router
  • SENT TCP-SYN request to port 22
  • RCVD TCP-SYN/ACK reply from port 22

Similarly we saw the same pattern of network traffic in Wireshark.

Nmap TCP Scan Analysis

As we know, the TCP connect scan performs the full TCP three-way handshake.

So you can observe the following information in the nmap output, which is similar to the TCP-SYN ping:

  • SENT/RCVD: ARP request and reply respectively.
  • Nsock library details.
  • Connecting TCP from localhost to destination host 192.168.1.103:22 is in progress.
  • Connected TCP from localhost to destination host 192.168.1.103:22 successfully.

Similarly we saw the same pattern of network traffic in Wireshark.

Similarly, you can add the --reason option to the nmap command to see which response from the host caused nmap to report its state.

Here you can observe that port 22 is open, with the reason given as a SYN/ACK received from the host.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

Nmap Scan with Timing Parameters

Hello everyone, in this article we will have a look at the different parameters that together make up a timing template, and at how to use those parameters individually as required.

Let’s Start!!

Nmap timing template

As we have seen, Nmap has multiple timing templates that can be used according to the requirement (see the timing scan article). Let's see what's inside a timing template. To get the description of a timing template we'll use the -d (debug) option.

Here we have multiple arguments that collectively make a timing template. Let’s have a look at them one by one.

  • Host-groups
  • Rtt-timeouts
  • Scan-delay
  • Max-retries
  • Min-rates
  • Parallelism

Maximum retries (--max-retries)

--max-retries specifies the number of times a probe is resent to a port to determine whether it is open or closed. If --max-retries is set to 0, each port is probed only once and no retries are done.

Here in Wireshark we can see that exactly one TCP SYN packet is sent to each port from source 192.168.1.126 to destination 192.168.1.139, and none is sent again.

Now we will apply a small firewall rule on the target machine so that packets get blocked if they arrive at a faster rate.

Now the normal scan with --max-retries set to 0 will not show any results.

As we can see, the ports whose packets were dropped are not probed again, so their status is not determined.

Here we can increase the --max-retries value, which gets past the firewall filter described above so that we can get the exact port status.

Here we can see that TCP SYN packets sent to one port from source 192.168.1.126 to destination 192.168.1.139 are sent again and again until a reply is returned or the maximum retry value (here 5) is reached.

Host-timeout

The --host-timeout option tells the scan to give up on a host after the specified time. The shorter the time specified, the higher the chance of inaccurate scan results.

We can specify the time in milliseconds (ms), seconds (s) or minutes (m).

Now we will try to get the result by increasing the timeout value.

We can use --host-timeout in other scenarios as well, for example when we need to check whether the host system is live. Here we show how the host timeout can affect the results of a ping scan.

The output of the above command reported 0 hosts up.

The output of the above command reported 1 host up.

Hostgroup

The hostgroup options (--min-hostgroup / --max-hostgroup) scan a specified number of hosts in the network at a time. You need to specify the minimum number of hosts, the maximum number of hosts, or both, to be scanned at a time.

In the image below you can observe that it has reported only 3 live hosts from the whole subnet, saving you the time of scanning the complete network.

Scan delay

--scan-delay delays each packet by the specified time. It is very useful in evading time-based firewall rules.

Here we can see the time difference between the packets:

packet 1: TCP SYN packet on port 25 at 07:58:01 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 07:58:12 from 192.168.1.126 to 192.168.1.139

Now if you count the time difference between these packets you get an 11 second lapse between them.

Maximum rate (--max-rate)

The rate options specify the rate at which packets are to be sent, in other words the number of packets sent per second. --max-rate specifies the maximum number of packets to be sent per second.

Wireshark shows that the packet sending rate is at most 2, meaning the number of packets sent in a second is less than or equal to 2:

packet 1: TCP SYN packet on port 21 at 03:17:20 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 23 at 03:17:21 from 192.168.1.126 to 192.168.1.139

Now if you count the time difference between these packets you get a 1 second lapse between them, indicating that these two packets were not sent together.

Minimum rate (--min-rate)

--min-rate specifies the minimum number of packets to be sent per second. Here, if we want at least 2 packets to be sent to the target's network in the same second, and not fewer, we need to execute the command below.

Wireshark shows that the packet sending rate is at least 2, meaning the number of packets sent in a second is equal to or greater than 2:

packet 1: TCP SYN packet on port 23 at 03:28:29 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 03:28:29 from 192.168.1.126 to 192.168.1.139

Now if you count the time difference between these packets you get only a fraction of a second between them, indicating that these two packets were sent together.

Parallelism

The parallelism options are used to send multiple packets in parallel: --min-parallelism means that the number of packets sent in parallel must not be less than the value specified, and --max-parallelism means that the number of packets sent in parallel must be less than or equal to the value specified.

In Wireshark we can see a pair of TCP-SYN packets sent in parallel from 192.168.1.126, neither fewer nor more than 2.

Round trip timeout

The RTT timeout is the time allowed for a probe to return a reply; --min-rtt-timeout specifies the minimum value of the time allowed for a probe to return a reply.

Wireshark shows that the probe and its reply take more time than the --min-rtt-timeout specified:

packet 1: TCP SYN packet on port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 25 at 08:10:53.233466679 from 192.168.1.139 to 192.168.1.126

Max-rtt-timeout

--max-rtt-timeout specifies the maximum value of the time allowed for a probe to return a reply.

Wireshark shows that the probe and its reply take less time than the --max-rtt-timeout:

packet 1: TCP SYN packet on port 22 at 08:15:08.171777907 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 22 at 08:15:08.173117154 from 192.168.1.139 to 192.168.1.126

Initial round trip timeout

--initial-rtt-timeout specifies the initial value of the time allowed for a probe to return a reply. The actual return time can be greater or smaller than the initial-rtt-timeout, because --max-rtt-timeout and --min-rtt-timeout specify the range of time allowed for a reply, but the probe is first expected to return a reply within the time specified in --initial-rtt-timeout.

Wireshark shows that the time taken by the probe to return a reply is around the value specified in --initial-rtt-timeout:

packet 1: TCP SYN packet on port 23 at 08:18:45.342395520 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 23 at 08:18:45.342930962 from 192.168.1.139 to 192.168.1.126
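As an added example (not part of the article) of checking captures like the ones in the scan-delay, rate and rtt-timeout sections against the settings a scan was run with, the Python below reads Wireshark time-of-day stamps, works out the gaps between the scanner's probes and the RTT of each SYN / SYN-ACK pair, and compares them with --scan-delay, --max-rate, --min-rate and --max-rtt-timeout; the SYN timestamps are those quoted above, while the replies, the sub-second fractions of the min-rate capture and the settings passed to audit() are constructed assumptions.

```python
# Added example, not part of the article. Records are (time of day, src, dst,
# TCP port, flags), the columns one would export from Wireshark/tshark for the
# article's scans. SYN stamps are the ones the article quotes; the SYN/ACK
# replies and the sub-second fractions of the --min-rate capture are constructed,
# and the settings passed to audit() are assumed values for those scans.
SCANNER, TARGET = "192.168.1.126", "192.168.1.139"

SCAN_DELAY_CAPTURE = [                       # nmap --scan-delay 10s -p22,25 (assumed)
    ("07:58:01.000000000", SCANNER, TARGET, 25, "S"),
    ("07:58:01.000800000", TARGET, SCANNER, 25, "SA"),
    ("07:58:12.000000000", SCANNER, TARGET, 22, "S"),
    ("07:58:12.001300000", TARGET, SCANNER, 22, "SA"),
]
MIN_RATE_CAPTURE = [                         # nmap --min-rate 2: both SYNs inside one second
    ("03:28:29.100000000", SCANNER, TARGET, 23, "S"),
    ("03:28:29.400000000", SCANNER, TARGET, 22, "S"),
]
RTT_CAPTURE = [                              # the SYN / SYN-ACK pair quoted for --min-rtt-timeout
    ("08:10:53.232666116", SCANNER, TARGET, 25, "S"),
    ("08:10:53.233466679", TARGET, SCANNER, 25, "SA"),
]


def seconds_of_day(stamp):
    """'HH:MM:SS.fffffffff' (Wireshark time of day, up to nanoseconds) -> float seconds."""
    hms, _, frac = stamp.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + (int(frac) / 10 ** len(frac) if frac else 0.0)


def probes_and_rtts(capture, scanner):
    """Times of the scanner's SYN probes, and per-port RTT to the first reply."""
    probes, sent_at, rtts = [], {}, {}
    for stamp, src, dst, port, flags in capture:
        t = seconds_of_day(stamp)
        if src == scanner and flags == "S":
            probes.append(t)
            sent_at.setdefault(port, t)          # keep the first SYN if a port is retried
        elif dst == scanner and port in sent_at and port not in rtts:
            rtts[port] = t - sent_at[port]       # SYN/ACK or RST closes the pair
    return probes, rtts


def audit(capture, scanner, settings):
    """Compare observed timing with the settings a scan was run with.
    settings: scan_delay / max_rtt_timeout in seconds, max_rate / min_rate in
    packets per second. Returns {check: (observed value, within the setting)}."""
    probes, rtts = probes_and_rtts(capture, scanner)
    gaps = [b - a for a, b in zip(probes, probes[1:])]
    result = {}
    if gaps and "scan_delay" in settings:        # every gap at least the delay
        result["scan_delay"] = (min(gaps), min(gaps) >= settings["scan_delay"])
    if gaps and "max_rate" in settings:          # a cap means no gap shorter than 1/rate
        result["max_rate"] = (1 / min(gaps), 1 / min(gaps) <= settings["max_rate"])
    if gaps and "min_rate" in settings:          # a floor means no gap longer than 1/rate
        result["min_rate"] = (1 / max(gaps), 1 / max(gaps) >= settings["min_rate"])
    if rtts and "max_rtt_timeout" in settings:   # a reply slower than the timeout counts as lost
        slowest = max(rtts.values())
        result["max_rtt_timeout"] = (slowest, slowest <= settings["max_rtt_timeout"])
    return result


if __name__ == "__main__":
    print(audit(SCAN_DELAY_CAPTURE, SCANNER, {"scan_delay": 10, "max_rate": 2}))
    print(audit(MIN_RATE_CAPTURE, SCANNER, {"min_rate": 2}))
    print(audit(RTT_CAPTURE, SCANNER, {"max_rtt_timeout": 0.05}))
```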

Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher.

Generating Scan Reports Using Nmap (Output Scan)

Hello friends, you may have used Nmap many times to perform network scanning and enumerate the active port services of a target machine, but sometimes we want to save the nmap scan. Nmap's output options save the result of a scan in different formats.

Let’s Begin

Requirement

Attacker: Kali Linux

Target’s IP: 192.168.1.113

Normal Output Format

-oN <filespec> (normal output)

Nmap supports different formats for saving scan results. Depending on your needs, you can choose between normal, XML and grepable output. Normal mode saves the output as you see it on your screen, minus the runtime debugging information. This mode presents the findings in a well-structured and easy-to-understand manner.

Now the scan is saved on the desktop and we can access it using cat or a text editor:

cat Desktop/nmap

XML Output Format

-oX <filespec> (XML output)

XML (Extensible Markup Language) is a widely known, tree-structured file format supported by Nmap. To save the scan results to a file in XML format, add the option -oX <filename>, as shown in the following command:

Nmap also includes additional debugging information when you save the scan results in this format.

An XML file, when generated, will contain the following information:

  • Host and port states
  • Services
  • Timestamps
  • Executed command
  • Nmap Scripting Engine output
  • Run statistics and debugging information

You can view the output in gedit; it will look as shown below.

We can also convert the Nmap scan that we saved in XML format earlier to a portable HTML format using the following command:

xsltproc Desktop/nmap.xml -o nmap.html

Now open the nmap.html file in your favourite browser. Here is a screenshot of the converted HTML report. As you can see, it is very simply formatted and easy to read and understand.

Script kiddie output

-oS <filespec> (ScRipT KIdd|3 oUTpuT)

Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ; this option was made to make fun of script kiddies.

Now we can see that the file is saved on the desktop; its contents are similar to the normal scan output.

cat Desktop/nmap

Grepable Output Format

-oG <filespec> (grepable output)

The grepable format was included to help users extract information from logs without having to write a parser, as this format is meant to be read/parsed with standard UNIX tools. To save the scan results to a file in the grepable format, add the option -oG <filename>, as shown in the following command:

In grepable mode, each host is placed on a single line with the format <field name>: <value>, and each field is separated by tabs (\t). The number of fields depends on what Nmap options were used for the scan.

There are eight possible output fields:

  • Host: This field is always included, and it consists of the IP address and reverse DNS name if available
  • Status: This field has three possible values—Up, Down, or Unknown
  • Ports: In this field, port entries are separated by a comma and a space character, and each entry is divided into seven fields by forward slash characters (/)
  • Protocols: This field is shown when an IP protocol (-sO) scan is used
  • Ignored: This field shows the number of port states that were ignored
  • OS: This field is only shown if OS detection (-O) was used
  • Seq Index: This field is only shown if OS detection (-O) was used
  • IP ID Seq: This field is only shown if OS detection (-O) was used

cat Desktop/nmap
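As an added example (not part of the article or of Nmap), here is a small Python parser for the grepable format described above, with a matching parser for the XML format from the earlier section so the two can be cross-checked; both samples are constructed in the shape of Nmap's output for the article's target 192.168.1.113, with made-up ports, services and versions.

```python
import xml.etree.ElementTree as ET

# Added example, not part of the article or of Nmap. Both samples are constructed
# in the shape of Nmap's -oG and -oX output for the article's target
# 192.168.1.113; the ports, services and versions are made up.
GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG Desktop/nmap 192.168.1.113
Host: 192.168.1.113 ()\tStatus: Up
Host: 192.168.1.113 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned in 5.12 seconds
"""
NMAP_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX Desktop/nmap.xml 192.168.1.113">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.113" addrtype="ipv4"/>
<ports><extraports state="filtered" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
</ports></host>
<runstats><finished elapsed="5.12"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# The seven slash-separated sub-fields of each Ports entry, in Nmap's order.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")


def parse_gnmap(text):
    """Parse grepable output: one tab-separated 'Field: value' line per host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                    # '# Nmap ...' header and summary lines
        fields = dict(chunk.partition(": ")[::2] for chunk in line.split("\t"))
        addr = fields["Host"].split(" ", 1)[0]          # 'addr (reverse-dns-name)'
        host = hosts.setdefault(addr, {"status": None, "ports": [], "ignored": None})
        if "Status" in fields:
            host["status"] = fields["Status"]
        if "Ignored State" in fields:
            host["ignored"] = fields["Ignored State"]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            rec = dict(zip(PORT_FIELDS, entry.split("/")))   # trailing '/' adds an 8th piece, dropped
            rec["port"] = int(rec["port"])
            host["ports"].append(rec)
    return hosts


def parse_xml(text):
    """Parse -oX output into the same shape as parse_gnmap() returns."""
    hosts = {}
    for h in ET.fromstring(text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        extra = h.find("ports/extraports")
        ports = []
        for p in h.iter("port"):
            svc = p.find("service")
            ports.append({"port": int(p.get("portid")), "state": p.find("state").get("state"),
                          "protocol": p.get("protocol"), "reason": p.find("state").get("reason"),
                          "service": svc.get("name") if svc is not None else ""})
        hosts[addr] = {"status": h.find("status").get("state").capitalize(), "ports": ports,
                       "ignored": f"{extra.get('state')} ({extra.get('count')})" if extra is not None else None}
    return hosts


def open_ports(hosts):
    """{addr: sorted open ports}: the same answer whichever format was parsed."""
    return {addr: sorted(p["port"] for p in info["ports"] if p["state"] == "open")
            for addr, info in hosts.items()}


if __name__ == "__main__":
    print(parse_gnmap(GNMAP))
    print(open_ports(parse_gnmap(GNMAP)) == open_ports(parse_xml(NMAP_XML)))
```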

Saving Output in ALL Format

-oA <basename> (Output to all formats)

Nmap supports the alias option -oA <basename>, which saves the scan results in all of the available formats—normal, XML, and grepable. The different files will be generated with the extensions .nmap, .xml, and .gnmap.

Now we check the directory and find all 3 types of file available to us.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.

Understanding Guide for Nmap Timing Scan (Firewall Bypass)

In this article we are going to scan the target machine with a normal Nmap scan along with a timing template, and the time between packets can be confirmed by analysing the Nmap traffic in Wireshark.

A timing template in nmap is selected with -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all nmap scans run with the -T3 timing template. Timing templates in Nmap are used to optimize and improve the quality and performance of a scan to get the desired results.

Let’s start!!

Nmap Insane (-T5) Scan

This template sends packets insanely fast and waits only 0.3 seconds for a response. The time difference between two packets sent is up to 5 milliseconds. This timing template makes the scan super fast, but accuracy is sometimes sacrificed. Nmap gives up on a host if it cannot complete the scan within 15 minutes. Other than that, -T5 should be used only on fast networks and high-end systems, as sending packets this fast can affect the working of the network or system and can result in system failure.

To use a timing template, add the option -T<0-5> to the Nmap command when scanning a target network.

Here the packets sent to the target IP are sent with a maximum difference of 5 milliseconds, or 0.005 seconds:

Packet 1 has Arrival Time of 04:41:04.557153433

Packet 2 has Arrival Time of 04:41:04.557225304

The difference between the arrival time of Packet 1 and Packet 2 is about 0.07 milliseconds.

Nmap Aggressive (-T4) Scan

This template sends packets very fast and waits only 1.25 seconds for a response. The time difference between two packets sent is up to 10 milliseconds. Nmap's official documentation recommends using -T4 for "reasonably modern and reliable networks".

Here the packets sent to the target IP are sent within the template's maximum inter-packet difference:

Packet 1 has Arrival Time of 05:58:34.636899267

Packet 2 has Arrival Time of 05:58:34.637122896

The difference between the arrival time of Packet 1 and Packet 2 is about 0.2 milliseconds.

Nmap Normal (-T3) Scan

This is the default nmap timing template which is used when -T argument is not specified.

Packet 1 has Arrival Time of 06:01:12.574866212

Packet 2 has Arrival Time of 06:01:12.575059033

The difference between the arrival time of Packet 1 and Packet 2 is about 0.1 milliseconds.

Nmap Polite (-T2) Scan

This template sends packets faster than -T0 and -T1 but still slower than the normal scan. The time difference between two packets sent is 0.4 seconds.

Packet 1 has Arrival Time of 06:07:38.139876513

Packet 2 has Arrival Time of 06:01:12.540686453

Nmap Sneaky (-T1) Scan

This template sends packets slowly, well below the rate of the normal scan. The time difference between two packets sent is 15 seconds.

Packet 1 has Arrival Time of 06:17:02.354879724

Packet 2 has Arrival Time of 06:17:17.371063606

The difference between the arrival time of Packet 1 and Packet 2 is about 15 seconds.

Nmap Paranoid (-T0) Scan

This template is used for sending packets very slowly as only one port is scanned at a time. The time difference between two packets sent is 5 minutes.

Packet 1 has Arrival Time of 06:32:25.043303267

Packet 2 has Arrival Time of 06:37:25.080804929

The difference between the arrival time of Packet 1 and Packet 2 is about 5 minutes.

Evading time-based firewall rules using timing templates

Block Insane T5 scan

Even though we can speed up the scan with the -T5 and -T4 templates, there is a chance that the target system is using firewall rules to protect itself. Here are some examples of such firewall rules and the methods to get past them.

This rule blocks TCP packets from an IP address if the packet count exceeds 1 per second. In other words, only the first packet from an IP address in each 1-second interval will be answered.

If you're scanning more than one port on a target system with the above rule, the result will not be as desired. For example, with -T5 or -T4 the time difference between packets is much less than 1 second, so if we scan five ports at a time it will show one as open/closed and the others as filtered. But -T5 also has --max-retries set to 2, meaning it will retry the unanswered ports 2 more times, so 3 out of 5 ports will end up with an accurate open/closed status and the remaining 2 with filtered status.

In the image below you can observe that it shows 3 ports open and 2 ports filtered.

The packet exchange between the scanner and the target, captured in Wireshark, clearly shows that the TCP SYN packets were sent multiple times to ports 22 and 23 and received no reply.

Bypass Insane T5 Firewall filter

1st method

Use the --max-retries option to increase the retry count, so that each retry obtains the accurate status of one more port. Execute the command below to increase the maximum retries with the T5 scan; here I used 4, which you can modify as per your requirement.

Now, in the image below, you can observe that it shows all 5 ports open.

Here the packet exchange shows that in each retry a different port sends its reply, confirming its status, as shown in the image below.

2nd Method

The second method is to use a timing template with a greater time difference between packets; here we can use any template below T5, i.e. T4 down to T0, to get past the above rule.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104

or

nmap -T1 -p21-25 192.168.1.104

or

nmap -T0 -p21-25 192.168.1.104

Here the packet exchange shows that every port sent a reply, but the first reply came instantly and the other ports replied one by one after some time.

Block Aggressive T4, Normal T3 & Polite T2 Scan

Now the rules below block TCP packets from an IP address if the packet count exceeds 1 per 3 seconds. In other words, only the first packet from an IP address in each 3-second interval will be answered.

Here we are using -T4 to scan 5 ports. The time difference between packets is much less than 1 second, so if we scan five ports at a time it will show one as open/closed and the others as filtered. -T4 also has --max-retries set to 6, meaning it will retry the unanswered ports 6 more times, but as the rule's time limit exceeds the total time taken by all the retries, it shows all ports as filtered.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104


The result of the T4, T3 and T2 scans can be either all ports filtered or a single port showing an open/closed state. In the image below you can observe that it shows all 5 ports filtered.

Here we can see that none of the packets got a reply.

Bypass Aggressive T4, Normal T3 & Polite T2 Firewall filter

To get past this kind of rule we have to use a timing template that is slower than -T4.

Here we can see that all the packets got a reply, because the interval between packets in T1 is almost 15 seconds.

Block Sneaky (-T1) Scan

Now this rule blocks TCP packets from an IP address if the packet count exceeds 1 per 200 seconds. In other words, only the first packet from an IP address in each 200-second interval will be answered.

Now repeat the T1 scan as shown below; this time you will find that the firewall is blocking our Nmap probes, so the open/closed state of the ports cannot be identified.

The result of the T1 scan can be either all ports filtered or a single port showing an open/closed state. In the image below you can observe that it shows all 4 ports filtered.

Here we can see that only one of the packets got a reply; the rest were dropped by the firewall.

Bypass Sneaky (-T1) Scan

To get past this kind of rule we have to use a timing template whose time difference between packets is more than 200 seconds, so use the paranoid (-T0) template, because its time difference between two packets is about 5 minutes, as discussed above.

In the image below you can observe that it took 1813.61 seconds, close to 30 minutes, to scan 5 ports, and found all 5 ports open.

Here we can see that we got a response to every packet even though the firewall rule was in place.

Whatever IPS or firewall you are dealing with, remember that scanning the target system with a slower timing template takes much longer than usual, so specify a small number of ports so that the slower scan does not spend time on ports you did not intend to scan.
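To see what such a per-source packet-count rule does and does not achieve, here is an added Python model (not from the article, and not Nmap's actual scheduler) of a rule that answers one TCP packet per source per window and drops the rest; the scan schedules use the inter-probe gaps and retry counts quoted above for the templates, plus an assumed wait between retry rounds.

```python
# Added model, not from the article and not Nmap's real scheduler. It encodes the
# rule the article describes: a source gets one TCP packet answered per WINDOW
# seconds; further packets inside the window are dropped, and (as with a
# hit-count rule) dropped packets still keep the window open. The scanner side
# re-probes only the ports that got no answer, once per retry round. The gap
# between rounds is an assumed value; the per-probe gaps and retry counts are
# the figures the article quotes for the templates.

def simulate(ports, gap, retries, retry_interval, window):
    """Return which ports got a reply (open/closed in Nmap's report), which stayed
    unanswered (reported as filtered), and how many probes it cost."""
    pending, resolved, last_seen, t, sent = list(ports), [], None, 0.0, 0
    for _round in range(retries + 1):
        still_pending = []
        for port in pending:
            sent += 1
            if last_seen is None or t - last_seen >= window:
                resolved.append(port)        # first packet in a fresh window is answered
            else:
                still_pending.append(port)   # dropped: the scanner will retry it
            last_seen = t                    # even a dropped packet refreshes the limiter
            t += gap
        pending = still_pending
        if not pending:
            break
        t += retry_interval                  # wait for the round's timeout before retrying
    return {"resolved": resolved, "filtered": pending, "probes_sent": sent}


if __name__ == "__main__":
    # -T5 against the 1-second rule: 5 ms between probes, --max-retries 2
    print("T5 / 1s rule  :", simulate(range(21, 26), 0.005, 2, 1.5, 1.0))
    # -T4-style probes against the 3-second rule never reach a fresh window
    print("T4 / 3s rule  :", simulate(range(21, 26), 0.010, 6, 1.5, 3.0))
    # -T1 (15 s between probes) against the 3-second and 200-second rules
    print("T1 / 3s rule  :", simulate(range(21, 26), 15.0, 10, 15.0, 3.0))
    print("T1 / 200s rule:", simulate(range(21, 26), 15.0, 1, 60.0, 200.0))
    # -T0 (5 minutes between probes) against the 200-second rule
    print("T0 / 200s rule:", simulate(range(21, 26), 300.0, 0, 0.0, 200.0))
```

The runs reproduce the pattern in the captures above: the rule turns unanswered ports into "filtered" results and limits discovery to one port per window, but does not hide them from a scan whose probes are spaced wider than the window.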

Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher.
