Friday, December 5, 2014

NMAP switch to avoid IPS or IDS detection

I was running a scan against a server behind a WatchGuard firewall and I got banned: the firewall blacklisted my public IP address. This killed me because I manage the firewall, and when I began troubleshooting what happened I was not able to reach the firewall itself or the VPN.

Now if you do:

C:\Users\Raul>nmap -T2 192.168.1.20

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-05 17:22 Central Standard Time
Nmap scan report for 192.168.1.20
Host is up (0.086s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
993/tcp  open  imaps
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 927.56 seconds

C:\Users\Raul>

Did you notice the time? It took 927 seconds, that is, 15 minutes. Yes, to avoid being detected you need to move slowly, one packet at a time, so the IPS will time out and ignore the packet.

You could run nmap 192.168.1.20 without the -T2 switch and it would be faster if there is no IPS/IDS. If there is one, you lose the connection and need to wait until the IPS removes your IP address from the blacklist.

So, to make sure you do not lose time and get good results within your pentest scope, you need to be sneaky, LOL.

It takes time to sharpen your skills; just keep practicing and you will get it.
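Seen from the firewall administrator's side, the behaviour above shows why a port-scan rule that only counts probes over a few seconds misses a slow sweep, while counting distinct destination ports per source over a longer window still catches it. The following is an added example, not part of the original post; the event format, thresholds and source addresses are constructed for illustration.

```python
from collections import defaultdict, deque

def flag_scanners(events, window_s, min_ports):
    """Return sources that hit >= min_ports distinct ports within window_s seconds.

    events: iterable of (timestamp_seconds, src_ip, dst_port), sorted by time.
    """
    recent = defaultdict(deque)                      # src -> (ts, port) inside window
    counts = defaultdict(lambda: defaultdict(int))   # src -> port -> hits inside window
    flagged = set()
    for ts, src, port in events:
        q, c = recent[src], counts[src]
        q.append((ts, port))
        c[port] += 1
        # Expire events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_s:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= min_ports:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed traffic: a slow sweep, a fast sweep and a normal web client."""
    ev = []
    # 1000 ports in about 927 s, the pace of the -T2 run shown above.
    ev += [(i * 0.927, "203.0.113.10", 1 + i) for i in range(1000)]
    # Fast sweep: the same 1000 ports in 5 s.
    ev += [(i * 0.005, "203.0.113.20", 1 + i) for i in range(1000)]
    # Ordinary client that only ever talks to ports 80 and 443.
    ev += [(i * 3.0, "203.0.113.30", (80, 443)[i % 2]) for i in range(300)]
    return sorted(ev)

if __name__ == "__main__":
    ev = sample_events()
    # Short window: only the fast sweep crosses the threshold.
    print("10 s window, 50 ports:   ", sorted(flag_scanners(ev, 10, 50)))
    # Long window: the slow sweep is flagged too; the web client never is.
    print("15 min window, 100 ports:", sorted(flag_scanners(ev, 900, 100)))
```

The long-window rule costs more state per source, which is the trade-off to weigh when tuning an IPS threshold.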

Do you want to learn more about security and how to test your network security? Please go to: http://www.thehost1.com/





