Contents
- Nmap firewall evasion
  - Sending fragmented packets (-f)
  - Limiting the maximum transmission unit (--mtu)
  - Decoy hosts (-D)
  - Source port spoofing (-g)
  - MAC address spoofing (--spoof-mac)
    - MAC addresses
    - Usage in Nmap
  - Appending random data (--data-length)
  - Time to live (--ttl)
  - Idle scan (-sI)
- Nmap formatted output
- Using scripts
  - Script categories
  - Selecting and viewing scripts
  - Passing script arguments
  - Script debugging
Nmap firewall evasion
Nmap does not offer a direct way to detect or defeat a firewall, but several of its features can disguise scan traffic so that it slips past the firewall's filtering rules.
Sending fragmented packets (-f)
When the original packets are split into fragments, the data in each fragment is incomplete, which makes it harder for filtering rules and firewalls to match the traffic. Note, however:
- Some older systems do not process fragmented packets correctly and can even hang.
- Nmap on Windows does not support sending fragmented scan packets well; it is best used on a native Linux system. (Kali running in WSL cannot send fragmented packets at all.)
Syntax: nmap -f target
Example: nmap -f 129.211.85.3
PS: To speed up the scan and reduce the number of packets sent, so that the difference is easy to see after capturing packets, I used the -sn parameter above, which performs host discovery without scanning ports.
Limiting the maximum transmission unit (--mtu)
Maximum Transmission Unit (MTU): some servers limit the maximum size of a data unit. In that case --mtu can be used to split the excess data into smaller packets so that the filtering rules do not intercept them. The principle is the same as fragmentation, except that the fragment size is set manually, so all the caveats of fragmented packets apply here as well. Note that the value given to --mtu must be a multiple of 8.
Syntax: nmap --mtu size target
Example: nmap --mtu 16 129.211.85.3
Decoy hosts (-D)
As I mentioned in the previous post, Nmap only scans actively, so every scan of a target host is likely to leave a record. To avoid the host identifying us and blocking our IP, we can use decoy hosts: Nmap forges requests from several hosts at once, so even if the target notices that it is being scanned, it cannot tell which host is really scanning it. Some caveats:
- Decoys cannot be used with version detection (-sV) or TCP connect scans (-sT).
- Decoy scanning is only useful when there are many hosts on the same network; with only two hosts, decoys are meaningless.
- Using too many decoys does not help and makes the scan results inaccurate. Use about ten, and it is best to put your own host's IP after the sixth position, because many common port-scan detectors do not report IPs beyond the sixth.
We can specify the decoy IPs ourselves: nmap -D decoyIP,decoyIP,...,ownIP target
Example: nmap -sn -D 222.222.222.222,111.111.111.111 129.211.85.3
We can also let Nmap generate decoy IPs automatically: nmap -D RND:number_of_decoys target
Example: nmap -sn -D RND:10 129.211.85.3
Source port spoofing (-g)
Source port spoofing is quite different from decoy hosts: instead of forging traffic from multiple hosts, it makes our packets appear to come from a specified source port. Anyone who has bought a cloud host knows that it comes with a firewall, but individual developers often open a few ports for convenience, and this is not limited to us; some more professional products do the same. For example, a personal firewall may allow port 53 (DNS) by default, and the built-in Windows XP firewall allows port 88 (Kerberos). For such a gap in the security checks, Nmap naturally provides a corresponding scanning method.
The source port spoofing parameters are -g and --source-port (they do exactly the same thing). As long as you find a port that has been left out of the security checks, you can scan with a spoofed source port. Most TCP and UDP scans support this parameter.
Syntax: nmap -g spoofed_port target
Example: nmap -g 3306 -p 80 129.211.85.3
MAC address spoofing (--spoof-mac)
MAC addresses
Besides the possibility of our IP being blocked, our MAC address is another way for the other side to identify us, so Nmap also provides MAC address spoofing. First, some rules about MAC addresses:
- A MAC address is six bytes, or 48 bits.
- It is divided into two parts. The first three bytes are:
  - The Organizationally Unique Identifier (OUI), assigned to vendors by the IEEE (Institute of Electrical and Electronics Engineers). It is 24 bits long, and the IEEE guarantees that it does not collide between manufacturers.
  - The two low-order bits of the first byte of the OUI are:
    - The Individual/Group (I/G) bit. If I/G is 0, the address belongs to a single device, that is, it is a unicast address. If I/G is 1, it is a multicast address.
    - The Global/Local (G/L) bit, also called the U/L bit, where U stands for Universal. If G/L is 0, it is a globally administered address assigned by the IEEE to a vendor. If G/L is 1, it is a locally administered address that can be assigned on the device itself.
- The last three bytes are the Extended Unique Identifier (EUI), assigned by the manufacturer, which ensures that the identifier is not repeated between devices.
MAC addresses are used in three ways:
- Unicast: one-to-one communication with the MAC address of the peer. (Analogy: a one-to-one conversation.)
- Multicast: one-to-many communication within a group of devices on a LAN. (Analogy: a meeting of a group of people.)
- Broadcast: communication with every address on the LAN without needing to know anyone's MAC. (Analogy: shouting in the street through a loudspeaker: "Wenzhou, Zhejiang, Wenzhou, Zhejiang, the largest leather factory has closed down...")
You can query or download the MAC address assignments issued by the IEEE from the IEEE official website.
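The address structure described above, decoded in code. This is an added example written for this page, not part of the original post or of Nmap: it splits a MAC into OUI and EUI, reads the I/G and G/L bits of the first byte, and then audits a few constructed DHCP-lease-style lines for addresses that should never appear as a host's source MAC (group bit set) or that do not carry an IEEE-assigned OUI (locally administered). The lease lines and every address in them are constructed sample data.

```python
import re

# Constructed sample input in the style of a DHCP lease list: "ip mac hostname".
# Not real data; the addresses were chosen to exercise each branch below.
SAMPLE_LEASES = """\
10.0.0.11 b8:c3:85:12:34:56 host-a
10.0.0.12 c0:75:c8:07:2a:16 host-b
10.0.0.13 02:00:5e:10:00:01 host-c
10.0.0.14 01:00:5e:00:00:fb host-d
"""


def parse_mac(text):
    """Split a MAC into OUI / EUI and decode the I/G and G/L bits of the first byte."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    octets = bytes.fromhex(digits)
    first = octets[0]
    return {
        "mac": ":".join("%02x" % b for b in octets),
        "oui": ":".join("%02x" % b for b in octets[:3]),  # first three bytes, IEEE-assigned
        "eui": ":".join("%02x" % b for b in octets[3:]),  # last three bytes, vendor-assigned
        "group": bool(first & 0x01),  # I/G bit: 1 = multicast / group address
        "local": bool(first & 0x02),  # G/L (U/L) bit: 1 = locally administered
    }


def audit_leases(text):
    """Return (ip, mac, finding) for every lease whose MAC is not an ordinary
    globally administered unicast address, or that cannot be parsed at all."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1]
        try:
            info = parse_mac(mac)
        except ValueError:
            findings.append((ip, mac, "malformed MAC address"))
            continue
        if info["group"]:
            # A group address can be a destination, never a real interface's own address.
            findings.append((ip, info["mac"], "group (multicast) bit set"))
        elif info["local"]:
            # No IEEE OUI behind it: could be a VM, a privacy-randomised MAC, or a spoofed one.
            findings.append((ip, info["mac"], "locally administered address"))
    return findings


if __name__ == "__main__":
    for ip, mac, finding in audit_leases(SAMPLE_LEASES):
        print(ip, mac, finding)
```

A locally administered address is not proof of spoofing on its own: many operating systems now randomise the MAC for privacy, and virtual machines commonly use locally administered ranges, so treat the finding as a prompt to check the asset inventory rather than as an alert by itself.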
Usage in Nmap
Nmap's MAC address spoofing can be used in several ways, which I will introduce one by one. The first thing to know is that spoofing the MAC address makes host discovery fail, so whenever we spoof the MAC we must also pass the -Pn parameter, which marks the target as alive and skips the host discovery phase.
- Parameter: 0. This is probably the most used form; Nmap generates a random MAC address for us.
  Example: nmap -Pn --spoof-mac 0 129.211.85.3
- Parameter: 12 hexadecimal digits, in groups of two separated by colons. This specifies the MAC address manually, which is only advisable if you know the MAC address rules well; otherwise do not write one yourself. An online MAC address generator can produce an address of the desired type.
  Example: nmap -Pn --spoof-mac C0:75:C8:07:2A:16 129.211.85.3
- Parameter: six hexadecimal digits. This specifies an Organizationally Unique Identifier (OUI) and lets Nmap generate the extended unique identifier automatically. Here I used B8:C3:85, which is Huawei's OUI.
  Example: nmap -Pn --spoof-mac B8:C3:85 129.211.85.3
- Parameter: vendor name. This uses a MAC address belonging to the given vendor. Because the vendor name is strictly case sensitive, it is not very convenient to use.
  Example: nmap -Pn --spoof-mac Apple 129.211.85.3
PS: Do not use MAC address spoofing on a LAN (the same network segment as the target host). On a LAN the MAC address is what locates the target host, so if it is changed, communication with the target cannot be established.
Appending random data (--data-length)
By default Nmap sends packets with an empty payload, which some security detection mechanisms intercept. To avoid that, Nmap can pad packets with random data. Note, however, that this option slows down most ping and port scans.
Syntax: nmap --data-length length target
Example: nmap -sn --data-length 50 152.32.251.110
Time to live (--ttl)
The time-to-live field is the number of hops a packet may survive; it exists to prevent routing loops. Each time our packet passes through a host that implements TCP/IP normally, the TTL is decremented by one. If the TTL reaches zero, the packet is discarded and a failure message is returned to our host.
Syntax: nmap --ttl count target
If the count is too low, the TTL may drop to zero before our packet reaches the target host. For example:
nmap -sn --ttl 10 152.32.251.110
Using the TTL in this way we can find out how many hops lie between our host and the target host.
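The same TTL arithmetic works in the other direction: a receiver can estimate how far away a sender is from the TTL its packets arrive with. This added example (written for this page; not from the original post or from Nmap) rounds each observed TTL up to the nearest common operating-system default, derives a hop count, and then flags sources whose hop estimates disagree with each other. The netfilter-style log lines are constructed sample data, and the assumption that senders start from 32, 64, 128 or 255 is exactly what a sender using --ttl breaks, which is why the last line stands out.

```python
import re

# Constructed lines in the style of Linux netfilter (iptables LOG target) messages.
# Not real traffic; the TTL values were chosen to show one consistent and one odd sender.
SAMPLE_FIREWALL_LOG = """\
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TTL=54 ID=1 PROTO=TCP SPT=3306 DPT=80 SYN
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=44 TTL=54 ID=2 PROTO=TCP SPT=3306 DPT=443 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=44 TTL=119 ID=3 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=44 TTL=3 ID=4 PROTO=TCP SPT=40000 DPT=22 SYN
"""

# Assumption: senders start from one of the usual operating-system defaults.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

_FIELD_RE = re.compile(r"\b(SRC|TTL)=(\S+)")


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) by rounding the observed TTL up to the
    nearest common default. A sender that sets its own TTL defeats this guess."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is always an upper bound")


def hops_by_source(log_text):
    """Map each source IP to the sorted list of distinct hop estimates seen for it."""
    seen = {}
    for line in log_text.splitlines():
        fields = dict(_FIELD_RE.findall(line))
        if "SRC" not in fields or "TTL" not in fields:
            continue  # not a netfilter packet line
        _, hops = estimate_hops(int(fields["TTL"]))
        seen.setdefault(fields["SRC"], set()).add(hops)
    return {src: sorted(hops) for src, hops in seen.items()}


def inconsistent_sources(log_text, tolerance=2):
    """Sources whose hop estimates spread more than `tolerance` apart. A real host
    on a stable path gives a tight cluster; a wide spread suggests a manipulated
    TTL, several machines behind one address, or an unusual initial TTL."""
    return sorted(
        src for src, hops in hops_by_source(log_text).items()
        if hops[-1] - hops[0] > tolerance
    )


if __name__ == "__main__":
    print(hops_by_source(SAMPLE_FIREWALL_LOG))
    print("inconsistent:", inconsistent_sources(SAMPLE_FIREWALL_LOG))
```

The estimate is only as good as the default-TTL assumption, so use it to group and compare traffic rather than as a precise distance measurement.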
Idle scan (-sI)
This is one of the most complex scanning methods currently available and also one of the stealthiest. The detailed scanning principle is described on the Nmap website. For an idle scan to be completely invisible, the -Pn parameter is required, because otherwise ping packets are sent from the attacker's own address to the target. We also need to find a zombie host with no firewall and make sure there is little traffic between us and the zombie, otherwise the accuracy of the results suffers. Although the principle behind idle scanning is very elegant, the conditions for using it are so strict that we rarely get to use it in practice. I do not currently have a host with its firewall turned off. I tried Windows and Linux hosts that did not have their firewalls off, but they cannot act as zombie hosts, so I will not give a practical demonstration here.
Syntax: nmap -sI zombie_ip:port -Pn target
Nmap formatted output
If we need to save the results of an Nmap scan, Nmap provides several methods:
- Save as a text file, -oN: nmap -sn -oN "save path" target
  Example: nmap -sn -oN "C:\netsecurity-related software\nmap\Saved data text file.txt" 152.32.251.110
- Save as an XML file, -oX: nmap -sn -oX "save path" target
- Save in grepable format, -oG: nmap -sn -oG "save path" target
In addition, we can use the save function of Nmap's graphical front end (Zenmap).
Using scripts
Nmap extension scripts: NSE (Nmap Scripting Engine). Nmap's extension scripts are written in Lua, and Nmap embeds a Lua interpreter, so writing an Nmap script means writing Lua. If you don't know Lua, don't worry: hundreds of scripts have already been written for everyday use. By default Nmap stores its scripts under the \Nmap\scripts path.
Script categories
Category | Description
---|---
auth | Scripts that deal with authentication credentials (including bypassing authentication)
broadcast | Discover more services on the LAN, such as DHCP, DNS and SQL Server, by broadcasting
brute | Brute-force attacks against common applications, such as HTTP or SNMP
default | The scripts run by the -sC or -A option (default script scan)
discovery | Gather more information about the network, such as SMB enumeration and SNMP queries
dos | Denial-of-service attacks
exploit | Exploit known vulnerabilities to break into systems
external | Use a third-party database or resource, such as whois lookups
fuzzer | Fuzzing scripts that send malformed packets to the target to find potential vulnerabilities
intrusive | Intrusive scripts that may place a heavy load on the target network or even crash it, and may therefore be logged or blocked by the target's IDS/IPS
malware | Check whether the target is infected with malware or has a backdoor open
safe | The opposite of intrusive; scripts considered safe to run
version | Scripts that enhance service and version detection
vuln | Check whether the target has a known vulnerability, such as MS08-067
Selecting and viewing scripts
If you don't know what scripts exist or what they do, you can view the scripts and their descriptions in Zenmap's profile editor.
There are several ways to select scripts on the command line: --script <filename> | <category> | <directory> | <expression>
By file name: nmap --script http-git 152.32.251.110
(This script discovers Git repositories exposed over HTTP.)
By directory: nmap --script I:\netsecurity\nmap\scripts 152.32.251.110
By category, for example the default category: nmap --script default 152.32.251.110
By default, the default category contains scripts such as:
- banner.nse: a banner is the information a service announces about itself, such as the software vendor, name, version and service type; it can be thought of as a profile of the server. This script gathers that information.
- broadcast-ping.nse: discovers hosts on the network using broadcast ping.
- dns-recursion.nse: reports whether a DNS server allows recursive queries from third parties. (If it does, it can be abused for DNS amplification attacks.)
- upnp-info.nse: attempts to extract system information through UPnP.
- firewalk.nse: attempts to discover firewall devices using the TTL expiry mechanism of the IP protocol.
There are many more that I will not go through, but if you want to see all the scripts of a given type, enter the category in the profile editor and all scripts in that category are checked automatically.
Nmap scripts also support <expressions>, with the wildcard * and the operators not, or and and. For example, nmap --script "http-*" selects all http- scripts, and nmap --script "http-* and not http-git" selects all http- scripts except http-git.
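To make the selection rules concrete, here is an added example (written for this page, not Nmap's own implementation) of an evaluator for script expressions of the kind just shown: it tokenises the expression, applies the precedence not > and > or with parentheses, matches each wildcard pattern against a script's name or one of its categories, and returns the scripts selected from a small catalogue. The catalogue is a constructed sample that borrows some real script names but assigns categories for illustration only; look at the real script.db for the authoritative list. It also goes slightly beyond the page by reporting malformed expressions instead of silently matching nothing.

```python
import fnmatch
import re

# Constructed catalogue: script name -> categories. Illustrative only, not Nmap's script.db.
SCRIPT_CATALOGUE = {
    "banner": {"default", "discovery", "safe"},
    "broadcast-ping": {"broadcast", "discovery", "safe"},
    "dns-recursion": {"default", "safe"},
    "http-git": {"default", "safe", "vuln"},
    "http-methods": {"default", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "ssh-hostkey": {"default", "discovery", "safe"},
}

_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def _matches(pattern, name, categories):
    """A pattern selects a script if it matches the script name or any of its categories."""
    return fnmatch.fnmatchcase(name, pattern) or any(
        fnmatch.fnmatchcase(cat, pattern) for cat in categories
    )


class _Evaluator:
    """Recursive-descent evaluator: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, expr, name, categories):
        self.tokens = _TOKEN_RE.findall(expr)
        self.pos = 0
        self.name = name
        self.categories = categories

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def evaluate(self):
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self._peek())
        return result

    def _or(self):
        result = self._and()
        while self._peek() == "or":
            self._next()
            rhs = self._and()  # always evaluated so the whole expression is validated
            result = result or rhs
        return result

    def _and(self):
        result = self._not()
        while self._peek() == "and":
            self._next()
            rhs = self._not()
            result = result and rhs
        return result

    def _not(self):
        tok = self._next()
        if tok == "not":
            return not self._not()
        if tok == "(":
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in (")", "and", "or"):
            raise ValueError("unexpected token %r" % tok)
        return _matches(tok, self.name, self.categories)


def select_scripts(expr, catalogue=SCRIPT_CATALOGUE):
    """Return the sorted names of catalogue scripts selected by the expression."""
    return sorted(
        name for name, cats in catalogue.items()
        if _Evaluator(expr, name, cats).evaluate()
    )


if __name__ == "__main__":
    print(select_scripts("http-* and not http-git"))
```

Quoting the expression on the command line matters for the same reason it matters here: an unquoted * is expanded by the shell before Nmap ever sees it.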
Passing script arguments
Arguments are passed with --script-args.
We can also pass the arguments in a file with --script-args-file.
Here we use the http-methods script and its http.useragent argument to demonstrate script arguments.
First we scan the target the usual way, without any arguments: nmap -p80 --script http-methods 114.67.84.105
In the captured request you will find that Nmap honestly tells the other side that a scanner is scanning it: User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r\n
If we want to imitate a real browser visit, we need to replace the request header by passing an argument: nmap -p80 --script http-methods --script-args http.useragent="Mozilla/5.0 (Windows 10.0; Win64; x64)" 114.67.84.105
or: nmap -p80 --script http-methods --script-args-file "I:\network security\temporary data\nmap script parameters.txt" 114.67.84.105
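From the web server's side, the User-Agent above is the easy signal, and the argument just shown is exactly what removes it. This added example (written for this page, not part of the original post or of Nmap) parses a few constructed combined-format access log lines, flags requests whose User-Agent carries the scripting engine's marker, and then shows the behavioural check that survives a spoofed User-Agent: http-methods works by sending an OPTIONS request, so sources issuing OPTIONS are listed regardless of what they claim to be. All log lines, addresses and timestamps are constructed sample data.

```python
import re

# Constructed Apache/Nginx combined-format access log lines; not real traffic.
# The first two mimic http-methods with the default User-Agent, the last one the
# same probe after the User-Agent was replaced, with a normal browser in between.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows 10.0; Win64; x64)"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings of the default NSE User-Agent string quoted on the page.
SCANNER_UA_MARKERS = ("Nmap Scripting Engine", "nmap.org/book/nse.html")


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = _LOG_RE.match(line)
    return match.groupdict() if match else None


def scanner_hits(log_text):
    """(ip, method, user_agent) for requests whose User-Agent carries a scanner marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
            hits.append((rec["ip"], rec["method"], rec["ua"]))
    return hits


def options_probes(log_text):
    """Sorted source IPs that sent OPTIONS requests, whatever User-Agent they declared.
    Ordinary browsers almost never send OPTIONS outside CORS preflights, so this
    catches the http-methods probe even after the User-Agent has been replaced."""
    sources = set()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["method"] == "OPTIONS":
            sources.add(rec["ip"])
    return sorted(sources)


if __name__ == "__main__":
    print("by user-agent:", scanner_hits(SAMPLE_ACCESS_LOG))
    print("by behaviour:", options_probes(SAMPLE_ACCESS_LOG))
```

The difference between the two results is the lesson: a signature on a header the client controls is trivial to remove, so pair it with a check on what the client actually does.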
Script debugging
If we want to see how a script works, we do not have to read its source, because Lua is not widely used and learning it just to read the source is expensive. Instead we can use a few debugging parameters to see what the script is doing and what data it sends and receives.
--script-trace: traces script execution. Not every script outputs trace information.
-d[1-9]: debug mode; the higher the number, the more detailed the debugging output. Example: nmap --script http-git -d9 152.32.251.110
--packet-trace: shows all packets sent and received.