Whenever a packet is sent from one device to another, the source IP address is included within the header of the packet. This is the default behavior of the TCP/IP protocol stack.

Avoiding detection using decoys:

To scan the target system at 172.30.1.134 while using the decoy feature of Nmap, use the -D option:

nmap target_ip -D DECOY_IP

More nmap based IDS evasion scans:

nmap -Pn -sV -p80,443 -f --mtu 8 IP_ADDRESS

nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D GATEWAY_IP_FOR_DECOY ATTACKING_IP

nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -g 53 -D GATEWAY_IP_FOR_DECOY ATTACKING_IP

COMMAND BRIEFS:

  1. The first command sends fragmented packets so that an IDS which does not reassemble fragments cannot analyze them. MTU stands for Maximum Transmission Unit; the --mtu value is the fragment data size, it must be a multiple of 8, and the minimum is 8 bytes. (The Nmap manual advises not to combine -f with --mtu, since --mtu alone already sets the fragment size.)
  2. The second command uses decoy IPs. We make the scan appear to come from the gateway itself by giving a decoy IP such as 192.168.0.1. To specify more than one decoy IP, separate the decoy IPs with commas.
  3. We can also change the source port to look less suspicious, because normally a random source port is used for the packet transfer; to avoid that we use the -g option followed by the port number we want to spoof.
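From the defender's side, the three techniques above each leave a footprint a sensor can look for: 8-byte IP fragments, a burst of SYNs from several sources to the same port at the same instant, and SYNs whose source port is a service port. The following is an added example, not part of the original page, that runs three such detections over constructed log records (the record format, field names and thresholds are assumptions; the sensor is assumed to report the SYN flag after its own reassembly).

```python
from collections import defaultdict

# Constructed sample records, not real traffic (dst is the page's 172.30.1.134): a
# fragmented decoy scan from 10.0.0.9 with decoys 192.168.0.1 and 10.0.0.77 using
# source port 53, plus ordinary client traffic. frag = IP fragment, plen = payload bytes.
def rec(ts, src, sport, dport, syn=True, frag=False, plen=24):
    return {"ts": ts, "src": src, "sport": sport, "dst": "172.30.1.134",
            "dport": dport, "syn": syn, "frag": frag, "plen": plen}

SAMPLE = [
    rec(100.0, "192.168.0.1", 53, 445),                             # decoy
    rec(100.0, "10.0.0.9", 53, 445, frag=True, plen=8),             # real host, 8-byte fragment
    rec(100.0, "10.0.0.9", 53, 445, syn=False, frag=True, plen=8),  # trailing fragment
    rec(100.1, "10.0.0.77", 53, 445),                               # decoy
    rec(100.2, "192.168.0.1", 53, 3389),
    rec(100.2, "10.0.0.9", 53, 3389, frag=True, plen=8),
    rec(100.3, "10.0.0.77", 53, 3389),
    rec(500.0, "10.0.0.5", 51022, 443),                             # ordinary client
    rec(700.0, "10.0.0.6", 51024, 443, syn=False, frag=True, plen=1480),  # normal-sized fragment
]

def tiny_fragments(records, max_payload=8):
    """-f / --mtu 8 footprint: IP fragments carrying at most 8 bytes. Legitimate
    fragments are close to the link MTU, so such pieces are worth alerting on."""
    return [r for r in records if r["frag"] and r["plen"] <= max_payload]

def decoy_bursts(records, window=1.0, min_sources=3):
    """-D footprint: the real host and every decoy probe the same dst:port at the
    same instant. Return {(dst, dport): sorted sources} for ports where at least
    min_sources distinct sources sent a SYN inside `window` seconds."""
    by_target = defaultdict(list)
    for r in records:
        if r["syn"]:
            by_target[(r["dst"], r["dport"])].append(r)
    hits = {}
    for key, rs in by_target.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):
            srcs = {x["src"] for x in rs[i:] if x["ts"] - first["ts"] <= window}
            if len(srcs) >= min_sources:
                hits[key] = sorted(srcs)
                break
    return hits

def service_source_ports(records, trusted=(53, 20)):
    """-g 53 footprint: a SYN whose *source* port is a service port (DNS, FTP-data)
    aimed at an unrelated service; firewalls that trust such ports miss this."""
    return [r for r in records if r["syn"] and r["sport"] in trusted and r["dport"] not in trusted]

if __name__ == "__main__":
    print(len(tiny_fragments(SAMPLE)), "tiny fragments")
    print(decoy_bursts(SAMPLE))
    print(len(service_source_ports(SAMPLE)), "SYNs from service source ports")
```

Note that the decoy detector cannot tell which of the burst's sources is the real scanner; correlating the same sources across other sensors, or checking which one completes a handshake, is what separates the real host from its decoys.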