1. Nmap supports both MAC and IP address spoofing; use the following command:
nmap -Pn --spoof-mac Dell target_ip


  1. I captured the live packets using Wireshark; it actually spoofed the MAC address to Dell's MAC address.
  2. You can set the option --spoof-mac 0 to let Nmap choose a completely random MAC address (vendor prefix included).
  3. To spoof an IP address during a scan with Nmap, use the -S option (with -e to name the interface to send from):
sudo nmap -S spoofed_ip -e eth0 target_ip
# sudo nmap -S 192.168.0.1 -e eth0 172.30.1.134

IP spoofing on its own won't give usable results: when the target answers the spoofed SYN, its TCP SYN-ACK goes to the spoofed IP, so we never receive the reply and never get connection or scan results back.

  1. Use decoys (-D) for the IP address instead:
nmap -D DECOY_IP_1,DECOY_IP_2,ME,DECOY_IP_3 target_ip
  • ME: Nmap inserts our actual IP at this position among the decoys, cool isn't it.

Having completed this section, you have learned how to evade detection on a network while scanning with Nmap.


Performing a stealth scan:

By default, Nmap establishes a TCP 3-way handshake on any open TCP ports found on the target systems. Once the handshake has been established between the attacker system and the target, data packets are exchanged between the two hosts.

  1. To avoid completing the three-way handshake, we can use Nmap's stealth scan. A stealth scan does not establish a full TCP handshake with the target.
    1. The attacker machine tricks the target by sending a TCP SYN packet to a specific port on the target system to determine whether the port is open.
    2. The target system responds with a TCP SYN/ACK packet if the port is open.
    3. Lastly, the attacker sends a TCP RST packet to the target to reset the connection state and terminate the connection.
  2. Nmap stealth scanning uses the -sS option:
nmap -sS -p80 172.30.1.134

Wireshark view of the SYN -> SYN-ACK -> RST flow
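As an added defender-side example (not part of the original notes), the following Python script reads tcpdump-style lines, tells a half-open SYN scan (SYN, SYN/ACK, RST) apart from a completed connection (SYN, SYN/ACK, ACK), and flags bursts of SYNs from several source addresses against the same target port, which is the footprint a -D decoy scan leaves on the wire. The line format, the sample traffic and the 50 ms burst window are constructed assumptions.

```python
import re
# Assumed tcpdump-like line: "<t> <src>.<sport> > <dst>.<dport>: Flags [<flags>]" (S=SYN .=ACK R=RST)
LINE_RE = re.compile(r"^(?P<t>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
# Constructed sample: a half-open scan, a normal connect, and a decoy-style SYN burst to port 22.
SAMPLE = """\
0.000 172.30.1.50.40001 > 172.30.1.134.80: Flags [S]
0.001 172.30.1.134.80 > 172.30.1.50.40001: Flags [S.]
0.002 172.30.1.50.40001 > 172.30.1.134.80: Flags [R]
1.000 172.30.1.60.50001 > 172.30.1.134.80: Flags [S]
1.001 172.30.1.134.80 > 172.30.1.60.50001: Flags [S.]
1.002 172.30.1.60.50001 > 172.30.1.134.80: Flags [.]
2.000 10.0.0.7.41001 > 172.30.1.134.22: Flags [S]
2.003 10.0.0.8.41001 > 172.30.1.134.22: Flags [S]
2.005 172.30.1.50.41001 > 172.30.1.134.22: Flags [S]
"""
def parse(text):
    """Parse capture lines into dicts; lines that do not match the format are skipped."""
    return [dict(m.groupdict(), t=float(m["t"]))
            for m in map(LINE_RE.match, text.splitlines()) if m]
def classify_flows(records):
    """Map each client-initiated SYN to 'half-open-scan', 'connect' or 'incomplete'."""
    state, verdict = {}, {}
    for r in records:
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        f = r["flags"]
        if f == "S":                                   # bare SYN opens a new flow
            state[fwd], verdict[fwd] = "syn", "incomplete"
        elif f == "S." and state.get(rev) == "syn":    # server answered SYN/ACK
            state[rev] = "synack"
        elif state.get(fwd) == "synack":               # client's next packet decides
            verdict[fwd] = "half-open-scan" if "R" in f else ("connect" if f == "." else "incomplete")
            state[fwd] = "done"
    return verdict
def decoy_bursts(records, window=0.05, min_sources=3):
    """(target, port, sources) where >= min_sources addresses sent a bare SYN to one port within `window` s."""
    syns = {}
    for r in records:
        if r["flags"] == "S":
            syns.setdefault((r["dst"], r["dport"]), []).append((r["t"], r["src"]))
    hits = []
    for (dst, dport), probes in syns.items():
        for t0, _ in sorted(probes):
            srcs = {s for t, s in probes if t0 <= t <= t0 + window}
            if len(srcs) >= min_sources:
                hits.append((dst, dport, sorted(srcs)))
                break
    return hits
```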