Nmap’s firewall evasion techniques are designed to sneak past network defenses by manipulating how packets are constructed and sent, making it harder for firewalls to detect and block scans.
Let’s watch Nmap in action, bypassing a firewall. Imagine we’re trying to scan a target 192.168.1.100 on port 80. A standard SYN scan (nmap -sS 192.168.1.100) might be blocked.
# Standard SYN scan - likely blocked by a firewall
nmap -sS 192.168.1.100
Now, let’s try a fragmented scan. We’ll tell Nmap to break the IP packets into smaller pieces, forcing the firewall to reassemble them before it can inspect the full packet. This often bypasses simple stateful inspection rules.
# Fragmented IP packets - bypasses some firewalls
nmap -f -sS 192.168.1.100
If that doesn’t work, we can try varying the IP fragmentation further. Nmap allows specifying the fragment size. A common technique is to use a small fragment size, like 8 bytes.
# Explicit 8-byte fragments; --mtu is used instead of -f, not alongside it
nmap --mtu 8 -sS 192.168.1.100
The core problem Nmap’s evasion techniques solve is the "stateful inspection" and "signature-based detection" capabilities of modern firewalls. These firewalls look at the entire packet, its context, and compare it against known malicious patterns. By altering packet structure, timing, or content, Nmap can present a scan in a way that bypasses these checks.
Consider a firewall that’s configured to drop packets with unusual TCP flags. Nmap can craft packets with specific flag combinations that might be allowed through while still eliciting a response from the target port. The "Xmas scan" (-sX) is a good example, setting FIN, PSH, and URG flags.
# Xmas scan - sets FIN, PSH, URG flags
nmap -sX -p 80 192.168.1.100
Another method is the "Null scan" (-sN), which sends a packet with no TCP flags set. On most systems, a closed port will respond with a RST, while an open port will ignore it, allowing Nmap to infer the state. Firewalls might not have specific rules to detect or block these "non-standard" flag combinations.
# Null scan - no TCP flags set
nmap -sN -p 80 192.168.1.100
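To see what the fragment and flag tricks above look like from the filtering side, here is an added Python example (my own, not code from the original page or from the Nmap project). It builds minimal IPv4/TCP headers shaped the way -f/--mtu 8, -sX and -sN shape them, then applies the checks a firewall or IDS uses on them: the RFC 1858 tiny-fragment test, the rule that a non-initial fragment cannot be judged without reassembly, and the stateful rule that every legitimate segment is a SYN, a RST, or carries ACK. The builder, fragment and reassemble functions, the addresses and the packet values are all constructed for the demo; no checksums are computed.

```python
"""Classify raw IPv4/TCP headers for the scan shapes produced by nmap -f/--mtu, -sX and -sN.
Constructed example: header builders and sample values are made up for the demo."""
import struct
from dataclasses import dataclass
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MF_FLAG = 0x2000        # IPv4 "more fragments" bit in the flags/offset field
MIN_TCP_HEADER = 20     # a first fragment shorter than this cannot hold ports and flags


@dataclass
class Verdict:
    kind: str
    detail: str


def build_ipv4(payload: bytes, proto: int = 6, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload. Constructed addresses."""
    flags_off = (MF_FLAG if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([192, 168, 1, 100]))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5) carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def fragment(packet: bytes, mtu: int) -> List[bytes]:
    """Split the packet's payload into mtu-byte IP fragments, the way 'nmap --mtu <n>' does."""
    ihl = (packet[0] & 0x0F) * 4
    payload, proto = packet[ihl:], packet[9]
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        last = off + mtu >= len(payload)
        frags.append(build_ipv4(chunk, proto, mf=not last, frag_offset=off))
    return frags


def reassemble(frags: List[bytes]) -> bytes:
    """Defragment before inspecting: rebuild the original packet from its fragments (the mitigation)."""
    ordered = sorted(frags, key=lambda p: struct.unpack("!H", p[6:8])[0] & 0x1FFF)
    payload = b"".join(p[(p[0] & 0x0F) * 4:] for p in ordered)
    return build_ipv4(payload, ordered[0][9])


def classify(packet: bytes) -> Verdict:
    """Apply the checks in the order a filter can decide them from the bytes on hand."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    more_frags = bool(flags_off & MF_FLAG)
    frag_offset = (flags_off & 0x1FFF) * 8
    payload = packet[ihl:]

    # A non-initial fragment carries no transport header: ports and flags are unknowable
    # until reassembly, which is why a stateful filter must defragment before it decides.
    if frag_offset > 0:
        return Verdict("non-initial-fragment", f"offset={frag_offset}, needs reassembly")
    # RFC 1858 "tiny fragment": the first fragment is too short to hold a whole TCP header.
    if proto == 6 and more_frags and len(payload) < MIN_TCP_HEADER:
        return Verdict("tiny-fragment", f"first fragment holds only {len(payload)} TCP header bytes")
    if proto != 6:
        return Verdict("non-tcp", f"ip proto {proto}")
    tcp_flags = payload[13]
    if tcp_flags == 0:
        return Verdict("null-scan", "no TCP flags set (nmap -sN)")
    if tcp_flags == (FIN | PSH | URG):
        return Verdict("xmas-scan", "FIN+PSH+URG set (nmap -sX)")
    # General stateful rule: a legitimate segment is a SYN, a RST, or carries ACK.
    if not (tcp_flags & (SYN | RST | ACK)):
        return Verdict("stray-flags", f"flags=0x{tcp_flags:02x} belong to no handshake or open flow")
    return Verdict("ok", f"flags=0x{tcp_flags:02x}")


if __name__ == "__main__":
    syn = build_ipv4(build_tcp(40000, 80, SYN))
    for name, pkt in [("syn", syn), ("null", build_ipv4(build_tcp(40000, 80, 0))),
                      ("xmas", build_ipv4(build_tcp(40000, 80, FIN | PSH | URG)))]:
        print(name, classify(pkt))
    frags = fragment(syn, 8)
    for f in frags:
        print("fragment", classify(f))
    print("reassembled", classify(reassemble(frags)))
```

The point of `reassemble` is that flagging tiny fragments is only a heuristic; the robust defence is to reassemble every fragmented packet and then run the same flag checks on the whole header, which is what stateful firewalls that track fragments do.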
For UDP scans, which are often slower and more easily detected because there is no handshake, Nmap offers the --data-length option. It appends arbitrary payload bytes to each probe so the packet looks more like legitimate traffic, which can evade simple UDP flood detection or rules that key on the size of empty probes.
# UDP scan with dummy data
nmap -sU --data-length 100 -p 53 192.168.1.100
The "decoys" feature (-D) is also a powerful evasion technique. Instead of just scanning the target, Nmap can send packets that appear to originate from multiple "decoy" IP addresses. This confuses the firewall and any intrusion detection systems (IDS) by creating a flood of traffic from various sources, making it harder to pinpoint the actual scanner. You can specify known decoy IPs or let Nmap choose them.
# Scan with decoys
nmap -sS -D RND:10 192.168.1.100
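From the defender's side, a decoy scan has a recognisable shape: several distinct source addresses probe the same destination port within a second or two, in lockstep. The added Python example below (my own, not from the original page or the Nmap project) parses constructed log lines written in the style of iptables/nftables LOG output and raises an alert for any destination:port that receives SYNs from at least `min_sources` different addresses inside a short window. The log lines, addresses, function names and thresholds are all assumptions made for the demo.

```python
"""Spot the lockstep burst that 'nmap -D' leaves in firewall logs.
Constructed example: the log lines below are made up in the style of iptables LOG output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Six sources hit 192.168.1.100:80 within two seconds; the last two lines are ordinary
# single connection attempts included for contrast. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.100 PROTO=TCP SPT=41000 DPT=80 SYN
2024-05-01T10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.100 PROTO=TCP SPT=43211 DPT=80 SYN
2024-05-01T10:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=192.168.1.100 PROTO=TCP SPT=39870 DPT=80 SYN
2024-05-01T10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.1.100 PROTO=TCP SPT=45002 DPT=80 SYN
2024-05-01T10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.140 DST=192.168.1.100 PROTO=TCP SPT=40119 DPT=80 SYN
2024-05-01T10:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.168.1.100 PROTO=TCP SPT=44750 DPT=80 SYN
2024-05-01T10:05:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.100 PROTO=TCP SPT=52310 DPT=443 SYN
2024-05-01T10:07:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.100 PROTO=TCP SPT=60122 DPT=80 SYN
"""

Event = Tuple[datetime, str, str, int]          # (timestamp, src, dst, dport)
Target = Tuple[str, int]                         # (dst, dport)

LINE_RE = re.compile(r"^(\S+) \S+ kernel: .*?SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+) .*?\bSYN\b")


def parse(log: str) -> List[Event]:
    """Keep only initial SYNs (no ACK) so established traffic does not inflate the counts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and " ACK" not in line:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def lockstep_bursts(events: List[Event], window: timedelta = timedelta(seconds=2),
                    min_sources: int = 4) -> Dict[Target, List[str]]:
    """Return {(dst, dport): sources} for each target probed by >= min_sources distinct
    addresses inside one window. Every window start is tried, so a burst is found
    wherever it sits in the log."""
    by_target: Dict[Target, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_target[(dst, dport)].append((ts, src))
    alerts: Dict[Target, List[str]] = {}
    for target, probes in by_target.items():
        for i, (t0, _) in enumerate(probes):
            srcs = {s for t, s in probes[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                alerts[target] = sorted(srcs)
                break
    return alerts


def analyze(log: str) -> Dict[Target, List[str]]:
    return lockstep_bursts(parse(log))


if __name__ == "__main__":
    for (dst, dport), srcs in analyze(SAMPLE_LOG).items():
        print(f"lockstep SYN burst on {dst}:{dport} from {len(srcs)} sources: {', '.join(srcs)}")
```

The alert names every source in the burst on purpose: the real scanner is in that set but cannot be picked out from the decoys by this signal alone, and the decoy addresses may belong to uninvolved hosts, so the sensible response is to alert and investigate rather than to auto-block every address in the list.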
The most surprising thing about Nmap’s firewall evasion is that the most effective techniques often rely on exploiting subtle, non-standard behaviors defined in RFCs that firewalls might not strictly enforce, or on simply making the scan look like something else entirely. For example, sending a SYN packet with an ACK flag set (-sS -SF) is a variation that can sometimes get through where a plain SYN is blocked, because the firewall might not expect a SYN packet to carry an ACK flag and therefore doesn’t apply the same strict SYN flood prevention rules. The underlying mechanism is that many firewalls have specific rulesets for the standard TCP flag combinations (SYN, ACK, FIN, RST) and might not have rules granular enough to detect or block packets that deviate slightly from those expected combinations, especially when this is combined with other evasion methods like fragmentation.
The next challenge you’ll face is dealing with Intrusion Detection/Prevention Systems (IDS/IPS) that go beyond simple packet filtering and analyze traffic patterns and payload content.