
Name: Piyush Jain

Course: Ethical Hacking Course - CEHv11


Mobile No: 9886137127
Email-Id: jpiyush063@gmail.com
Batch Date: 5th July
Project Name: CEH Module 3: Assignment 3

1|Page
CEH Module 3 Assignment 3

1) Scan beyond IDS/firewall using various evasion techniques


Ans) Here, we will use Nmap to evade the IDS/firewall using various techniques such as
packet fragmentation, source port manipulation, MTU and IP address decoys.

- Turn on the Windows 10 and Linux virtual machines

Note: In this lab, we are using the Linux virtual machine as the host and the
Windows 10 virtual machine as the target machine

- On the Windows 10 virtual machine, log in with the credentials


- Navigate to Control Panel -> System and Security -> Windows Defender Firewall
- Click Turn Windows Defender Firewall on or off, enable Windows Defender
Firewall and click OK, as shown in the screenshot.

As we see below, our scan was blocked by Windows Defender

Using packet fragments to bypass Defender

Packet fragementation refers to the spilitng of a probe into serval smaller pcakets
(fragments) while sending it to network.

Running the scan again with nmap -f <target IP address> (the -f switch splits the IP packet
into tiny fragments), we can now see the open ports and the services.

Another technique is to specify the maximum transmission unit (MTU).
Using the MTU option, smaller packets are transmitted instead of one complete packet at a
time. This technique evades the filtering and detection mechanisms enabled on the target
machine.

nmap --mtu 8 <target IP> (--mtu specifies the maximum transmission unit,
here 8-byte fragments)

Source port manipulation


Source port manipulation refers to replacing the actual source port number with a common port
number to evade the IDS/firewall. This is useful when the firewall is configured to allow packets
from well-known ports such as HTTP, DNS, FTP etc.

nmap -g 80 <target IP> (the -g or --source-port option performs source port manipulation)

Now, type nmap -D RND:10 <target IP address> and press Enter. In this command, -D
performs a decoy scan and RND generates random non-reserved IP addresses.
Note: The IP address decoy technique refers to generating or manually specifying decoy IP
addresses to evade the IDS/firewall. This technique makes it difficult for the IDS/firewall
to determine which IP address was actually scanning the network and which IP addresses
were decoys. With this command, Nmap automatically generates random decoys for the
scan and randomly positions the real IP address among the decoy IP addresses.

Now, click CEHv11 Windows 10 to switch to the Windows 10 machine (target machine) and
observe the packets captured by Wireshark, which displays multiple IP addresses in the
source column, as shown in the screenshot

This concludes the demonstration of evading the IDS and firewall using various evasion
techniques in Nmap.
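As an added example that is not part of the assignment, the following Python script shows the defender's view of the three techniques above: it runs simple detection heuristics over constructed packet summaries, flagging fragmented TCP probes (fragmentation splits the TCP header, so a firewall that inspects only the first fragment never sees the ports), SYNs arriving from a well-known source port such as 80, and one destination port probed from many source addresses at once, the footprint a -D RND:10 decoy scan leaves in Wireshark. The addresses 10.10.1.10 (host) and 10.10.1.16 (target) follow the second task's lab note; the decoy addresses are constructed.

```python
from collections import defaultdict

SCANNER = "10.10.1.10"  # host machine address from the assignment's lab note
TARGET = "10.10.1.16"   # target address used in the assignment's commands

def pkt(src, sport, dst, dport, flags="S", mf=False, frag_off=0):
    """One packet summary: the IP/TCP header fields a firewall or IDS inspects."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "mf": mf, "frag_off": frag_off}

# Constructed sample traffic (not a real capture). Decoy sources use the
# 192.0.2.0/24 documentation range.
SAMPLE = [
    pkt(SCANNER, 51234, TARGET, 445),                          # ordinary SYN
    pkt(SCANNER, 40001, TARGET, 135, mf=True),                 # nmap -f: first fragment
    pkt(SCANNER, None, TARGET, None, flags=None, frag_off=1),  # trailing fragment, no TCP header
    pkt(SCANNER, 80, TARGET, 139),                             # nmap -g 80: SYN from source port 80
] + [pkt(f"192.0.2.{i}", 40000 + i, TARGET, 22) for i in range(1, 6)] \
  + [pkt(SCANNER, 40010, TARGET, 22)]                          # nmap -D: decoys plus the real probe

def fragmented_probes(packets):
    """Indices of packets that are fragments of a larger datagram (MF set or non-zero offset)."""
    return [i for i, p in enumerate(packets) if p["mf"] or p["frag_off"] > 0]

WELL_KNOWN_SOURCE_PORTS = {20, 21, 53, 80, 443}

def spoofed_source_ports(packets):
    """SYNs whose source port is a well-known service port; real clients use ephemeral ports."""
    return [i for i, p in enumerate(packets)
            if p["flags"] == "S" and p["sport"] in WELL_KNOWN_SOURCE_PORTS]

def decoy_bursts(packets, min_sources=5):
    """Destination ports that received SYNs from at least min_sources distinct source addresses."""
    sources = defaultdict(set)
    for p in packets:
        if p["flags"] == "S":
            sources[(p["dst"], p["dport"])].add(p["src"])
    return {key: sorted(s) for key, s in sources.items() if len(s) >= min_sources}

if __name__ == "__main__":
    print("fragments:", fragmented_probes(SAMPLE))
    print("well-known source ports:", spoofed_source_ports(SAMPLE))
    print("possible decoy scan:", decoy_bursts(SAMPLE))
```

The decoy heuristic only says that the port was probed from many addresses; as the assignment notes, the capture alone cannot tell which of those addresses was the real scanner.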

2) Create custom packets using nmap to scan beyond the IDS/firewall
Ans) Here we will use Nmap to perform various scanning techniques such as appending
custom binary data, appending a custom string, appending random data, randomizing host
order, and sending bad checksums to scan the target host beyond the IDS/firewall.

Note: In this task, we are using the Windows 10 (10.10.1.10) machine as the host
machine and the Windows Server 2016 (10.10.1.10) machine as the target machine

Click on Windows 10 to switch to the Windows 10 machine and launch Linux

The Linux appears. In the command field, type the command nmap <Target IP Address>
--data 0xdeadbeef and click Scan. Note: Nmap uses --data <hex string> (here, 0xdeadbeef) to
send binary data (0s and 1s) as the payload in the sent packets to scan beyond firewalls.
The scan results appear, displaying all open TCP ports and services running on the target
machine, as shown in the screenshot.

In the command field, type the command nmap <Target IP Address> --data-string "Ph34r my
l33t skills" (here the target IP address is 10.10.1.16) and click Scan. Note: Nmap uses --data-string
<string> (here, "Ph34r my l33t skills") to send a regular string as the payload in the sent packets
to the target machine for scanning beyond the firewall

The scan results appear, displaying all open TCP ports and services running on the target
machine, as shown in the screenshot.

In the command field, type the command nmap --data-length 5 <target IP Address> (here, the
target IP address is 10.10.1.16) and click Scan. Note: Nmap uses --data-length <len> (here 5) to
append the given number of random data bytes to the packets sent, without any
protocol-specific payloads.

The scan results appear, displaying all open TCP ports and services running on the target
machine, as shown in the screenshot.

In the command field, type the command nmap --randomize-hosts <target IP address> (here,
the target IP address is 10.10.1.16) and click Scan. Note: Nmap uses --randomize-hosts to
scan the hosts in the target network in random order, so as to reach the intended target
that is beyond the firewall.
The scan results appear, displaying all open TCP ports and services running on the target
machine, as shown in the screenshot.

In the command field, type the command nmap --badsum <Target IP Address> and click
Scan. Note: Nmap uses --badsum to send packets with a bad or bogus TCP/UDP checksum
to the intended target to avoid certain firewall rulesets.

The scan results appear, showing that all ports are filtered, indicating that there is no
response or the packets are dropped; thus it can be inferred that the system firewall is
configured to verify the packet checksum.

This concludes the demonstration of creating custom packets using Nmap to scan beyond the
IDS/firewall.
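As an added example that is not part of the assignment, the following Python code performs the check the filtered result above implies the firewall is doing: it builds a minimal TCP SYN header, computes the RFC 1071 checksum over the IPv4 pseudo-header plus the segment, and shows that the correctly summed packet verifies while a copy with a deliberately wrong checksum (constructed here, not taken from Nmap's --badsum implementation) is rejected before any firewall rule is consulted. The addresses 10.10.1.10 (host) and 10.10.1.16 (target) and the ports are taken from or assumed for the lab setup.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, tcp_segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_segment)))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return ones_complement_sum(pseudo + zeroed)

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN header (no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         5 << 4, 0x02, 8192, 0, 0)   # data offset 5 words, SYN flag
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]

def badsum_syn(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """The same SYN with a bogus checksum, constructed by flipping bits of the real one."""
    good = build_syn(src_ip, dst_ip, sport, dport)
    wrong = struct.unpack("!H", good[16:18])[0] ^ 0x5A5A
    return good[:16] + struct.pack("!H", wrong) + good[18:]

def checksum_valid(src_ip: str, dst_ip: str, tcp_segment: bytes) -> bool:
    """What a checksum-verifying firewall or host stack does before looking at the ports."""
    stored = struct.unpack("!H", tcp_segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, tcp_segment)

if __name__ == "__main__":
    host, target = "10.10.1.10", "10.10.1.16"   # addresses from the assignment's lab note
    print("good packet accepted:", checksum_valid(host, target, build_syn(host, target, 40000, 445)))
    print("badsum packet accepted:", checksum_valid(host, target, badsum_syn(host, target, 40000, 445)))
```

A firewall that skips this check and matches rules on the port fields alone is the one the assignment's --badsum probe would get past; the all-filtered result shows this target's firewall does not.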
