How to evade firewall using Nmap

Nmap is known as the Swiss army knife of information security and networking tools, and it is perhaps the most used tool in the field. Although it is best known for port scanning, it supports a range of other operations, such as vulnerability scanning and brute-force attacks, depending on how deep one wants to go down the rabbit hole.

Today we are going to see how Nmap can be used to bypass a firewall.

Firewalls work by examining packets and handling them according to the rules configured on them. For example, if a rule allows traffic into the network only from a certain IP, the firewall drops traffic from every other IP. There are other ways to play with a firewall, such as choosing which TCP flags to send, but that is for another blog; today we shall see how a feature of nmap can be used to spoof another IP.

The power of nmap can be appreciated from the fact that a single command can be used to bypass the firewall. Say the IP allowed through the firewall is 1.2.3.4, your system's IP is 5.6.7.8, and you want to scan the system 9.10.11.12 to check whether port 80 is open. The command you can use is:

nmap -p 80 9.10.11.12 -D 1.2.3.4

The packets arriving at the firewall will carry a source IP of 1.2.3.4 in their header. Since the firewall has been told to allow packets from 1.2.3.4, you can get the status of port 80.

One thing that needs to be mentioned is that this command does not change the source IP in ALL of the packets: the -D option sends decoy probes alongside your real ones, so the firewall will see some packets coming from 1.2.3.4 and some from 5.6.7.8. However, it serves the purpose of getting information.
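The observation above, that a decoy scan still produces packets from the real source alongside the spoofed one, is also what makes it visible on the defending side. The Python below is an added example, not code from the original post: it reads firewall log lines and correlates SYN attempts from several different source IPs to the same destination port inside a short time window, which is the footprint such a scan leaves. The log format, field names and sample lines are constructed for this example and are not any particular firewall's format.

```python
"""Flag decoy-style port scans in firewall logs (added example, not from the original post).

Constructed log format (hypothetical, one event per line):
    <epoch_seconds> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>
"""
import re
from collections import defaultdict

# Constructed sample: 1.2.3.4 is the address the firewall allows (the decoy),
# 5.6.7.8 is the real scanner, and the 443 entries are ordinary traffic.
SAMPLE_LOG = """\
1700000000 ACCEPT src=1.2.3.4 dst=9.10.11.12 dport=80 flags=S
1700000000 DROP src=5.6.7.8 dst=9.10.11.12 dport=80 flags=S
1700000001 ACCEPT src=1.2.3.4 dst=9.10.11.12 dport=80 flags=S
1700000001 DROP src=5.6.7.8 dst=9.10.11.12 dport=80 flags=S
1700000030 ACCEPT src=10.0.0.5 dst=9.10.11.12 dport=443 flags=S
1700000090 ACCEPT src=10.0.0.6 dst=9.10.11.12 dport=443 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_decoy_clusters(log_text, window=5, min_sources=2):
    """Return clusters of initial SYNs where >= min_sources distinct IPs hit the
    same dst:port within `window` seconds. Each cluster records which sources the
    firewall accepted and which it dropped, so an allow-listed decoy address and
    a dropped real source show up side by side."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only bare SYNs (no ACK) are connection attempts worth correlating.
        if ev and "S" in ev["flags"] and "A" not in ev["flags"]:
            by_target[(ev["dst"], ev["dport"])].append(ev)

    clusters = []
    for (dst, dport), events in by_target.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            start = events[i]["ts"]
            j = i
            while j < len(events) and events[j]["ts"] <= start + window:
                j += 1
            group = events[i:j]
            sources = sorted({e["src"] for e in group})
            if len(sources) >= min_sources:
                clusters.append({
                    "dst": dst,
                    "dport": dport,
                    "first_seen": group[0]["ts"],
                    "last_seen": group[-1]["ts"],
                    "count": len(group),
                    "sources": sources,
                    "accepted_sources": sorted({e["src"] for e in group if e["action"] == "ACCEPT"}),
                    "dropped_sources": sorted({e["src"] for e in group if e["action"] == "DROP"}),
                })
                i = j  # skip past this cluster
            else:
                i += 1
    return clusters


if __name__ == "__main__":
    for c in find_decoy_clusters(SAMPLE_LOG):
        print(f"{c['dst']}:{c['dport']} probed by {c['sources']} "
              f"between {c['first_seen']} and {c['last_seen']} "
              f"(accepted: {c['accepted_sources']}, dropped: {c['dropped_sources']})")
```

The useful signal for a defender is the pairing of accepted and dropped probes to the same port at the same instant: an allow-listed address would not normally arrive in lockstep with an unknown one, so the dropped entries are worth alerting on rather than discarding. The window and source-count thresholds are starting points and should be tuned against the site's normal traffic.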

In the next blog we shall look at how nmap can be used for other tasks such as vulnerability scanning or brute forcing.
