Timing Technique
The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this technique is to send the packets gradually, spacing the probes out in time, so that they do not end up being detected by rate-based firewall/IDS thresholds.
In nmap we can launch a timing scan by specifying the -T option followed by a number ranging from 0 to 5. Increasing the value from T0 to T5 increases the speed of the scan.
◾ T0 — Paranoid
◾ T1 — Sneaky
◾ T2 — Polite
◾ T3 — Normal
◾ T4 — Aggressive
◾ T5 — Insane
Example
We will perform a sneaky scan (T1) and analyze its behavior in Wireshark:
nmap -T1
Wireshark Output
From the Wireshark output, you can clearly see the TCP packets being sent only after a certain time interval has elapsed since the previous one.
Target Enumeration and Port Scanning Techniques ◾ 115
Fragmented Packets
During fragmentation we split the packets into small chunks, making it harder for the IDS to detect them. They can get past some IDS because such an IDS inspects each fragment on its own rather than the reassembled packet, so it will not find anything suspicious in any single chunk. However, many modern IDS can rebuild the fragments into a single packet, making them detectable.
Example
nmap -f 192.168.15.1
Wireshark Output
This output shows us that the packets are divided into fragments carrying 8 bytes of data each.
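To make the fragmentation point concrete, here is an added Python example (not code from the book) that simulates what the -f option does to a single SYN probe and what a fragment-aware IDS must do to see through it. A 20-byte TCP SYN header is split into 8-byte fragments, as in the Wireshark output above; a naive inspector that looks at one fragment at a time never sees the TCP flags byte (byte 13 of the header) and so cannot classify the probe, while a reassembler that stitches the fragments back together in offset order recovers the full header. The Fragment structure, the port numbers and the sample header are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    offset: int    # fragment offset in 8-byte units, as carried in the IP header
    more: bool     # More Fragments (MF) flag
    payload: bytes


def build_syn_header(sport: int, dport: int) -> bytes:
    """Construct a minimal 20-byte TCP SYN header (constructed sample, checksum left zero)."""
    # fields: sport, dport, seq, ack, data offset (5 words), flags (SYN=0x02), window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)


def fragment(payload: bytes, chunk: int = 8) -> List[Fragment]:
    """Split a payload into fragments of `chunk` bytes, like nmap -f (8-byte chunks)."""
    assert chunk % 8 == 0, "IP fragment offsets are expressed in 8-byte units"
    frags = []
    for i in range(0, len(payload), chunk):
        frags.append(Fragment(i // 8, i + chunk < len(payload), payload[i:i + chunk]))
    return frags


def parse_tcp_header(data: bytes) -> Optional[Dict[str, int]]:
    """Decode the fixed TCP header; returns None when fewer than 20 bytes are available."""
    if len(data) < 20:
        return None
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "flags": flags, "syn": int(bool(flags & 0x02))}


def inspect_fragment_alone(frag: Fragment) -> Optional[Dict[str, int]]:
    """Naive IDS behaviour: judge each fragment in isolation, never reassembling."""
    if frag.offset == 0:
        return parse_tcp_header(frag.payload)   # 8 bytes is too short: flags byte is missing
    return None                                  # non-first fragments carry no header at all


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Fragment-aware IDS behaviour: rebuild the original packet from fragments in any order.

    Returns None when a fragment is missing, when fragments overlap, or when the last
    fragment still has MF set (an incomplete packet must not be classified as benign).
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered:
        return None
    buf = bytearray()
    expected = 0
    for f in ordered:
        if f.offset * 8 != expected:
            return None          # gap or overlap in the offset sequence
        buf += f.payload
        expected += len(f.payload)
    if ordered[-1].more:
        return None              # more fragments were announced but never arrived
    return bytes(buf)


if __name__ == "__main__":
    hdr = build_syn_header(40000, 80)
    frags = fragment(hdr)
    print("fragments:", [(f.offset, f.more, len(f.payload)) for f in frags])
    print("single-fragment view:", inspect_fragment_alone(frags[0]))
    print("reassembled view:", parse_tcp_header(reassemble(list(reversed(frags)))))
```

Running it shows three fragments (8, 8 and 4 bytes), a None verdict from the single-fragment inspector, and a decoded SYN to port 80 from the reassembled packet. Passing only the first two fragments to reassemble() returns None, which is the behaviour you want from a reassembly buffer: an incomplete packet is held, not waved through.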
Source Port Scan
It is very common for a network administrator to allow traffic from a certain source port. We can use this to our advantage to bypass badly configured firewalls. Common ports that we can specify as source are 53, 80, and 21.
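The two evasions described on this page, the slow timing scan and the source port scan, share a weakness from the defender's side: both leave a per-source pattern in connection logs that a simple packets-per-second threshold misses but a per-source tally does not. The following added Python example (not from the book) runs three detectors over a constructed SYN log: a classic one-second rate threshold, which the T1-paced scan slips under because its probes are spaced about 15 s apart, a slow-scan detector that counts distinct destination ports per source over a long window regardless of rate, and a check for unsolicited SYNs that claim a trusted service source port (53, 80 or 21) toward many destination ports. The log format, the host addresses and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TRUSTED_SOURCE_PORTS = {21, 53, 80}   # ports a misconfigured firewall might trust as source


@dataclass
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> List[Conn]:
    """Parse constructed log lines of the form 'ts src:sport -> dst:dport SYN'."""
    out = []
    for line in text.strip().splitlines():
        ts, src, _arrow, dst, _flag = line.split()
        sip, sp = src.rsplit(":", 1)
        dip, dp = dst.rsplit(":", 1)
        out.append(Conn(float(ts), sip, int(sp), dip, int(dp)))
    return out


def rate_alerts(conns: List[Conn], max_per_second: int = 5) -> Set[str]:
    """Classic threshold: more than N SYNs from one source inside any one-second bucket."""
    buckets: Dict[Tuple[str, int], int] = defaultdict(int)
    for c in conns:
        buckets[(c.src, int(c.ts))] += 1
    return {src for (src, _sec), n in buckets.items() if n > max_per_second}


def slow_scan_alerts(conns: List[Conn], min_ports: int = 10, window: float = 3600.0) -> Dict[str, int]:
    """Count distinct destination ports per source within a long window; rate is irrelevant."""
    per_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        per_src[c.src].append(c)
    hits = {}
    for src, lst in per_src.items():
        lst.sort(key=lambda c: c.ts)
        ports = {c.dport for c in lst if c.ts - lst[0].ts <= window}
        if len(ports) >= min_ports:
            hits[src] = len(ports)
    return hits


def fixed_source_port_alerts(conns: List[Conn], min_ports: int = 5) -> Dict[Tuple[str, int], int]:
    """Flag a source that sends new SYNs from a trusted service port to many destination ports.

    Genuine DNS/HTTP/FTP traffic from those ports is a reply within an existing flow, not a
    burst of fresh SYNs fanning out across destination ports.
    """
    seen: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for c in conns:
        if c.sport in TRUSTED_SOURCE_PORTS:
            seen[(c.src, c.sport)].add(c.dport)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_ports}


def _lines(src: str, sport: int, start: float, ports: List[int], gap: float) -> List[str]:
    return [f"{start + i * gap:.1f} {src}:{sport} -> 192.168.15.1:{p} SYN" for i, p in enumerate(ports)]


# Constructed sample log: a T1-paced scan (one probe every 15 s), a fast scan hiding behind
# source port 53, and a legitimate client making two ordinary HTTPS connections.
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", 40000, 1000.0, [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445], 15.0)
    + _lines("10.0.0.9", 53, 2000.0, [22, 80, 135, 139, 445, 3389], 0.1)
    + _lines("10.0.0.7", 51234, 3000.0, [443, 443], 1.0)
)


def run_detectors(text: str = SAMPLE_LOG):
    conns = parse_log(text)
    return rate_alerts(conns), slow_scan_alerts(conns), fixed_source_port_alerts(conns)


if __name__ == "__main__":
    rate, slow, fixed = run_detectors()
    print("rate threshold caught:", rate)           # only the fast scanner
    print("distinct-port tally caught:", slow)      # the slow T1 scanner
    print("trusted-source-port abuse:", fixed)      # the source-port-53 scanner
```

The slow scanner at 10.0.0.5 never exceeds one SYN per second, so the rate detector stays silent, yet it touches 12 distinct ports and is the only host the distinct-port tally reports. The fast scanner at 10.0.0.9 is caught twice: by rate, and because a "DNS server" does not open fresh connections to six different ports. Stateful firewall rules that only admit source port 53 traffic as a reply to an outbound query remove the second pattern entirely.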