Duration: 1.5 hours
Welcome to the seventh episode of our comprehensive Nmap course! In this module, we'll explore firewall and IDS evasion techniques - advanced methods that allow you to conduct thorough network scans while minimizing detection. These techniques are essential for comprehensive security testing and understanding the limitations of security controls.
In the digital world, sometimes being seen is the difference between success and failure. Security systems are designed to detect scanning—but like a skilled operative, Nmap can move through networks while minimizing its footprint.
This cat-and-mouse game between scanning and detection is a crucial aspect of network security that both attackers and defenders need to understand. By the end of this module, you'll understand both sides of this technical chess match—how detection works and how evasion counters it—essential knowledge for comprehensive security assessment.
The techniques covered in this module should only be used with proper authorization. Using evasion techniques without permission may violate computer crime laws and organizational policies. These skills are presented for legitimate security testing and educational purposes only.
Before we can discuss evasion, we need to understand how scanning is detected. Network security systems use several mechanisms:
Signature-based detection: Security devices maintain databases of known scan patterns and alert when they detect matching traffic.
Threshold-based detection: When too many connection attempts occur in a short period, especially if many of them fail, security systems raise alerts.
Anomaly-based detection: Modern security systems build baselines of normal behavior and flag deviations from these patterns.
Stateful inspection: Firewalls and IDS systems track the state of connections and alert on violations of expected protocol behavior.
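To make the threshold rule concrete, here is an added example (not part of the course material) that runs a sliding-window scan detector over a constructed connection log. It flags a source that touches more than 20 distinct ports inside a 60-second window when most of those probes fail, and it shows why a probe every 15 seconds (the -T1 pace described later in this module) stays under that window until the window is widened. The log format, thresholds and addresses are all assumptions made for the example.

```python
"""Threshold-based port-scan detection over a constructed connection log.

Added example for this course page (not from the original material): models
the "too many connection attempts in a short period, many of them failing"
rule and shows how a slow scan slips under a fixed window.
"""
from collections import defaultdict

# Constructed sample records: (timestamp_seconds, src_ip, dst_port, tcp_state).
# A -T3/-T4 style burst: 30 ports in under a second, every probe answered RST.
FAST_SCAN = [(1.0 + i * 0.03, "10.0.0.5", 1000 + i, "RST") for i in range(30)]
# A -T1 style scan: the same 30 ports, one probe every 15 seconds.
SLOW_SCAN = [(100.0 + i * 15.0, "10.0.0.9", 1000 + i, "RST") for i in range(30)]
# A benign client: a few successful connections to normal services.
BENIGN = [(5.0, "10.0.0.7", 443, "SYN_ACK"), (6.0, "10.0.0.7", 80, "SYN_ACK"),
          (7.5, "10.0.0.7", 22, "SYN_ACK")]


def detect_scanners(records, window=60.0, port_threshold=20, fail_ratio=0.8):
    """Return {src_ip: (distinct_ports, failures)} for every source that
    reaches more than `port_threshold` distinct destination ports within some
    `window`-second span, with at least `fail_ratio` of those probes failing
    (anything other than SYN_ACK counts as a failure here)."""
    by_src = defaultdict(list)
    for ts, src, dport, state in records:
        by_src[src].append((ts, dport, state))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best_ports, best_failures = 0, 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            ports = {dport for _, dport, _ in win}
            failures = sum(1 for _, _, st in win if st != "SYN_ACK")
            if len(ports) > best_ports and failures >= fail_ratio * len(win):
                best_ports, best_failures = len(ports), failures
        if best_ports > port_threshold:
            alerts[src] = (best_ports, best_failures)
    return alerts


if __name__ == "__main__":
    log = FAST_SCAN + SLOW_SCAN + BENIGN
    print("60 s window:", detect_scanners(log))            # only the burst
    print("600 s window:", detect_scanners(log, window=600.0))  # both scans
```

The second call is the defender's counter to slow timing templates: a longer window (or a per-source counter that never resets) trades alert latency for coverage, which is why -T0 and -T1 help against naive per-minute thresholds but not against long-lived per-source state.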
Different types of firewalls detect scans in different ways:
Packet-filtering firewalls: Basic firewalls that check packet headers against a ruleset. They can block specific ports but typically don't inspect packet content.
Stateful inspection firewalls: Track the state of active connections and analyze packet contents. They can detect improper TCP flag sequences used in port scans.
Next-generation firewalls (NGFW): Combine traditional firewall functions with IDS/IPS features. They analyze traffic at the application layer and can detect sophisticated scans.
Web application firewalls (WAF): Specialized for web traffic. They focus on HTTP/HTTPS connections and on protecting web-based applications.
Effective evasion isn't about a single technique but a comprehensive strategy addressing multiple detection vectors:
The right combination depends on your specific goals and the security controls you're testing. Let's explore each approach in detail.
Nmap's timing options allow you to control the aggressiveness and speed of your scans. This is crucial for both avoiding detection and optimizing scan duration.
Nmap offers six built-in timing templates, from the stealthiest (T0) to the most aggressive (T5):
T0 (paranoid): Extremely slow scan that waits 5 minutes between sending packets. Designed to evade even the most sophisticated IDS.
sudo nmap -T0 192.168.1.1
T1 (sneaky): Very slow scan that waits 15 seconds between packets. Still very stealthy but more practical than T0.
sudo nmap -T1 192.168.1.1
T2 (polite): Slows down the scan to use less bandwidth and fewer target machine resources. Waits 0.4 seconds between packets.
sudo nmap -T2 192.168.1.1
T3 (normal): The default timing template. Balances speed with reliability. No deliberate delays.
sudo nmap -T3 192.168.1.1
T4 (aggressive): Speeds up scans by assuming you're on a reliable, fast network. May overwhelm slow hosts.
sudo nmap -T4 192.168.1.1
T5 (insane): Prioritizes speed over accuracy. Sacrifices comprehensive results for faster scanning. Easy to detect.
sudo nmap -T5 192.168.1.1
For more precise control, you can adjust individual timing parameters:
Here's an example of fine-tuned timing parameters for a stealthy scan:
sudo nmap --max-rate 10 --scan-delay 1s --max-retries 1 --host-timeout 30m 192.168.1.1
And for a fast scan that emphasizes speed over reliability:
sudo nmap --min-rate 300 --max-retries 2 --min-parallelism 50 192.168.1.1
Packet manipulation techniques modify how packets are constructed and sent to evade pattern-based detection:
Packet fragmentation splits TCP headers across multiple IP packets, which can bypass some inspection systems:
# Fragment packets
sudo nmap -f 192.168.1.1
# Use smaller fragments
sudo nmap -ff 192.168.1.1
# Specify custom MTU (must be multiple of 8)
sudo nmap --mtu 24 192.168.1.1
Fragmentation works because some inspection systems don't reassemble fragments before analyzing them.
Decoy scanning generates noise by sending packets from spoofed IP addresses along with your real address:
# Use random decoys
sudo nmap -D RND:10 192.168.1.1
# Specify decoy addresses
sudo nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1
# Spoof the source address as well, so your real IP never appears among the decoys
# (replies go to 10.0.0.3, not to you, so results are only visible if you control that address)
sudo nmap -D 10.0.0.1,10.0.0.2 -S 10.0.0.3 192.168.1.1
This technique makes it harder to identify the true source of the scan among the decoy traffic.
Changing the length of packets can help evade pattern-based detection:
# Add random data to packets
sudo nmap --data-length 25 192.168.1.1
This adds random data to sent packets, making them look less like standard Nmap packets.
For maximum control, you can specify exactly what flags to use:
# Custom TCP scan with SYN-FIN flags
sudo nmap --scanflags SYNFIN 192.168.1.1
# Null scan (no flags)
sudo nmap -sN 192.168.1.1
# FIN scan
sudo nmap -sF 192.168.1.1
# Xmas scan (FIN, PSH, URG flags)
sudo nmap -sX 192.168.1.1
These unusual flag combinations may bypass security devices configured to look only for standard scan types.
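The two packet-level tricks above, splitting the TCP header across fragments and sending unusual flag combinations, can be seen together in one added example (not Nmap's code and not part of the original page). It builds a minimal 20-byte TCP header with no options and a zero checksum (an offline demonstration, nothing is transmitted), cuts it into 8-byte fragments the way -f does, and contrasts an inspector that examines each fragment on its own with one that reassembles first. The flags byte sits at offset 13, so with 8-byte fragments it is never in the first fragment, which is exactly the blind spot the text describes. The classifier also names the null, FIN, Xmas and SYN+FIN combinations a stateful device would flag on a packet that belongs to no established connection.

```python
"""Fragmented TCP headers versus per-fragment inspection, plus flag classification.

Added example for this course page (not Nmap's code). Header layout follows
RFC 793; fragment sizes mirror the -f / --mtu behaviour described above.
"""
import struct

# TCP flag bits, all living in header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header; checksum and urgent pointer left zero."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def fragment(payload, frag_size=8):
    """Split an IP payload into (byte_offset, chunk) pieces, as -f (8 bytes)
    or --mtu N would. Sizes must be multiples of 8 because the IP fragment
    offset field counts 8-byte units."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [(off, payload[off:off + frag_size])
            for off in range(0, len(payload), frag_size)]


def reassemble(fragments):
    """Rebuild the payload from (offset, chunk) pieces arriving in any order."""
    buf = bytearray()
    for off, chunk in sorted(fragments):
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def classify_flags(flags):
    """Name the probe type a stateful inspector would report for a packet
    that is not part of an established connection."""
    if flags == 0:
        return "null scan"
    if flags & SYN and flags & FIN:
        return "invalid SYN+FIN"
    if flags == FIN | PSH | URG:
        return "xmas scan"
    if flags == FIN:
        return "fin scan"
    if flags == SYN:
        return "syn"
    return "other"


def naive_inspect(fragments):
    """Per-fragment inspector: judges the first fragment alone and returns
    None when the flags byte (offset 13) is not inside it."""
    first = dict(fragments).get(0, b"")
    if len(first) < 14:
        return None
    return classify_flags(first[13])


def reassembling_inspect(fragments):
    """Inspector that reassembles before looking at the flags."""
    header = reassemble(fragments)
    return classify_flags(header[13])


if __name__ == "__main__":
    hdr = build_tcp_header(40000, 80, SYN | FIN)   # --scanflags SYNFIN probe
    frags = fragment(hdr, 8)                       # what -f produces
    print("fragments:", [(off, len(c)) for off, c in frags])
    print("naive inspector sees:", naive_inspect(frags))
    print("reassembling inspector sees:", reassembling_inspect(frags))
```

Note that with a bare 20-byte header, `--mtu 24` yields a single fragment, so the naive inspector sees the flags again; the larger MTU only splits packets that carry TCP options or payload. The defensive takeaway is the same one the text gives: inspect after reassembly, never per fragment.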
Nmap offers various techniques to evade firewall and IDS detection. Let's explore some of these methods:
Packet fragmentation splits TCP headers across multiple packets, which can bypass packet inspection systems that don't reassemble fragments before analyzing them.
sudo nmap -f 192.168.1.1
For greater fragmentation, use -ff to send even smaller fragments:
sudo nmap -ff 192.168.1.1
Alternatively, you can specify a custom MTU (Maximum Transmission Unit) with --mtu. The value must be a multiple of 8:
sudo nmap --mtu 16 192.168.1.1
Decoy scanning creates noise by making it appear that the scan is coming from multiple source IPs, obscuring the true source among the decoys:
sudo nmap -D 10.0.0.1,10.0.0.2,10.0.0.3,ME 192.168.1.1
This makes the scan appear to come from 10.0.0.1, 10.0.0.2, 10.0.0.3, and your actual IP (ME). You can also generate random decoys:
sudo nmap -D RND:10 192.168.1.1
This generates 10 random IP addresses as decoys.
Important Decoy Considerations
When using decoys, ensure that the decoy hosts are up and reachable. If they're not, it could slow down your scan or cause it to fail. Also, be careful not to implicate innocent third parties in your scanning activities.
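From the defender's side, a decoy scan has a signature of its own: every probe is repeated once per decoy address within a few milliseconds, so several "sources" hit the same target port in lock-step. The following added example (constructed events, not part of the course material) groups probes by destination port and reports source sets that arrive together across several ports. It cannot name the real scanner, which is the point of the technique, but it makes the decoy cluster itself visible so the whole set can be investigated or rate-limited together. Addresses, gap and minimum counts are assumptions.

```python
"""Lock-step source clustering: a detection signature for -D decoy scans.

Added example for this course page (constructed data, not Nmap's code).
"""
from collections import defaultdict

# Constructed events: (timestamp_seconds, src_ip, dst_ip, dst_port).
TARGET = "192.168.1.1"
DECOY_SET = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]  # one is the real scanner

DECOY_SCAN = []
for i, port in enumerate((22, 80, 443, 3389, 8080)):
    t0 = 10.0 + i * 0.5
    for j, src in enumerate(DECOY_SET):
        # Each probe goes out once per decoy, 2 ms apart.
        DECOY_SCAN.append((t0 + j * 0.002, src, TARGET, port))

# Ordinary traffic: unrelated clients reaching port 443 seconds apart.
BACKGROUND = [(20.0, "10.0.1.1", TARGET, 443), (23.0, "10.0.1.2", TARGET, 443),
              (27.0, "10.0.1.3", TARGET, 443)]


def _record(cluster, port, groups, min_sources):
    """Remember a cluster's source set if it is large enough to be suspicious."""
    sources = frozenset(src for _, src in cluster)
    if len(sources) >= min_sources:
        groups[sources].add(port)


def find_lockstep_clusters(events, gap=0.05, min_sources=3, min_ports=3):
    """Return {frozenset(sources): [ports]} for groups of at least
    `min_sources` distinct sources that probe the same (dst, port) within
    `gap` seconds of each other, on at least `min_ports` different ports."""
    by_key = defaultdict(list)
    for ts, src, dst, port in events:
        by_key[(dst, port)].append((ts, src))

    groups = defaultdict(set)
    for (dst, port), probes in by_key.items():
        probes.sort()
        cluster = [probes[0]]
        for prev, cur in zip(probes, probes[1:]):
            if cur[0] - prev[0] <= gap:
                cluster.append(cur)      # still inside the burst
            else:
                _record(cluster, port, groups, min_sources)
                cluster = [cur]          # burst ended, start a new one
        _record(cluster, port, groups, min_sources)

    return {srcs: sorted(ports) for srcs, ports in groups.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for sources, ports in find_lockstep_clusters(DECOY_SCAN + BACKGROUND).items():
        print("lock-step sources", sorted(sources), "on ports", ports)
```

Because every address in the cluster is equally suspect, the sensible response is to treat the group as one event rather than to block the first address seen; as the text notes, the decoy addresses may belong to uninvolved third parties.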
You can route your Nmap scans through proxies or spoof your MAC address:
sudo nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
You can also use --spoof-mac 0 for a random MAC, or --spoof-mac Apple, --spoof-mac Cisco, etc., for vendor-specific MACs. A spoofed MAC is only visible on the local network segment, since each router rewrites the source MAC when it forwards the frame.
First, ensure Tor is installed and running, then use ProxyChains with Nmap:
sudo proxychains nmap -sT -Pn 192.168.1.1
Note that only TCP connect scans (-sT) work reliably through proxies.
Some firewalls and IDS inspect the size of packets. By appending random data to packets, you may evade signature-based detection:
sudo nmap --data-length 200 192.168.1.1
This adds random data to sent packets, making them look less like typical scan packets.
When scanning multiple hosts, randomizing the order can make the scan pattern less obvious:
sudo nmap --randomize-hosts 192.168.1.0/24
The idle scan (-sI) is one of Nmap's most sophisticated techniques. It uses a zombie host to perform the scan, making the scan completely blind:
sudo nmap -sI zombie_host:port target_host
This technique requires an idle "zombie" host with predictable IP ID sequences, which is increasingly rare on modern systems.
Many firewalls have rules that allow traffic from specific source ports, particularly those associated with common services. By manipulating the source port, you can sometimes bypass these filters.
Some commonly trusted source ports include:
To specify a source port:
sudo nmap --source-port 53 192.168.1.1
This example uses DNS (port 53) as the source port, which is often allowed through firewalls for DNS queries.
Combining with a SYN scan for better results:
sudo nmap -sS --source-port 443 192.168.1.1
Real-World Application
In penetration testing engagements, trying different source ports can sometimes reveal filtering inconsistencies. If a firewall rule allows outbound HTTP traffic, using port 80 as your source port might allow your scan through the firewall, revealing information that would otherwise be hidden.
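The filtering inconsistency described here comes from a rule that trusts a source port instead of connection state. The added example below (a simulation written for this page, not any firewall's code) evaluates constructed packets against two policies: the weak one admits any inbound packet whose source port is 53, which is exactly what a probe sent with --source-port 53 slips through, while the stateful one admits traffic from port 53 only when it answers a query the protected host actually sent. The addresses and ports in the scenario are assumptions.

```python
"""Source-port trust: a static rule beside its stateful replacement.

Added example for this course page (simulation only). The stateful policy
mirrors what a stateful firewall does for DNS: remember the outbound query,
admit only the matching reply.
"""


def packet(direction, proto, src, sport, dst, dport):
    """Constructed packet record; direction is 'in' (toward the protected
    host) or 'out' (sent by it)."""
    return {"dir": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


# Assumed addresses for the scenario.
HOST = "192.168.1.1"        # protected host
RESOLVER = "192.168.1.53"   # its DNS server
SCANNER = "203.0.113.10"    # external scanner using --source-port 53

SCENARIO = [
    packet("out", "udp", HOST, 51234, RESOLVER, 53),   # legitimate DNS query
    packet("in", "udp", RESOLVER, 53, HOST, 51234),    # its reply
    packet("in", "tcp", SCANNER, 53, HOST, 22),        # probe dressed as DNS
    packet("in", "tcp", SCANNER, 53, HOST, 3389),      # another such probe
]


def static_policy(pkt):
    """Weak rule set: outbound allowed; inbound allowed whenever the source
    port is 53, regardless of protocol, destination port or prior traffic."""
    if pkt["dir"] == "out":
        return "allow"
    return "allow" if pkt["sport"] == 53 else "deny"


class StatefulPolicy:
    """Inbound port-53 traffic is admitted only as the reply to an outbound
    query recorded earlier (same protocol, mirrored addresses and ports)."""

    def __init__(self):
        self.pending = set()

    def __call__(self, pkt):
        if pkt["dir"] == "out":
            if pkt["dport"] == 53:
                self.pending.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"]))
            return "allow"
        expected = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"])
        if pkt["sport"] == 53 and expected in self.pending:
            self.pending.discard(expected)   # one reply per query
            return "allow"
        return "deny"


def run(policy, packets):
    """Apply a policy to the packets in order and return the decisions."""
    return [policy(p) for p in packets]


if __name__ == "__main__":
    print("static  :", run(static_policy, SCENARIO))
    print("stateful:", run(StatefulPolicy(), SCENARIO))
```

The same reasoning applies to port 20 (FTP data), 80 and 443: a rule keyed on the remote port alone is a bypass, while a rule keyed on the connection the local host initiated is not.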
Idle scanning uses a zombie host to perform a completely blind scan:
# Basic idle scan
sudo nmap -sI zombie_host.philocyber.com 192.168.1.1
# Idle scan with specific port on zombie
sudo nmap -sI zombie_host.philocyber.com:80 192.168.1.1
This technique bounces scans off an idle "zombie" host, making the scan appear to come from that host instead of yours.
Requirements for a good zombie host:
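The requirement the text emphasizes is a predictable IP ID sequence. Nmap probes this itself, but as an added example (not Nmap's ipidseq logic, though built on the same idea) the function below classifies a list of IP identification values observed in successive replies from one host. A plainly incremental counter is what an idle scan needs; a constant (per-flow) or randomized sequence defeats it, which is what a defender wants to confirm about their own exposed hosts. The sample sequences and the step thresholds are assumptions.

```python
"""Classify an observed IP ID sequence for idle-scan suitability.

Added example for this course page (not Nmap's code). Input: the IP ID
field of three or more replies received from one host in order.
"""


def classify_ipid(ids):
    """Return one of:
    'constant'            - every reply carries the same ID (per-flow or zero)
    'incremental'         - small positive steps, the classic usable zombie
    'incremental-by-256'  - counter incremented in the wrong byte order
                            (still predictable, still usable)
    'random'              - anything else
    Step limits (10 and 2560) are assumed bounds for an otherwise idle host."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    # IP ID is a 16-bit field, so differences wrap modulo 65536.
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if all(1 <= d <= 10 for d in diffs):
        return "incremental"
    if all(d % 256 == 0 and 256 <= d <= 2560 for d in diffs):
        return "incremental-by-256"
    return "random"


def usable_as_zombie(ids):
    """True when the sequence is predictable enough for an idle scan, i.e.
    the host is one a defender should fix or keep off exposed networks."""
    return classify_ipid(ids) in ("incremental", "incremental-by-256")


if __name__ == "__main__":
    # Constructed sample sequences.
    samples = {
        "global counter":    [4001, 4002, 4003, 4004],
        "byte-swapped ctr":  [0x0100, 0x0200, 0x0300],
        "per-flow / zero":   [0, 0, 0, 0],
        "randomized":        [48321, 1920, 60011, 7, 31000],
    }
    for name, ids in samples.items():
        print(f"{name:18s} -> {classify_ipid(ids):20s} zombie={usable_as_zombie(ids)}")
```

A host that classifies as 'incremental' in this sense is also one whose IP ID leaks how much traffic it handles, so the fix on the defending side is the same in both cases: randomized or per-destination IP IDs, which current operating systems provide by default.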
Some FTP servers allow "bounce" attacks that can be used for scanning:
# FTP bounce scan
sudo nmap -b username:password@ftp.philocyber.com 192.168.1.1
This technique is rarely useful today, as most FTP servers disable this functionality.
For maximum evasion, combine multiple techniques based on the specific environment:
# Comprehensive stealth scan
sudo nmap -sS -T1 -f --randomize-hosts --data-length 15 \
    --max-retries 1 --max-scan-delay 500ms 192.168.1.0/24
This approach:
In the next episode, we'll explore:
1. Which Nmap timing template is the most aggressive and fastest?
2. What does the "-f" option do in Nmap?
3. Which command would you use to make your scan appear to come from multiple source IPs?
4. When would you use the "--source-port 53" option?
5. Which Nmap option outputs scan results in multiple formats simultaneously?