How to Bypass a Target's Defenses and Intrusion Prevention Systems in Ethical Hacking

Hello everybody and welcome back. Before we begin with the options for this part of the tutorial, I just want to show you the output of the previous scan that we did. As we can see, it discovered a port that is different from the port that the three previous scans got us, which was, I believe, port 5357 or something like that, a TCP port. Instead of that, we got an open UDP port, netbios-ns, which runs on 137 on our laptop machine.

So you might notice that the UDP scan basically just gives you the output for UDP ports which makes sense. It will basically give you any UDP port which is open. For example it could be this NetBIOS, it could be your DNS or anything that is running over UDP.

This option right here will give you open UDP ports.

So now that we covered that, we have covered the full three-way TCP handshake scan, the SYN scan, which is only the first part of the three-way TCP handshake, and the UDP scan.

Now that we covered all of those options I want to show you how you can avoid some of the defenses that your target might have and how you can avoid your IPS.

So for example, the first thing you might want to do if your target is blocking your Nmap scan or you can't get any output is to try the -sA option. Now, as I said in the previous video, -sA is listed where the TCP scans are, since the 'A' stands for ACK, which is the last part of the three-way TCP handshake.

As you can see right here it is the third option and it stands for ACK.

Now, I deleted the drawing that I did before since it was really bad. Let me just draw it once again.

This is the PC.A and this is the PC.B and from A we want to scan B.

But let's say you try to perform a three-way TCP handshake. So it goes like this: you send a SYN, then this machine sends a SYN-ACK, and once again you send an ACK right here. This last one is only the ACK.

I really do encourage you to read more about TCP handshakes since this can be a little bit confusing if you don't know what I am talking about. But basically the method behind this is that -sA, which sends only the last part of the TCP handshake, can be used to bypass some of the rules of your router.

For example, suppose there is a rule that allows SYN packets only from the internal network. Let's say this is some website that will only allow full three-way TCP handshakes, or SYN packets, which are the first part of the TCP handshake, from the internal network, so basically only from the machines that are on its local network. You, as someone coming from the internet and sending a SYN packet from outside that local network, will get blocked.

And if that rule really exists on the target machine, you can trick it by sending only the ACK, which is the last part of the three-way TCP handshake. This will trick the router or the website into thinking that it is an answer to a previous packet with the SYN bit set.

So let's say this router is connected to some of the other devices on its local network. Now, pardon me for my really bad drawing right here, but basically this circle right here represents the internal network of this machine, and it will only accept the three-way handshake or SYN packets from the machines that are on its local network.

And you, as someone coming from the outside trying to send the SYN packet, will get blocked. So if you only send the ACK packet without first sending the packet with the SYN bit set, it might trick the router into thinking that this ACK is an answer to a previous SYN that one of the local machines sent.

So in order to do that you just type here nmap -sA and then the IP address of your router.

So basically you use this option if packets with the SYN bit set are blocked on the target machine.

Now, this is not that common to see so you won’t be needing it that much, but it can happen.

Now, the next thing you might want to specify is the source port that your packets are sent from. By default, Nmap sets the port from which you send the packets to the machine. It can be any port. I believe Nmap picks it randomly at the beginning of the scan, and that can be a problem when the target only allows packets from specific ports.

Now, what I mean is, let's say for example you run an Nmap scan from this machine and it uses port 333 for the outgoing scan, which is a randomly assigned port on your machine. But once it gets to the target machine, there is a rule on the target machine that it will only accept packets from certain source ports, for example 80.

So your packets, no matter which type of option you specify, whether it is the UDP scan, the ACK scan, the SYN scan or the full TCP scan, will get blocked since they are not coming from the allowed source port, which is port 80.

So in order for you to be able to scan this target you need to specify the port which it allows the packets to come from. It will usually be one of the known ports, for example port 53 for DNS, port 25, port 80 or port 8080. It can be any of those widely known ports but it can also be any other random port, so you will need to find it out by yourself. But once you do find that out by yourself, you can just type here --source-port and then the number of the source port. For example, let's say the source port is 80 and then we type here the IP address of our target machine.

And as we can see right here, “IP address (0 hosts up)”. Not really sure why that happens. As we can see right here, “Host seems down. If it is really up, but blocking our ping probes, try -Pn”. So let us just try -Pn, which we covered in the previous tutorial, but for some reason it doesn't want to show us that the host is up.

Let me just see right here if I correctly specified this option --source-port.

I believe it is, but let us check once again where it could be. Now, maybe they changed this option. I thought it was --source-port and it didn't give us any error so I believe it still is, but for some reason our host is appearing to be down. But we won't be really wasting our time on that.

So basically let us recap. You use the --source-port option when your target is only allowing packets to come from certain ports. For example, as we saw, 80.
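Seen from the defending side, both the ACK-only packet and the chosen source port described above get through only when the filter judges each packet on its own. The following added example, which is not part of the original tutorial, models such a per-packet ruleset next to a connection-tracking filter on constructed packets; the names, the 192.168.1.0/24 internal range and the outside addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

def is_internal(ip):
    return ip.startswith("192.168.1.")  # assumed internal network

def stateless_allows(p):
    """Weak per-packet rules of the kind the text describes."""
    if is_internal(p.src) or p.sport == 80:  # trusts a source port
        return True
    return p.flags != {"SYN"}  # only a bare outside SYN is blocked

class StatefulFilter:
    """Admits inbound segments only for flows opened from the inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        if p.flags == {"SYN"}:  # remember who started the connection
            self.flows.add((p.src, p.sport, p.dst, p.dport))

    def allows_inbound(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def compare():
    fw = StatefulFilter()
    fw.outbound(pkt("192.168.1.20", 50000, "203.0.113.10", 80, "SYN"))
    inbound = {  # constructed sample traffic
        "reply to inside client": pkt("203.0.113.10", 80, "192.168.1.20", 50000, "SYN", "ACK"),
        "unsolicited ACK": pkt("198.51.100.7", 40000, "192.168.1.8", 5357, "ACK"),
        "SYN from source port 80": pkt("198.51.100.7", 80, "192.168.1.8", 5357, "SYN"),
        "plain outside SYN": pkt("198.51.100.7", 40000, "192.168.1.8", 5357, "SYN"),
    }
    return {name: (stateless_allows(p), fw.allows_inbound(p)) for name, p in inbound.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:26} stateless={stateless!s:5} stateful={stateful}")
```

The connection-tracking filter rejects the unsolicited ACK and the port-80 SYN because neither matches a flow opened from the inside, while the genuine reply still passes.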

So let me just write right here --source-port 192.168.1.8 and let us continue to the next step in order to bypass some of the detection problems, which could be the data length.

Now, Nmap by default sends packets of a specific size. I'm not really sure what the size is, but I believe it sends the same sized packets every time. So some of the defenses today have rules to deny packets that are of the standard Nmap size. Basically, what that means is that every time Nmap sends packets it sends them with the same size, and if someone knows that Nmap exists, they can make a rule that says basically block any packet that is the size of the standard Nmap packet.

Now, to bypass this detection system you can configure different packet sizes with the option --data-length. So let us try that one out. If we type here nmap and then --data-length and we specify for example 50 and we type here the IP address, it didn't give us any error, so it means that the syntax of the command is correct.

So this is taking a little bit of time. It should give us the correct output once it finishes. Now, of course you don't have to specify only this option. When you scan, you can specify a bunch of options including this one. So you can basically combine all three of these into one scan which will bypass all three of these detection problems: the first one is the blocking of packets with the SYN bit set, the second one is the blocking of specific ports, and the third one is the blocking of the standard Nmap packet size. So we will cover one more in order to bypass the detection and defense.

Right here we have the output of the scan. As we can see it performed correctly and we have one open port, which is TCP, and the service running is wsdapi.

So let us continue on to the next one which would be the spoofing of your MAC address.

Now, long ago, in one of the first tutorials, we covered how to change our MAC address. You can use that as well, but Nmap gives us its own option to spoof our MAC address. As we can see if we type here nmap, I believe it will show us the option right here. I am not really sure if it is listed.

Yes, it is right here. We can also see the data length command and the source port.

Let me just try here with -g, as it says that it is the same as --source-port. It didn't work for us, so let me just type here nmap -g and then port 80 and then 192.168.1.8.

Let us see if the host is up right now, and it is up. So basically instead of this option --source-port you can use -g and then specify the port, of course.

So that’s good. I didn’t know that existed, but let us not care about that at the moment. At the moment we want to spoof our MAC address with this command.

As we can see, the syntax is --spoof-mac and then we add the MAC address right here.

You can add other options as well, such as a prefix or vendor name, but we'll just type here the MAC address. And we can see that the description for this option is 'Spoof your MAC address', so let us do that. The source port scan finished, so let us just clear the screen and type here nmap --spoof-mac, I believe that was the option, and you type the MAC address that you want to fake.

So let me just save this and, to show you, let us use macchanger. We covered it before. You type here --show and then the network interface in order to see your current MAC address.

So this is the format of the MAC address. You can see it consists of six parts that are separated by colons.

So you can just type here 22:33:44:55:66:77, and right here we type the IP address of our target. And as you can see right here, it says “Spoofing MAC address 22:33:44:55:66:77 (No registered vendor)” and “Host seems down. If it’s really up, but blocking our ping probes, try -Pn”.

Now, for some reason it seems that the host is down with that option. It could be because we didn’t really specify these two options, but I doubt really.

We won't really bother with that right now. I just want you to know about that option. For example, it is used if this machine right here allows packets to come only from certain MAC addresses.

It can be used as a black list or as a white list. This machine can have a black list where it blocks some MAC addresses, and some of those could be yours as well. Or it could have a white list where it only allows certain MAC addresses.

Now, most likely it will have a white list where it will allow only trusted devices with their MAC addresses, and in order for you to be able to send packets to this machine, you need to spoof the MAC address of a trusted device that this target machine has specified in its white list.

And once you do that with the --spoof-mac option, you will be able to send packets to and receive packets from the target machine.

So let us type right here --spoof-mac and then you basically just type here 33:44:55:66:77. It doesn't have to be this MAC address; you can basically specify any address you want. And right here you type the IP address of your target or the host name.

So that would be about it for avoiding defenses and IPS. These four things can be useful if your target has specified some rules in order to block your scans.

But you will find that targets rarely use any of these rules to prevent you from scanning them. If it happens, though, you can use these options that we covered in this video. Now, in the next video I will show you what Nmap scripts are, how to get to them and how to use them. So I hope you are enjoying this tutorial and I hope I see you in the next one. Bye.

Love,

Jerry Banfield.