
Bypassing Basic Firewalls During Scanning

Cyber Security Mastery: From Zero to Hero

Evading Detection

Firewalls and packet filters drop, or at least log, scan traffic they can recognise. During an authorised assessment the tester may need evasion techniques to get probes through to the hosts behind them. Each technique below defeats only a particular class of filter, usually a stateless or badly configured one; a modern stateful firewall or IDS often sees straight through it, and several of the options can also be logged as evasion attempts in their own right.

Common Evasion Tactics

  1. Decoy Scanning (-D): (Covered in Lesson 70) Mixes the real probes with identical probes carrying spoofed source IPs, so the attacker's address is one among many in the target's logs. The real address still has to appear, because its replies are what Nmap reads; decoys obscure the origin rather than hide it.
  2. Source Port Manipulation (--source-port, also -g): Some stateless or poorly written rule sets allow any inbound packet whose source port belongs to a service they expect replies from, classically 53 (DNS) or 20 (FTP data), instead of tracking connections. Sending probes from such a source port can slip past those filters. A stateful firewall matches on connection state rather than source port and is not fooled.
  3. Idle Scan (-sI): An indirect scan that relays through a third-party 'zombie' host. Nmap sends the target a SYN with the zombie's address spoofed as the source, so any reply goes to the zombie, and infers the port state from how far the zombie's IP ID counter advanced: an open port makes the target answer the zombie with a SYN/ACK, which the zombie rejects with a RST (consuming one IP ID), while a closed port draws a RST that the zombie silently ignores. The target only ever sees the zombie's address.
    • Note: Hard to perform successfully. The zombie must assign IP IDs from a single global counter that increments by one per packet, and it must send almost no other traffic, since any background packets corrupt the measurement. The scan also cannot distinguish closed ports from filtered ones, which Nmap reports as closed|filtered.
  4. Packet Fragmentation (-f): Splits the TCP header across several small IP fragments (8 bytes of payload each with -f, 16 with -ff; --mtu sets another multiple of 8) so that a filter which inspects only the first fragment never sees the complete header. With 8-byte fragments the source and destination ports are in the first fragment but the TCP flags byte is not, so a rule written against SYN packets has nothing to match. Filters that reassemble before inspecting, or that drop undersized initial fragments, are unaffected, and some hosts and intermediate devices discard fragments outright.
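The source-port and fragmentation tactics (items 2 and 4) both exploit the same weakness: a filter that decides on a single packet, or on part of one, instead of on the reassembled connection. The toy model below is an added example for this lesson, not Nmap code or a real firewall; `legacy_filter`, `hardened_filter`, the allowed-service set and the probe helper are all constructed here. It builds a real 20-byte TCP header, fragments it the way `-f` (8-byte) and `-ff` (16-byte) do, and runs the fragments through a stateless filter with the two classic flaws beside one that reassembles first and ignores the source port.

```python
import struct
from dataclasses import dataclass

TCP_SYN = 0x02

# Services the toy firewall is meant to expose (constructed policy for the example).
ALLOWED_SERVICES = {80, 443}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header with no options (data offset 5)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp(header):
    """Return (sport, dport, flags); needs at least the first 14 header bytes."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", header[:14])
    return sport, dport, flags


@dataclass
class Fragment:
    offset: int   # byte offset of this piece within the transport payload
    more: bool    # IP "more fragments" bit
    data: bytes


def fragment(payload, size=None):
    """Split a transport payload into IP fragments of `size` bytes.
    size=8 models nmap -f, size=16 models -ff; None sends it unfragmented."""
    if size is None:
        return [Fragment(0, False, payload)]
    assert size % 8 == 0, "IP fragment payloads are multiples of 8 bytes"
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(i * size, i < len(pieces) - 1, p) for i, p in enumerate(pieces)]


def legacy_filter(fragments):
    """Stateless filter with two classic weaknesses: it inspects only the
    first fragment of a datagram (later fragments pass untouched), and it
    trusts anything whose source port is 53, as if it were a DNS reply."""
    first = fragments[0].data
    if len(first) < 14:
        # Header split by -f: the ports are here, but the flags byte (offset 13)
        # sits in the next fragment, so the SYN rule below can never match.
        return "allow"
    sport, dport, flags = parse_tcp(first)
    if sport == 53:
        return "allow"
    if flags & TCP_SYN and dport not in ALLOWED_SERVICES:
        return "drop"
    return "allow"


def reassemble(fragments):
    buf = bytearray(sum(len(f.data) for f in fragments))
    for f in fragments:
        buf[f.offset:f.offset + len(f.data)] = f.data
    return bytes(buf)


def hardened_filter(fragments):
    """Reassembles before inspecting, refuses an initial fragment too short
    to carry a full TCP header, and ignores the source port entirely."""
    first = fragments[0]
    if first.more and len(first.data) < 20:
        return "drop"
    _sport, dport, flags = parse_tcp(reassemble(fragments))
    if flags & TCP_SYN and dport not in ALLOWED_SERVICES:
        return "drop"
    return "allow"


def scan_probe(sport, dport, frag_size=None):
    """One SYN probe, optionally fragmented, pushed through both filters.
    Returns (legacy verdict, hardened verdict)."""
    frags = fragment(build_tcp_header(sport, dport, TCP_SYN), frag_size)
    return legacy_filter(frags), hardened_filter(frags)


if __name__ == "__main__":
    for label, args in [("plain SYN to 22", (40000, 22)),
                        ("SYN to 22 from sport 53", (53, 22)),
                        ("SYN to 22, -f fragments", (40000, 22, 8)),
                        ("SYN to 22, -ff fragments", (40000, 22, 16))]:
        print(f"{label:28s} legacy={scan_probe(*args)[0]:5s} hardened={scan_probe(*args)[1]}")
```

Two details worth noticing when you run it: the `-ff` case (16-byte fragments) does not get past even the legacy filter, because the flags byte is back in the first fragment, which is why `-f` is the option that matters against first-fragment-only inspection; and the hardened filter's "drop undersized initial fragment" rule rejects the evasion before it even has to reassemble.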
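The idle scan (item 3) is easier to trust once you have seen the IP ID arithmetic. The simulation below is an added example for this lesson, not Nmap's implementation; the `Zombie` and `Target` classes, the `noise` knob and `idle_scan_port` are constructed here. It models the three packets Nmap exchanges per port and shows both the working case and the failure mode from the note: a zombie that is not idle pushes the counter by an amount the scan cannot interpret.

```python
class Zombie:
    """Host with a single global IP-ID counter that increments by one per
    packet sent, which is the property the idle scan depends on."""

    def __init__(self, start_ip_id=1000, noise=0):
        self.ip_id = start_ip_id
        self.noise = noise  # unrelated packets sent per probe interval (0 = truly idle)

    def emit(self):
        """Send one packet: consume and return the next IP ID."""
        self.ip_id = (self.ip_id + 1) & 0xFFFF
        return self.ip_id

    def receive(self, segment):
        """TCP/IP stack behaviour for an unsolicited segment."""
        if segment == "SYN/ACK":
            return self.emit()      # no such connection: reply with RST (uses an IP ID)
        if segment == "RST":
            return None             # unsolicited RST is dropped silently, nothing sent
        raise ValueError(segment)

    def background_traffic(self):
        """Packets a busy (non-idle) zombie sends between the attacker's probes."""
        for _ in range(self.noise):
            self.emit()


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, reply_to):
        """Handle a SYN whose (spoofed) source address is `reply_to`."""
        if port in self.filtered_ports:
            return                       # firewall drops it: nobody hears anything
        if port in self.open_ports:
            reply_to.receive("SYN/ACK")  # the target answers the zombie, not the attacker
        else:
            reply_to.receive("RST")


def probe_zombie(zombie):
    """Attacker sends the zombie a SYN/ACK and reads the IP ID of its RST."""
    return zombie.receive("SYN/ACK")


def idle_scan_port(target, zombie, port):
    """One port of an idle scan: probe, spoofed SYN, probe, compare IP IDs."""
    before = probe_zombie(zombie)
    zombie.background_traffic()
    target.receive_syn(port, reply_to=zombie)   # spoofed SYN, source = zombie
    zombie.background_traffic()
    after = probe_zombie(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                # our probe + the RST the zombie sent the target
    if delta == 1:
        return "closed|filtered"     # only our probe: the idle scan cannot separate these
    return "unreliable"              # zombie was not idle, or its IP IDs are not sequential


if __name__ == "__main__":
    target = Target(open_ports={80}, filtered_ports={443})   # constructed target
    quiet = Zombie()
    for port in (80, 22, 443):
        print(f"port {port}: {idle_scan_port(target, quiet, port)}")
    print(f"busy zombie, port 80: {idle_scan_port(target, Zombie(noise=3), 80)}")
```

Real Nmap sends several probes per port and checks the zombie's IP ID behaviour before scanning (use `-v` with `-sI` to see that check); the one-shot comparison here is the core idea, and the `noise` parameter is why a web server or mail relay makes a useless zombie.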