The TCP SYN scan is the original stealth scan. Because the attacker does not complete the TCP three-way handshake, the connection attempt is less likely to be logged. Here is an Nmap stealth scan example:

nmap -sS 192.167.1.50

Today, any good IDS will recognize this type of scan. Nmap has other ways to be stealthy. The following table summarizes common evasion methods used by Nmap.

Stealth Option | Example | Description
--- | --- | ---
-sS | nmap -sS 192.168.1.50 | The original "stealth" scan. Send a TCP SYN. If the target responds with a SYN/ACK, do not complete the handshake, but instead send a RST. This is less likely to be logged by the target.
-sA | nmap -sA 192.168.1.0/24 | Send a TCP ACK. Used to map out firewall rulesets, determine which ports are filtered, and whether a firewall is stateful or not.
-sN | nmap -sN 192.168.1.2-10 | Send a TCP segment with no flags set. This is not a normal state for TCP, which always has at least one flag (usually ACK) set. Used to sneak through a non-stateful firewall.
-sF | nmap -sF www.company.tld | Send a TCP FIN. Used to sneak through a non-stateful firewall.
-sX | nmap -sX 192.168.1.0/24 | Send a TCP segment with the FIN, PSH, and URG flags set, thus lighting up the packet "like a Christmas tree." This is an illogical combination. Used to sneak through a non-stateful firewall.
-Pn | nmap -Pn -p- 192.168.1.0/24 | Skip host discovery. Assume all hosts are online for the port scan. Useful if targets have their firewall up and only offer services on unusual ports.
-sI <zombie> <target> | nmap -Pn -p- -sI zombie.middle.tld www.company.tld | Conduct a blind TCP port scan (idle scan). No packets are sent directly from your attacker machine to the target. Uses a "zombie" (middle man) host to obtain information about open ports on the target. You have to spend some time identifying a machine that can act as a zombie. Once you locate a good zombie, you can reuse it for more scans.
-b <FTP relay> <FTP target> | nmap -v -b name:password@old-ftp-server.company.tld ftp-target-server.company.tld -Pn | Conduct an FTP bounce scan. Exploit FTP proxy connections in which a user asks a "middle man" FTP server to send files to another FTP server. Because of widespread abuse, the FTP relay feature has been disabled by most vendors.
-T <0-5> | nmap 192.168.1.0/24 -T 2 | Use different timing templates to throttle the speed of your queries to make the scan less noticeable. Choose from T0 (slowest) to T5 (fastest). Nmap also refers to these speeds as paranoid, sneaky, polite, normal, aggressive, and insane, respectively. T0 and T1 are best for IDS evasion, but are VERY slow. T5 has been reported to be unstable because it is too fast. T4 is the recommended choice for a fast scan that is still stable. T3 is the default.
-f | nmap -f 192.168.1.50 | Split packets (including pings) into 8-byte fragments to make it harder for packet filtering firewalls and intrusion detection to determine the purpose of the packets. The --mtu option sets a different fragment size (it must be a multiple of 8).
-D <decoy1,decoy2,decoy3,...> <target> | nmap -D 192.168.1.10,192.168.1.15,192.168.1.30 192.168.1.50 | Used to mask a port scan with decoys. Creates bogus packets "from" the decoys so the actual attacker "blends in" with the crowd. It looks as if both the decoys and the actual attacker are performing the scan. In this example, 192.168.1.50 is the target; the other IPs are the decoys.
-e <interface> | nmap -e eth0 192.168.1.50 | Specify the interface Nmap should use.
-S <spoofed source address> | nmap -e eth0 -S www.google.com 192.168.1.50 | Spoofs the source address. Might not return results, since the target will try to respond to the fake address. Can be used to confuse an IDS or the target's administrator. Often used with -e or -Pn. May throw binding errors. A spoofed scan should be validated with a Wireshark capture on the target. This example makes it appear to the target 192.168.1.50 that www.google.com is scanning it.
--spoof-mac <vendor name or MAC address> | nmap -sT -Pn --spoof-mac apple 192.168.1.50; nmap -sT -Pn --spoof-mac B7:B1:F9:BC:D4:56 192.168.1.50 | Use a bogus source hardware address (also known as a Media Access Control or MAC address). You can specify a random MAC based on vendor, or explicitly specify the MAC address. The first example creates a random Apple hardware address. Note: do not mistake "MAC" for Macintosh.
--source-port <portnumber> | nmap --source-port 53 192.168.1.36 | Use a specific source port number (spoof the source port) to fool packet filters configured to trust that port. Same as the -g <portnumber> option.
--randomize-hosts | nmap --randomize-hosts 192.168.1.1-100 | Randomize the order in which the hosts are scanned.
--proxies <proxy:port,proxy:port,...> | nmap --proxies http://192.168.1.30:8080,http://192.168.1.90:8008 192.168.1.50 | Relay TCP connections through a chain of HTTP or SOCKS4 proxies. Especially useful on the Internet. This example conducts an Nmap scan against target 192.168.1.50 through two proxies, 192.168.1.30 and 192.168.1.90.
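Several of the probe types in the table leave a recognizable fingerprint on the wire, which is why the text says a good IDS recognizes them. The following Python script is an added example, not part of the original page and not Nmap's or any IDS vendor's code: it runs simple scan-detection heuristics over a constructed list of TCP packet records (the Packet class, the thresholds and the sample traffic are all assumptions made up for the example) and reports, per source address, bare SYNs to many ports with no completed handshake (-sS), NULL/FIN/Xmas flag combinations (-sN, -sF, -sX), bare SYNs from source port 53 (--source-port 53) and fragmented segments (-f).

```python
"""Scan-detection heuristics over TCP packet records (added example, not from the page)."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits in header order; NULL means no bit set, Xmas means FIN|PSH|URG.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """Minimal record of one TCP segment (constructed shape, not a real capture format)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int                # bitmask of the flag constants above
    fragmented: bool = False  # IP "more fragments" set or nonzero fragment offset


def classify_flags(flags):
    """Name the probe type an Nmap scan would send, or None for ordinary traffic."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    return None


def detect_scans(packets, port_threshold=10):
    """Return {source IP: [alert strings]} for sources whose traffic looks like a scan.

    Heuristics (chosen for this example; tune the threshold for real traffic):
    * NULL/FIN/XMAS segments are reported at once: no normal TCP stack emits them;
    * a source that sends bare SYNs to >= port_threshold distinct (host, port) pairs
      and never follows up with an ACK to them is doing a half-open SYN scan;
    * a bare SYN with source port 53 is reported as likely source-port spoofing;
    * a fragmented TCP segment is reported once per source.
    """
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} hit with a bare SYN
    acked = defaultdict(set)         # src -> {(dst, dport)} where src later sent an ACK
    frag_seen = set()
    alerts = defaultdict(list)
    for p in packets:
        kind = classify_flags(p.flags)
        target = (p.dst, p.dport)
        if kind in ("NULL", "FIN", "XMAS"):
            alerts[p.src].append(f"{kind} probe to {p.dst}:{p.dport}")
        if p.fragmented and p.src not in frag_seen:
            frag_seen.add(p.src)
            alerts[p.src].append(f"fragmented TCP segment to {p.dst}:{p.dport}")
        if kind == "SYN":
            syn_targets[p.src].add(target)
            if p.sport == 53:
                alerts[p.src].append(f"SYN from source port 53 to {p.dst}:{p.dport}")
        elif p.flags & ACK and not p.flags & SYN:
            acked[p.src].add(target)          # handshake (or later segment) completed
    for src, targets in syn_targets.items():
        half_open = targets - acked[src]
        if len(half_open) >= port_threshold:
            alerts[src].append(f"SYN scan: {len(half_open)} half-open connections")
    return dict(alerts)


# Constructed sample traffic against one host, 10.0.0.80.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE = [
    # normal client: SYN followed by its own ACK (handshake completed)
    Packet("10.0.0.5", 40000, "10.0.0.80", 80, SYN),
    Packet("10.0.0.5", 40000, "10.0.0.80", 80, ACK),
    # half-open SYN scan: bare SYN to 12 ports, never completed
    *[Packet("10.0.0.99", 50000 + i, "10.0.0.80", port, SYN)
      for i, port in enumerate(SCAN_PORTS)],
    # NULL, FIN and Xmas probes against one port
    Packet("10.0.0.77", 51000, "10.0.0.80", 22, 0),
    Packet("10.0.0.77", 51001, "10.0.0.80", 22, FIN),
    Packet("10.0.0.77", 51002, "10.0.0.80", 22, FIN | PSH | URG),
    # bare SYN from source port 53 to a non-DNS port
    Packet("10.0.0.66", 53, "10.0.0.80", 445, SYN),
    # fragmented SYN
    Packet("10.0.0.88", 52000, "10.0.0.80", 80, SYN, fragmented=True),
]

if __name__ == "__main__":
    for src, reasons in detect_scans(SAMPLE).items():
        print(src, "->", "; ".join(reasons))
```

The half-open rule is deliberately stateful per source: a client that completes its handshakes (10.0.0.5 above) is never reported, while the scanner that only ever sends SYNs is. Real deployments would also have to deal with decoys (-D), where the same half-open pattern appears from several addresses at once, and with the slow timing templates (-T0, -T1), which spread the SYNs over a window longer than a naive counter keeps.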
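The table says three times that NULL, FIN and Xmas probes "sneak through a non-stateful firewall", and that --source-port 53 fools filters that trust that port. The following Python model is an added example, not from the page and not any firewall product's ruleset: both filter classes and the probe set are constructed for illustration. It shows why a stateless filter that blocks new connections by dropping SYN-without-ACK (and trusts source port 53 as "DNS replies") lets every odd-flag probe through, while a filter that only admits packets matching a recorded outbound connection drops them all and still passes a genuine reply.

```python
"""Stateless vs stateful filtering of odd-flag and source-port probes (added example)."""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class StatelessFilter:
    """Toy model of a stateless packet filter (constructed; not a real product's rules).

    Rules, in order: allow public ports; trust anything from source port 53 as a DNS
    reply; block new connections by dropping SYN-without-ACK; let everything else
    through on the assumption that it must be a reply to traffic we started.
    """

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def allow_inbound(self, src, sport, dport, flags):
        if dport in self.open_ports:
            return True
        if sport == 53:
            return True                     # the trust --source-port 53 relies on
        if flags & SYN and not flags & ACK:
            return False                    # blocks -sS and -sT, nothing else
        return True                         # NULL, FIN, Xmas and ACK probes all pass


class StatefulFilter:
    """Toy model of a stateful filter: a packet is a reply only if we recorded the
    outbound connection it belongs to; otherwise only a SYN to a public port is allowed.
    (A real connection tracker also records accepted inbound connections; omitted here.)"""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.table = set()                  # (remote_ip, remote_port, local_port)

    def outbound(self, local_port, remote_ip, remote_port):
        """Record a connection opened from inside, as connection tracking would."""
        self.table.add((remote_ip, remote_port, local_port))

    def allow_inbound(self, src, sport, dport, flags):
        if dport in self.open_ports and flags == SYN:
            return True                     # new inbound connection to a public service
        return (src, sport, dport) in self.table   # anything else needs matching state


# Constructed probes: (source IP, source port, destination port, TCP flags)
PROBES = {
    "SYN to open 80": ("198.51.100.9", 40000, 80, SYN),
    "SYN to closed 22": ("198.51.100.9", 40001, 22, SYN),
    "NULL to 22": ("198.51.100.9", 40002, 22, 0),
    "FIN to 22": ("198.51.100.9", 40003, 22, FIN),
    "XMAS to 22": ("198.51.100.9", 40004, 22, FIN | PSH | URG),
    "ACK to 22": ("198.51.100.9", 40005, 22, ACK),
    "sport-53 SYN to 445": ("198.51.100.9", 53, 445, SYN),
    "reply to our HTTPS": ("203.0.113.44", 443, 40100, SYN | ACK),
}


def probe_results(filt, probes=PROBES):
    """Run every probe through one filter; returns {label: allowed}."""
    return {label: filt.allow_inbound(*probe) for label, probe in probes.items()}


def compare(open_ports=(80,)):
    """Return (stateless results, stateful results) for the same probe set."""
    stateless = StatelessFilter(open_ports)
    stateful = StatefulFilter(open_ports)
    stateful.outbound(40100, "203.0.113.44", 443)   # we opened this HTTPS connection
    return probe_results(stateless), probe_results(stateful)


if __name__ == "__main__":
    stateless, stateful = compare()
    for label in PROBES:
        print(f"{label:22} stateless={stateless[label]!s:5} stateful={stateful[label]}")
```

The point the comparison makes for a defender is that the -sN, -sF, -sX and -sA rows and the --source-port row all exploit the same weakness, a filter that infers "reply" from packet headers instead of from remembered state; the mitigation is the same for all of them, which is why the table repeatedly qualifies the technique with "non-stateful".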