Alex, ethical hacker.

1. Firewall Evasion – The First Glance

Alex scans the external perimeter. A classic nmap -sS triggers port 80 (HTTP) and 443 (HTTPS) only. Firewall is stateful—drops unsolicited SYN packets to other ports.

Alex uses fragmentation and decoy scans:

nmap -f -D RND:10 -Pn target.com

Fragmented packets slip past simple firewall reassembly rules. Decoy IPs muddy the source.

But the firewall logs spikes. Alex pivots: Alex notices port 443 allows ICMP tunneling (misconfigured firewall rule allowing ICMP echo replies). Uses ptunnel to encapsulate TCP over ICMP. Firewall sees ping packets – no alert.

2. IDS/IPS Evasion – The Web App Gateway

Inside the DMZ, an IDS sniffs traffic. Alex's ICMP tunnel reaches a vulnerable web server. A simple curl request for /cgi-bin/test.cgi?cmd=ls triggers a signature (known attack pattern).

The IDS sees base64 data but doesn't decode context.

Alex finds an open SMB share named HR_Confidential. Too easy. A glance at file metadata shows creation time = 2 AM (odd). Also, the server responds with Server: Honeyd 1.5c (a telltale).

nmap -sV --script=honeypot-detection target

Confirmed: it's a honeypot (SSH).