Nmap Firewall / IDS / IPS Evasion Techniques
Use LLMs in combination with these techniques to further enhance the evasion.
1. Packet Fragmentation
Goal: Break signatures that expect full packets.
nmap -f 192.168.1.10
nmap --mtu 24 192.168.1.10
Some firewalls/IDS don’t properly reassemble fragments
Signature-based detection may miss payloads split across packets
Modern IDS/IPS usually reassemble fragments correctly
2. Decoy Scanning
Goal: Obscure the real scanner’s IP.
nmap -D 10.0.0.5,10.0.0.6,ME 192.168.1.10
Target sees multiple source IPs
Makes attribution harder in logs
IDS may fingerprint timing, TTL, or TCP behavior differences
3. Source IP Spoofing
Goal: Hide origin (mostly theoretical).
❌ Does NOT work for TCP connect scans
Responses go to the spoofed IP
Useful only in limited scenarios (stateless scans, research)
4. Source Port Manipulation
Goal: Bypass naive firewall rules.
Firewalls often allow traffic from DNS (53) or HTTPS (443)
Modern firewalls inspect state, not just ports
5. Interface Selection
Goal: Control routing / VLAN behavior.
VPN vs local interface testing
6. Proxy Chaining
Goal: Hide scanning origin (TCP only).
Works only with TCP connect scans
Easy to fingerprint as proxied traffic
7. Custom Payload Injection
Goal: Evade static signatures.
Changes packet fingerprints
Can bypass payload-based IDS rules
Goal: Trigger edge-case handling.
Mostly useful for detection testing, not evasion
9. TTL Manipulation
Goal: Evade inline IPS or map network position.
Identify hop-count differences
10. MAC Address Spoofing
Goal: Evade local network controls.
MAC-based ACLs (weak security)
11. Bad Checksum Packets
Goal: Test IDS vs firewall handling.
Firewall drops the packet
Detect IDS positioned behind a firewall
Typical Real-World Combos (Theory Level)
⚠️ Common in exams and labs, not reliable real-world bypasses
