Firewall evasion techniques help pentesters bypass filtering rules, avoid detection, and reach services that are otherwise hidden. Firewalls inspect packets, block unauthorized traffic, and limit scanning attempts. To perform full enumeration, pentesters must understand how firewalls behave and how to craft traffic that slips past filtering rules. These techniques must always follow scope and legal permissions.
Understanding Firewall Behavior
Firewalls filter traffic based on:
- Source and destination IP
- Source and destination port
- Protocol type
- Connection state
- Packet flags
- Application signatures
Firewalls may block certain scans, drop packets silently, or allow only specific protocols. Evasion techniques work by sending packets that bypass or confuse these rules.
Fragmentation Techniques
Fragmentation breaks packets into smaller segments so firewalls have difficulty inspecting them fully.
Basic Fragment Scan
nmap -f 10.10.10.5
This splits packets, making simple filters less effective.
Custom Fragment Size
nmap -f --mtu 32 10.10.10.5
Using different MTU values helps evade pattern-based inspection.
Fragmentation works because many firewalls struggle with reassembling fragmented traffic for inspection.
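The check a firewall needs here is the one described in RFC 1858: the first fragment of a TCP datagram must carry enough of the transport header for port and flag rules to apply, and a fragment at offset 8 must be treated with suspicion because it is the one position from which a later fragment can overwrite the flags of the first. The following is an added example, not code from the original page or from Nmap: a minimal IPv4 fragment parser that applies those two checks to constructed packets, including a 20-byte SYN split into 8-byte pieces the way the `-f` option fragments the TCP header. The IPv4/TCP header builders, the 20-byte `MIN_TCP_HEADER` policy value and the sample addresses are all constructed for the example.

```python
import struct

# Minimum transport header the first fragment must carry before a TCP rule can
# be applied to it. Policy choice for this example: the full 20-byte TCP header.
MIN_TCP_HEADER = 20
IPPROTO_TCP = 6


def build_ipv4_fragment(ident, offset_units, more_fragments, payload, proto=IPPROTO_TCP):
    """Constructed test helper: a minimal IPv4 header (IHL 5, checksum 0) plus payload.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 9]), bytes([10, 10, 10, 5]))
    return header + payload


def parse_ipv4(pkt):
    """Pull out the fields a fragment-inspection rule needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),        # More Fragments bit
        "offset": (flags_frag & 0x1FFF) * 8,    # offset is stored in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def classify_fragment(pkt):
    """Apply the two RFC 1858 checks to one packet.

    tiny-first-fragment:     offset 0 with too little payload to hold the TCP
                             header, so ports and flags cannot be matched.
    header-overlap-fragment: offset 8 (FO=1), the one position from which a
                             later fragment can overwrite the flags of the first.
    """
    f = parse_ipv4(pkt)
    if not f["mf"] and f["offset"] == 0:
        return "unfragmented"
    if f["proto"] != IPPROTO_TCP:
        return "fragment"
    if f["offset"] == 0 and len(f["payload"]) < MIN_TCP_HEADER:
        return "tiny-first-fragment"
    if f["offset"] == 8:
        return "header-overlap-fragment"
    return "fragment"


def inspect_stream(packets):
    return [classify_fragment(p) for p in packets]


# Constructed input: a 20-byte TCP SYN to port 443, sent whole and then split
# into 8-byte pieces the way a header-fragmenting scanner emits them.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
WHOLE = build_ipv4_fragment(0x1234, 0, False, TCP_SYN)
FRAGMENTED = [
    build_ipv4_fragment(0x1235, 0, True, TCP_SYN[0:8]),     # ports, half of seq
    build_ipv4_fragment(0x1235, 1, True, TCP_SYN[8:16]),    # ack, data offset, flags, window
    build_ipv4_fragment(0x1235, 2, False, TCP_SYN[16:20]),  # checksum, urgent pointer
]

if __name__ == "__main__":
    print(classify_fragment(WHOLE))
    for verdict in inspect_stream(FRAGMENTED):
        print(verdict)
```

A filter that drops the first two verdicts (or that reassembles before inspecting) is the reason fragment scans only work against "many" firewalls rather than all of them; the third piece is a legitimate trailing fragment and is left alone.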
Decoy Techniques
Decoy techniques interleave the real probes with probes that appear to come from other IP addresses, so the real source is buried among the decoys.
Decoy Scan
nmap -D RND:10 10.10.10.5
This inserts ten random decoy IPs alongside the real one.
Custom Decoy List
nmap -D 192.168.1.10,192.168.1.11,ME 10.10.10.5
“ME” marks the attacker’s real IP among decoys.
Decoys confuse logging systems and make identification difficult.
Spoofing Techniques
Spoofing modifies source information to bypass IP-based filters.
Spoof MAC Address
nmap --spoof-mac 00:11:22:33:44:55 10.10.10.5
This helps bypass MAC-based controls on internal networks.
Spoofing Source IP
Used only when reply packets are not required.
Often combined with idle scans.
Idle (Zombie) Scanning
Idle scans hide the attacker’s IP completely by using an idle “zombie” host.
nmap -sI 10.10.10.100 10.10.10.5
The firewall sees only the zombie’s IP.
This works well on poorly monitored networks.
Timing & Rate Adjustments
Firewalls detect scans by looking for unusual patterns or high-rate traffic. Adjusting timing helps avoid detection.
Stealth Timing
nmap -T1 10.10.10.5
Slow timing avoids packet bursts.
Randomized Timing
nmap --scan-delay 200ms 10.10.10.5
Adding a delay between probes keeps the scan rate under threshold-based detection.
Aggressive Timing (When Needed)
nmap -T5 10.10.10.5
Used for large networks without strict monitoring.
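Both the decoy section and the timing section above describe tricks aimed at a detector that counts events per source over a short window. The following is an added example, not code from the original page or from Nmap, showing the two complementary checks a defender runs over connection logs to see through them: a sliding long window of distinct destination ports per source (so a probe every 15 seconds that stays under a per-minute threshold still crosses a per-hour one), and a correlation of many sources hitting the same destination port in the same sub-second bucket, which is the footprint that decoys leave because they fire in lockstep with the real probe. The `Flow` record, the thresholds and all addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One logged connection attempt (e.g. from firewall deny logs or NetFlow)."""
    ts: float    # seconds since epoch
    src: str
    dst: str
    dport: int


def max_ports_in_window(flows, window_s):
    """For every source, the largest number of distinct destination ports it
    touched inside any window_s-second span. A sliding window over sorted
    timestamps, so a probe every 15 s shows as 5 ports per minute but all of
    them per hour."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        lo, best = 0, 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window_s:
                lo += 1
            best = max(best, len({f.dport for f in fl[lo:hi + 1]}))
        result[src] = best
    return result


def slow_scanners(flows, window_s, min_ports):
    """Sources whose distinct-port count reaches min_ports within window_s."""
    return {s: n for s, n in max_ports_in_window(flows, window_s).items() if n >= min_ports}


def coincident_sources(flows, bucket_s, min_sources):
    """Decoy signature: several sources probing the same dst:port inside the
    same time bucket. Returns {(dst, dport, bucket): sorted sources}."""
    groups = defaultdict(set)
    for f in flows:
        groups[(f.dst, f.dport, int(f.ts // bucket_s))].add(f.src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}


# Constructed sample: one host probing 16 ports 15 s apart (a slow-timing crawl),
# then a burst in which it and four decoy addresses hit ports 22 and 80 together.
TARGET = "10.10.10.5"
REAL_SCANNER = "10.0.0.9"
DECOYS = ["198.51.100.7", "203.0.113.21", "192.0.2.44", "198.51.100.88"]
SLOW_SCAN = [Flow(100.0 + 15 * i, REAL_SCANNER, TARGET, 20 + i) for i in range(16)]
DECOY_BURST = [Flow(1000.0 + 0.1 * j, s, TARGET, p)
               for j, p in enumerate((22, 80)) for s in [REAL_SCANNER] + DECOYS]
SAMPLE_FLOWS = SLOW_SCAN + DECOY_BURST

if __name__ == "__main__":
    print("1-minute window:", slow_scanners(SAMPLE_FLOWS, 60, 10))     # {}  the crawl hides
    print("1-hour window:  ", slow_scanners(SAMPLE_FLOWS, 3600, 10))   # {'10.0.0.9': 17}
    for key, srcs in coincident_sources(SAMPLE_FLOWS, 1.0, 4).items():
        print("lockstep probe of", key, "from", srcs)
```

The lockstep check does not say which of the five addresses is real, which is exactly the ambiguity decoys are meant to create; it does, however, turn a scan that looks like five unrelated sources into a single alert, and a source that also appears in the slow-crawl results is the one worth following up.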
Non-Standard Flags
Firewalls expect normal TCP flags. Sending unusual flag combinations can bypass simple rules.
FIN Scan
nmap -sF 10.10.10.5
XMAS Scan
nmap -sX 10.10.10.5
NULL Scan
nmap -sN 10.10.10.5
These scans detect open ports without using SYN packets, often bypassing basic filters.
Port-Based Evasion
Some firewalls behave differently with specific ports.
Scanning Common Allowed Ports
nmap -PS443 -p 443 10.10.10.5
Using ports like 53, 80, or 443 may bypass filtering.
Source Port Manipulation
nmap --source-port 53 10.10.10.5
Some firewalls trust DNS traffic and allow it through.
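The "basic filters" that the FIN, XMAS and NULL scans slip past, and the rule that trusts source port 53, share one weakness: they match header fields alone and keep no memory of which connections the protected host actually opened. The following is an added example, not code from the original page or from Nmap, that models both kinds of policy side by side and runs the same constructed inbound packets through each: a legacy stateless rule set (trust source port 53, publish 443, block SYN-without-ACK, pass the rest as presumed replies) and a connection-tracking filter that only accepts packets matching a tracked connection or a SYN to a published service. The `Packet` record, the `ALLOWED_SERVICES` set, the addresses and the flag values are constructed for the example; the model is TCP-only.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Services the protected host publishes; everything else should only answer
# connections the host itself opened. Constructed for this example.
ALLOWED_SERVICES = {443}
PROTECTED_HOST = "10.10.10.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # TCP only; this model does not cover UDP


def scan_signature(flags):
    """Name the non-standard probes from the text; None means an ordinary flag mix."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    return None


def stateless_policy(pkt):
    """Legacy ACL: no connection memory, so it can only match header fields.

    Rule order: trust source port 53 (so DNS answers get back in), publish 443,
    block packets that try to open a connection (SYN without ACK), and let
    everything else through on the assumption that it is a reply."""
    if pkt.sport == 53:
        return "accept"
    if pkt.dport in ALLOWED_SERVICES:
        return "accept"
    if pkt.flags & SYN and not pkt.flags & ACK:
        return "drop"
    return "accept"


class StatefulFirewall:
    """Connection-tracking filter: a packet is accepted only as part of a
    connection the host opened or as a SYN to a published service."""

    def __init__(self):
        self.table = set()  # expected inbound (src, sport, dst, dport) tuples

    def outbound(self, pkt):
        # The host initiated traffic; remember the tuple its reply will carry.
        self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return "accept"          # ESTABLISHED: matches a tracked connection
        if pkt.flags == SYN and pkt.dport in ALLOWED_SERVICES:
            self.table.add(key)      # NEW: the legitimate way to open a connection
            return "accept"
        return "drop"                # includes FIN/NULL/XMAS and spoofed-sport probes


def evaluate(inbound_packets, outbound_packets=()):
    """Run the same inbound packets through both policies; returns
    [(description, stateless_verdict, stateful_verdict), ...]."""
    fw = StatefulFirewall()
    for pkt in outbound_packets:
        fw.outbound(pkt)
    results = []
    for pkt in inbound_packets:
        label = scan_signature(pkt.flags) or ("SYN" if pkt.flags == SYN else "other")
        desc = f"{label} {pkt.src}:{pkt.sport}->{pkt.dport}"
        results.append((desc, stateless_policy(pkt), fw.inbound(pkt)))
    return results


# Constructed traffic: one DNS-over-TCP query the host sent out, then the
# inbound mix a firewall would see during the scans described in the text.
OUTBOUND = [Packet(PROTECTED_HOST, 40000, "10.0.0.53", 53, SYN)]
INBOUND = [
    Packet("10.0.0.53", 53, PROTECTED_HOST, 40000, SYN | ACK),      # genuine DNS reply
    Packet("10.0.0.9", 53, PROTECTED_HOST, 22, SYN),                 # --source-port 53 probe
    Packet("10.0.0.9", 40001, PROTECTED_HOST, 22, FIN),              # -sF
    Packet("10.0.0.9", 40002, PROTECTED_HOST, 22, 0),                # -sN
    Packet("10.0.0.9", 40003, PROTECTED_HOST, 22, FIN | PSH | URG),  # -sX
    Packet("10.0.0.9", 40004, PROTECTED_HOST, 443, SYN),             # connect to published port
    Packet("10.0.0.9", 40005, PROTECTED_HOST, 22, SYN),              # plain SYN to unpublished port
]

if __name__ == "__main__":
    for desc, sl, sf in evaluate(INBOUND, OUTBOUND):
        print(f"{desc:34} stateless={sl:6} stateful={sf}")
```

Against the stateless policy every probe except the plain SYN to port 22 is accepted, which is why the flag-based scans and the trusted source port work there; the stateful filter lets in only the real DNS reply and the connection to the published port, because the other packets match no connection the host opened. When a scan of this kind does get results, the finding to report is that the perimeter device is filtering statelessly.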
Using Encrypted Tunnels
Encrypted traffic hides scan signatures from firewalls.
Proxychains Example
proxychains nmap -sT 10.10.10.5
This routes scans through proxies, hiding origin and behavior.
VPN Tunneling
Routing scans through a VPN bypasses perimeter firewalls and changes inspection points.
Bypassing Application Firewalls
Application firewalls inspect HTTP, DNS, or SMTP traffic. Evasion techniques include:
- Modifying headers
- Changing request order
- Using uncommon encodings
- Fragmenting HTTP requests
- Sending partial requests
These tricks make it harder for application firewalls to detect scanning patterns.
Combining Evasion Techniques
The strongest firewall evasion comes from combining methods:
- Fragmentation + decoys
- MAC spoofing + timing adjustments
- SYN scans + source port manipulation
- Encrypted tunnels + proxy routes
Using multiple layers of evasion increases success in restricted environments.
Why Firewall Evasion Matters
Firewalls control what pentesters can see and reach. Evasion techniques uncover hidden services, test segmentation, and reveal misconfigured rules. Without evasion, scans may miss key systems or produce inaccurate results.
Intel Dump
- Firewalls filter by IP, port, protocol, and session state
- Fragmentation, decoys, spoofing, and timing help bypass filters
- FIN, NULL, and XMAS scans avoid SYN-based detection
- Source port manipulation leverages trusted ports
- Encrypted tunnels and proxies bypass inspection
- Combining methods reveals hidden services behind firewalls