Firewall evasion, stealth scans

Evasion

ACK scan. Cannot tell open from closed (it only reports filtered/unfiltered). Use it to map firewall rules: compare with a -sS scan of the same ports; a port that is open to SYN but filtered to a bare ACK sits behind a stateful firewall, one that is unfiltered to ACK is only covered by a stateless packet filter or nothing at all.

nmap -sA 10.11.1.1/24
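Added example (not from this cheat sheet): a small shell script that correlates the -sS and -sA results for the same ports and prints what the pair of states implies about the filtering in front of each port. The two inputs are constructed sample -oG "Host:" lines (tabs simplified to spaces); the nmap invocations in the comments are the assumed way to produce real ones.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet: correlate a SYN scan and an
# ACK scan of the same host to classify what the firewall does with each port.
# Assumed real-world invocations that would produce the two inputs:
#   nmap -sS -p 22,80,443,8080 -oG syn.gnmap 10.11.1.133
#   nmap -sA -p 22,80,443,8080 -oG ack.gnmap 10.11.1.133
# Below they are constructed sample -oG "Host:" lines (tabs simplified to spaces).

SYN_GNMAP='Host: 10.11.1.133 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/closed/tcp//http-proxy///  Ignored State: closed (0)'
ACK_GNMAP='Host: 10.11.1.133 ()  Ports: 22/unfiltered/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 8080/unfiltered/tcp//http-proxy///'

# port_state LINE PORT: print the state nmap recorded for PORT in a -oG Host line
port_state() {
  printf '%s\n' "$1" \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | awk -F'/' -v p="$2" '{ gsub(/^[[:space:]]+/, "") } $1 == p { print $2; exit }'
}

# firewall_verdict SYN_STATE ACK_STATE: what the pair of states implies
firewall_verdict() {
  case "$1/$2" in
    open/unfiltered)     echo open-no-stateful-filter ;;  # SYN and bare ACK both reached the host
    open/filtered)       echo open-behind-stateful-fw ;;  # unsolicited ACK dropped: stateful inspection
    closed/unfiltered)   echo closed-reachable ;;         # RST to both probes, nothing in the way
    filtered/filtered)   echo filtered ;;                 # dropped either way
    filtered/unfiltered) echo syn-only-filtered ;;        # stateless ACL blocks SYN but passes ACK
    *)                   echo unknown ;;
  esac
}

# report SYN_LINE ACK_LINE PORT...: one line per port: port syn-state ack-state verdict
report() {
  syn_line=$1; ack_line=$2; shift 2
  for p in "$@"; do
    s=$(port_state "$syn_line" "$p")
    a=$(port_state "$ack_line" "$p")
    printf '%s %s %s %s\n' "$p" "$s" "$a" "$(firewall_verdict "$s" "$a")"
  done
}

report "$SYN_GNMAP" "$ACK_GNMAP" 22 80 443 8080
```

With the constructed sample, port 22 comes out as open with no stateful filter, port 80 as open behind a stateful firewall (SYN/ACK back, bare ACK dropped), 443 as filtered either way and 8080 as closed but reachable.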

Fragment packets (raw-packet scans only: -sS, -sU, ACK/FIN/Xmas and -O work; -sT, -sV and NSE scripts go through the host TCP stack and cannot be fragmented). -f splits into 8-byte fragments, -ff into 16-byte; --mtu must be a multiple of 8.

nmap -f -sS 10.11.1.133
nmap -ff -sS 10.11.1.133
nmap --mtu <8,16,24,32> -sS 10.11.1.133

Source port scan (-g is the short form). Stateless filters often let inbound traffic through when it comes from a port they expect replies from (DNS 53, FTP-data 20, Kerberos 88); try the common ones: 20,21,22,53,67,80,88,110,139,161,443,445,3389. Raw-packet scans only; -sT, -sV and NSE use the OS stack and ignore it.

nmap --source-port <port> 10.11.1.133

Custom packet length: append random bytes to each probe so it no longer has the empty payload that IDS signatures for nmap key on.

nmap --data-length 25 10.11.1.133

Send packets with bad checksums. A real TCP/IP stack drops them silently, so any reply comes from a firewall or IDS that did not verify the checksum.

nmap --badsum 10.11.1.133

Stealth

Decoy addresses (raw-packet scans only). Decoys should be online, otherwise the target may end up SYN-flooded; put ME in the list to choose where your real address appears, and bear in mind that some ISPs drop packets with spoofed sources.

nmap -D RND:10 10.11.1.133
nmap -D decoy1,decoy2,ME,... 10.11.1.133

Zombie (idle) scan (stealth/evasion). Your own address never touches the target: the result is read from the zombie's IP ID counter, so the zombie must be idle and use a global incremental IP ID. Use -Pn so nmap does not ping the target from your real address.

find zombies (incremental IP ID sequence)
nmap -O -v <candidates>             look for "IP ID Sequence Generation: Incremental"
nmap --script ipidseq <candidates>
use auxiliary/scanner/ip/ipidseq    (Metasploit)
nmap -Pn -sI <zombie>[:<port>] 10.11.1.133
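Added example (not from this cheat sheet) showing the two pieces of an idle scan by hand: picking zombie candidates out of nmap -O output by their IP ID class, and turning two IP ID readings of the zombie (before and after the spoofed SYN reaches the target) into an open/closed verdict. The -O text is a constructed sample and the invocation in the comment is assumed; nmap -sI does the same arithmetic with many more probes.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheat sheet.
# (1) zombie_candidates: filter "nmap -O" output for hosts whose IP ID class
#     is usable for -sI. Assumed invocation producing the text: nmap -O -v 10.11.1.50-52
# (2) ipid_verdict: the core idle-scan inference from two IP ID readings.

# Constructed sample of nmap -O output for three candidate zombies.
OS_SCAN='Nmap scan report for 10.11.1.50
Host is up (0.0011s latency).
IP ID Sequence Generation: Incremental
Nmap scan report for 10.11.1.51
Host is up (0.0009s latency).
IP ID Sequence Generation: All zeros
Nmap scan report for 10.11.1.52
Host is up (0.0013s latency).
IP ID Sequence Generation: Randomized'

# zombie_candidates TEXT: print hosts with an incremental IP ID class
# (only bare IP addresses on the "scan report" line are handled here)
zombie_candidates() {
  printf '%s\n' "$1" | awk '
    /^Nmap scan report for/ { host = $NF }
    /IP ID Sequence Generation: (Incremental|Broken little-endian incremental)$/ { print host }'
}

# ipid_verdict BEFORE AFTER: IP IDs from the zombie's RST replies to our SYN/ACK
# probes, taken before and after the SYN spoofed from the zombie hits the target.
#   +1: only our second probe bumped the counter -> target sent RST or nothing
#   +2: target's SYN/ACK made the zombie send an extra RST -> port open
# The counter is 16 bits, so the difference is taken modulo 65536.
ipid_verdict() {
  delta=$(( ($2 - $1) & 65535 ))
  case $delta in
    1) echo closed-or-filtered ;;
    2) echo open ;;
    *) echo unusable-zombie ;;   # someone else talked to the zombie; it is not idle
  esac
}

zombie_candidates "$OS_SCAN"
ipid_verdict 65535 1
```

Anything other than +1 or +2 means the zombie was not idle during the probe window; pick another host (or another moment) rather than trusting the result.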

MAC address spoofing (stealth/evasion). Only matters on the local Ethernet segment (the first router rewrites the source MAC) and only for raw frames, so a -sT connect scan still leaves with your real MAC.

Specify MAC address from a Vendor
--spoof-mac Dell/Apple/3Com

Generate a random MAC address
--spoof-mac 0

Specify your own MAC address
--spoof-mac 00:01:02:25:56:AE

nmap -sS -Pn --spoof-mac 0 10.11.1.133