{"id":13842208,"url":"https://github.com/al0ne/Nmap_Bypass_IDS","last_synced_at":"2025-07-11T14:31:16.666Z","repository":{"id":125346745,"uuid":"162666494","full_name":"al0ne/Nmap_Bypass_IDS","owner":"al0ne","description":"Nmap\u0026Zmap signature identification, bypassing IDS detection","archived":false,"fork":false,"pushed_at":"2019-08-01T02:53:31.000Z","size":5,"stargazers_count":326,"open_issues_count":0,"forks_count":60,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-05T17:30:53.948Z","etag":null,"topics":["bypass","nmap","suricata","zmap"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/al0ne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-12-21T04:40:18.000Z","updated_at":"2024-07-26T06:07:44.000Z","dependencies_parsed_at":null,"dependency_job_id":"6b25021b-bdde-4589-9831-866ee54b2dee","html_url":"https://github.com/al0ne/Nmap_Bypass_IDS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FNmap_Bypass_IDS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FNmap_Bypass_IDS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FNmap_Bypass_IDS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/al0ne%2FNmap_Bypass_IDS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/al0ne","download_url":"https://codeload.github.com/al0ne/Nmap_Bypass_IDS/tar.gz/refs/heads/master","host":{"name":"
GitHub","url":"https://github.com","kind":"github","repositories_count":225729900,"owners_count":17515186,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","nmap","suricata","zmap"],"created_at":"2024-08-04T17:01:29.447Z","updated_at":"2024-11-21T12:31:02.140Z","avatar_url":"https://github.com/al0ne.png","language":null,"readme":"# Nmap_Bypass_IDS\n\nScan parameters: nmap -sS -sV -O -vv 1.1.1.1\n\n### Nmap OS detection: bypassing IDS detection\n\nWhen nmap scans with the -O option it sends TCP, UDP and ICMP probes, then compares the TCP window, TTL, IPID and other fields of the responses against its fingerprint database to identify the operating system. An IDS generally recognises an nmap scan by the 'C' characters that pad the UDP data area; the ICMP payload is padded with 0 (a normal Windows ping pads with a-z, Linux with 0-9).\n\nalert udp $EXTERNAL_NET 10000: -\u003e $HOME_NET 10000: (msg:\"ET SCAN NMAP OS Detection Probe\"; dsize:300; content:\"CCCCCCCCCCCCCCCCCCCC\"; fast_pattern:only; content:\"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\"; depth:255; content:\"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\"; within:45; classtype:attempted-recon; sid:2018489; rev:3; metadata:created_at 2014_05_20, updated_at 2014_05_20;)\n\nhttps://raw.githubusercontent.com/nmap/nmap/master/osscan2.cc\n\nstatic u8 patternbyte = 0x43; /* character 'C' */ is replaced with static u8 patternbyte = 0x46; /* character 'F' */\n\n### Changing the nmap User-Agent\n\nalert http $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)\"; flow:to_server,established; content:\"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine\"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)\n\nEdit nselib/http.lua\n\nUSER_AGENT = stdnse.get_script_args('http.useragent') or \"Mozilla/5.0 (compatible; )\"\n\n### TCP window: changing the TCP window size\n\nnmap's default scan uses a TCP window size of 1024; change it to 10240 to bypass the IDS.\n\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"ET SCAN NMAP -sS window 1024\"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)\n\ntcpip.cc:729:    tcp-\u003eth_win = htons(1024); /* Who cares */\n\n if (window)\n \n    tcp-\u003eth_win = htons(10240); /* Who cares */\n\n### Editing nmap-service-probes\n\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET $HTTP_PORTS (msg:\"ET SCAN NMAP SIP Version Detect OPTIONS Scan\"; flow:established,to_server; content:\"OPTIONS sip|3A|nm SIP/\"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)\n\n-Probe TCP SIPOptions q|OPTIONS sip:nm SIP/2.0\\r\\nVia: SIP/2.0/TCP nm;branch=foo\\r\\nFrom: \u003csip:nm@nm\u003e;tag=root\\r\\nTo: \u003csip:nm2@nm2\u003e\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003csip:nm@nm\u003e\\r\\nAccept: application/sdp\\r\\n\\r\\n|\n\nRemove OPTIONS sip\n\n### Changing the 3389 cookie\n\nnmap-service-probes  \nProbe TCP TerminalServerCookie q|\\x03\\0\\0*%\\xe0\\0\\0\\0\\0\\0Cookie: mstshash=nmap\\r\\n\\x01\\0\\x08\\0\\x03\\0\\0\\0|  \nnselib/rdp.lua  \nlocal cookie = \"mstshash=nmap\"  \n\n### Zmap detection\nMany network scanners use a fixed TCP window or IPID, and these can be used as part of a signature.  \nFor example, packet captures of a zmap scan show that zmap uses a fixed IPID of 54321 and a fixed window value of 65535, so I can write an IDS rule to detect it  \n```\nalert tcp any any -\u003e any any (msg:\"Detect ZMAP scan\"; dsize:0; flags:S; window:65535; id:54321; threshold: type both, track by_src, count 60, seconds 60; sid:19010201; rev:1; metadata:created_at 2019_01_02, by al0ne;)\n```\n\nalert means write an alert log entry; tcp $EXTERNAL_NET any -\u003e $HOME_NET any correspond to protocol, source IP, source port, direction, destination IP and destination port, here matching any IP and any port.\ndsize is the size of the TCP data area; the scan attaches no other data, so it is 0. flags:S means the TCP flags are S, i.e. the SYN request of the three-way handshake, and the threshold alerts only when this occurs 60 times within 60 seconds. \n\nModify to bypass  \nsrc/probe_modules/packet.c  \n```\ntcp_header-\u003eth_win = htons(65535);\niph-\u003eip_id = htons(54321);\n```\n","funding_links":[],"categories":["Others","Others (1002)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2FNmap_Bypass_IDS","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fal0ne%2FNmap_Bypass_IDS","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fal0ne%2FNmap_Bypass_IDS/lists"}