Listen to this Post

Introduction:
Port scanning is the cornerstone of reconnaissance in penetration testing, yet traditional scans trigger intrusion detection systems (IDS) and web application firewalls (WAF) almost instantly. Adversaries and ethical hackers alike now employ advanced evasion methods—such as decoy scans, fragmented packets, and zombie-based idle scans—to map network topologies without raising alarms. This article dissects five stealth scanning techniques, provides verified commands for Linux and Windows, and explains how defenders can detect and mitigate these tactics using cloud hardening and AI-driven analytics.
Learning Objectives:
- Execute decoy and idle (zombie) scans to obfuscate the source of reconnaissance traffic.
- Configure fragmented packets and custom MTU values to bypass signature-based detection.
- Implement Windows PowerShell and netsh commands for passive network mapping.
- Apply cloud security group rules and AI-based anomaly detection to block stealth scanning attempts.
You Should Know:
- Evading Firewalls with Decoy Scans and Proxy Chains
Decoy scanning (nmap -D) masks your real IP address by generating multiple fake source IPs, overwhelming simple log analysis. For advanced anonymity, chain proxies using Proxychains. Below is an extended explanation of what this accomplishes: It distributes probe packets across decoys, so defenders see many hosts scanning simultaneously, making it hard to isolate the true attacker.
Step‑by‑step guide – Decoy scan on Linux:
- Identify target (e.g., 192.168.1.10) and choose decoy IPs (e.g., 10.0.0.5, 172.16.0.2).
- Run: `nmap -D 10.0.0.5,172.16.0.2,RND:5,ME -Pn -sS -p 80,443 192.168.1.10`
– `RND:5` generates five random decoys; `ME` places your real IP among them. - Verify evasion: Check target’s firewall logs – they will list multiple source IPs.
- For proxy chaining: Edit `/etc/proxychains4.conf` with `socks4 127.0.0.1 9050` (Tor). Then run: `proxychains nmap -sT -Pn -p 22 192.168.1.10`
Windows alternative: Use PowerSploit’s `Invoke-Nmap` with decoy parameter after importing:
Invoke-Nmap -ScanType "-sS" -Decoy "10.0.0.5,172.16.0.2" -Target 192.168.1.10. Requires prior installation of Nmap for Windows.
- TCP Idle Scan (Zombie Scan) – Exploiting IPID Sequences
The idle scan leverages a “zombie” host with a predictable IPID (incremental) to infer open ports without sending packets directly from your machine. This technique is stealthy because the target sees only the zombie’s IP. If the zombie is a lightly used Windows machine (which often uses global IPID), it works perfectly.
Step‑by‑step guide – Performing idle scan with Nmap:
- Find a zombie candidate: `nmap -p 445 –script ipidseq
` – look for “Incremental” IPID. - Execute idle scan: `nmap -Pn -sI
-p 1-100`
– Interpret results: Open port → IPID increase by 2; closed port → increase by 1. - For Windows zombies (Server 2003/XP), test with `nping –tcp -p 445 –flags syn -c 1 -g 80
` to verify IPID behavior.
Mitigation: Use random IPID generation (Linux’s `net.ipv4.ip_no_pmtu_disc` or Windows registry HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\RandomizeIPID=1).
- Packet Fragmentation and MTU Tricks to Bypass IDS/IPS
Fragmentation splits scan probes into tiny IP fragments (e.g., 8-byte header + small payload), causing many IDS signature engines to miss the reassembled malicious intent. Nmap’s `-f` flag creates 8-byte fragments; `–mtu` allows custom sizes.
Step‑by‑step guide – Fragmentation on Linux:
- Basic fragmentation: `nmap -f -sS -p 80,443 192.168.1.10` (splits TCP header across two fragments).
- Custom MTU (must be multiple of 8): `nmap –mtu 16 -Pn -sS -p 1-1000 192.168.1.10`
– Combine with decoy: `nmap -f -D 10.0.0.5,ME –mtu 24 -sS -p 8080 192.168.1.10`
– Test against Snort: Run Snort in rule-test mode: `snort -c /etc/snort/snort.conf -r capture.pcap` – fragmented scans often produce fewer alerts.
Windows command: Use `nmap –mtu 32 -sS -f` from PowerShell with admin rights. For native Windows, `netsh advfirewall set global StatefulFTP disable` can reduce fragment inspection (but not recommended).
4. Windows Native Reconnaissance Without Third-Party Tools
Windows offers built-in networking utilities that mimic low-and-slow scanning, often overlooked by EDR solutions. Use PowerShell for TCP connect scans and ARP discovery.
Step‑by‑step guide – Windows stealth recon:
- Passive ARP scan (no active probes): `Get-NetNeighbor -AddressFamily IPv4 | Select-Object IPAddress,LinkLayerAddress,State`
– TCP connect scan with random delays:1..1024 | ForEach-Object { $port=$_; $client=New-Object System.Net.Sockets.TcpClient; $connect=$client.BeginConnect("192.168.1.10",$port,$null,$null); Start-Sleep -Milliseconds (Get-Random -Min 100 -Max 500); if($client.Connected){Write-Host "Port $port open"}; $client.Close() } - Use `Test-NetConnection` with `-Port` and `-InformationLevel Quiet` to avoid verbose logs.
- Schedule scan during peak hours using `schtasks /create /tn “Recon” /tr “powershell.exe -File C:\scan.ps1” /sc daily /st 14:00`
Linux equivalent for cross-platform: Use `hping3 –scan 1-1000 -S 192.168.1.10 -i u1000` (1ms interval) or
masscan --rate=100 --wait 0 -p1-1000 192.168.1.10/24.
5. Cloud Hardening Against Stealth Scanning (AWS/Azure/GCP)
Cloud environments are prime targets. Implement these mitigations to block decoy, idle, and fragmented scans.
Step‑by‑step guide – AWS Security Groups & WAF:
- Create security group rule to drop invalid fragments: In VPC console, add custom ICMP rule type 3 (fragmentation needed) but more effectively use Network ACLs with `deny` for fragmented packets (port range 0-65535, protocol 0, fragment flag = True).
- Enable AWS Network Firewall’s “Stateless fragment reassembly” and “Strict” ordering.
- Deploy AWS WAF rate-based rule: `RateLimit=100` per 5 minutes against `/0` to slow decoy floods.
- Use GuardDuty with anomaly detection – monitor for `Recon:EC2/PortScan` and
Recon:EC2/IdleScan.
Azure commands (Azure CLI):
`az network nsg rule create –nsg-name MyNSG –name DenyFragments –priority 100 –direction Inbound –access Deny –protocol “” –source-address-prefixes “0.0.0.0/0” –destination-port-ranges “” –fragments “IsFragment”`
Linux host hardening: Enable `iptables` to log fragmented packets:
`iptables -A INPUT -f -j LOG –log-prefix “FRAGMENTED_SCAN: “` then drop: `iptables -A INPUT -f -j DROP`
Windows host hardening:
`netsh advfirewall firewall add rule name=”BlockFragments” dir=in action=block protocol=any remoteport=any edge=yes`
6. AI-Powered Detection of Stealth Scans
Traditional signatures fail against polymorphic scanning. AI models trained on flow data (NetFlow/IPFIX) can detect low-and-slow or decoy patterns. Implement open-source Zeek with machine learning.
Step‑by‑step guide – Deploy Zeek + AI analyzer:
- Install Zeek (Linux):
apt install zeek; configure `node.cfg` for live capture. - Enable `scan.zeek` script: `@load scan` in
local.zeek. - Export Zeek logs to CSV: `zeek-cut -d < conn.log > scans.csv`
– Use Python with Isolation Forest (scikit-learn) to flag anomalies:import pandas as pd from sklearn.ensemble import IsolationForest df = pd.read_csv('scans.csv', usecols=['id.resp_p','duration','orig_bytes','resp_bytes']) model = IsolationForest(contamination=0.01) df['anomaly'] = model.fit_predict(df) anomalies = df[df['anomaly']==-1] print("Potential stealth scans:", anomalies['id.resp_p'].value_counts()) - Integrate with SIEM (Splunk/ELK) for real-time alerting.
What Undercode Say:
- Stealth scanning techniques like idle and decoy scans remain highly effective against default IDS configurations, but modern cloud security groups and AI-driven flow analysis can neutralize them.
- Linux and Windows both offer built-in methods for both offense (PowerShell raw sockets) and defense (netsh fragment blocking); the asymmetry lies in logging granularity.
- Prediction: By 2027, AI-based behavioral detection will render traditional IP-fragmentation evasion obsolete, forcing attackers to shift to encrypted covert channels (e.g., DNS tunneling) and side-channel timing attacks.
Prediction:
The cat-and-mouse game will accelerate: as AI defense models learn scanning fingerprints in milliseconds, red teams will adopt generative AI to craft one‑shot, never‑seen‑before scan patterns. Cloud providers will embed real‑time anomaly scoring directly into their network fabrics, automatically throttling any source exhibiting decoy or idle scan characteristics. Organizations that fail to implement fragment inspection and random IPID randomization will continue to leak internal network maps to silent adversaries. The future of port scanning is not stealthier packets—it’s algorithmic warfare between AI agents.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Infosec Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


