Fragmentation Scans (`-f`, `--mtu`) with Nmap

This article provides an in-depth look into Nmap’s fragmentation scan options, how they work, and their practical applications in penetration testing and network reconnaissance.

Introduction

Network security professionals, penetration testers, and ethical hackers frequently use Nmap (Network Mapper) to discover hosts and services on a network. Among its various scanning techniques, fragmentation scans stand out as a method to evade intrusion detection and firewall defenses. This article provides an in-depth look into Nmap’s fragmentation scan options (-f, --mtu), how they work, and their practical applications in penetration testing and network reconnaissance.

What is a Fragmentation Scan?

A fragmentation scan in Nmap is a technique that splits the IP packets carrying its TCP probes into smaller IP fragments before sending them to the target. This approach can bypass some firewalls, IDS (Intrusion Detection Systems), and IPS (Intrusion Prevention Systems) that inspect each fragment on its own instead of reassembling the full packet before inspecting it.

By default, most scanning methods in Nmap send each probe as a single, unfragmented packet. When fragmentation is enabled, the tool splits these packets into smaller chunks, which can make it harder for stateless security devices to match the probe against their rules and block it.

Why Use Fragmentation in Scanning?

Fragmentation scanning is useful for:

  • Bypassing Firewalls and IDS/IPS: Some security systems may fail to reassemble fragmented packets before analysis, allowing probes to slip through undetected.
  • Evading Packet-based Filters: Firewalls that inspect packets based on specific signatures may struggle to analyze fragmented packets.
  • Reducing Scan Detection: Network administrators monitoring for port scans might miss fragmented packets as they do not always trigger standard detection rules.

How to Perform Fragmentation Scans in Nmap

Nmap provides two primary fragmentation-related options:

1. -f (Fragment Packets)

The -f option instructs Nmap to split each probe into tiny IP fragments, each carrying only 8 bytes of data after the IP header. Because a TCP header is at least 20 bytes, the header itself (ports, sequence number, flags) is spread across several fragments, which is what trips up inspection devices that examine only the first fragment.

Example Command:

nmap -f <target>

This command will scan the target with fragmented packets, potentially allowing it to bypass simple security mechanisms.

2. --mtu <value> (Set Maximum Transmission Unit)

The --mtu option lets you choose the fragment data size yourself instead of the default 8-byte chunks. The value must be a multiple of eight, because IPv4 fragment offsets are expressed in 8-byte units.

Example Command:

nmap --mtu 16 <target>

This command tells Nmap to use 16-byte fragments (16 bytes of data after the IP header per fragment). The value applies only to the probes Nmap builds; it does not change the interface MTU.

Combining Fragmentation with Other Scan Types

Fragmentation scanning can be combined with other Nmap options for stealthier reconnaissance:

SYN Scan with Fragmentation

A SYN scan (-sS) with packet fragmentation:

nmap -sS -f <target>

This sends fragmented TCP SYN packets, helping avoid detection by some security tools.

OS Detection with Fragmentation

You can combine fragmentation with OS detection (-O) for stealthy fingerprinting:

nmap -O -f <target>

This technique helps in identifying the OS of a target while reducing the risk of detection.

Fragmented Service Version Detection

Using -sV along with fragmentation helps obscure version probing attempts:

nmap -sV -f <target>

This command scans for open ports and services while evading some filtering mechanisms.

Limitations and Risks of Fragmentation Scanning

While fragmentation scanning is effective, it has limitations and risks:

  1. Not Always Effective – Some advanced firewalls and IDS solutions are designed to reassemble fragmented packets before analysis, neutralizing the benefits of fragmentation.
  2. Slower Scan Performance – Fragmenting packets increases latency as each packet must be reassembled on the receiving end before processing.
  3. Detection by Advanced Security Systems – Some network monitoring tools and intrusion detection systems (like Snort, Suricata, or Zeek) specifically look for fragmented scanning attempts.
  4. Potential for Scan Failure – If packets are fragmented excessively (with a very low MTU), they might be dropped or improperly reassembled, leading to incomplete scan results.

Defenses Against Fragmentation Scans

To counteract fragmentation-based evasion techniques, security administrators can take the following measures:

  • Enable IDS/IPS Fragmentation Reassembly: Security appliances should be configured to reassemble fragmented packets before analysis.
  • Set Firewall Rules to Detect Unusually Small Packets: Many firewalls can block initial fragments that are too small to carry a complete transport-layer header, which is exactly what -f and a low --mtu produce.
  • Monitor for Unusual Network Traffic Patterns: Tools like Suricata, Zeek, or Snort can flag fragmented packet sequences.
  • Use Active Defense Mechanisms: Deploying honeypots or network deception tools can help detect and respond to suspicious fragmentation scans.
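The detection logic behind the "unusually small packets" and "monitor fragmented sequences" measures above, as an added example that is not part of the original article: it parses raw IPv4 headers, groups fragments by (source, destination, IP id, protocol), and raises an alert when the first fragment of a TCP datagram is shorter than a full 20-byte TCP header. The sample packets are constructed inline to mirror what -f produces (a SYN split into 8-byte fragments); the same rule also catches fragments from any --mtu value below 24.

```python
import struct
from collections import defaultdict

TCP_HEADER_LEN = 20  # minimal TCP header; a first fragment shorter than this hides the flags byte

def parse_ipv4(pkt):
    """Extract the fields a fragment detector needs from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "id": ident,
        "proto": pkt[9],
        "more": bool(flags_off & 0x2000),      # MF flag: more fragments follow
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset is stored in 8-byte units
        "payload_len": total_len - ihl,
    }

def detect_tiny_fragments(packets):
    """Return (src, dst, id, fragment_count, first_payload_len) for each suspicious TCP datagram."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        if f["more"] or f["offset"]:            # unfragmented packets are ignored
            groups[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    alerts = []
    for (src, dst, ident, proto), frags in groups.items():
        first = [f for f in frags if f["offset"] == 0]
        if proto == 6 and first and first[0]["payload_len"] < TCP_HEADER_LEN:
            alerts.append((src, dst, ident, len(frags), first[0]["payload_len"]))
    return alerts

def make_fragment(src, dst, ident, offset, more, payload):
    """Build a minimal IPv4 datagram (checksum left zero) carrying one fragment of a TCP segment."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload

# Constructed sample: a 20-byte TCP SYN (src port 40000 -> port 22) split into 8-byte fragments
# the way `nmap -f` does, plus the same SYN sent whole for comparison. Addresses are made up.
SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
FRAGMENTED_SYN = [make_fragment("10.0.0.5", "10.0.0.9", 0x1234, o, o + 8 < len(SYN), SYN[o:o + 8])
                  for o in range(0, len(SYN), 8)]
WHOLE_SYN = [make_fragment("10.0.0.5", "10.0.0.9", 0x1235, 0, False, SYN)]

if __name__ == "__main__":
    for a in detect_tiny_fragments(FRAGMENTED_SYN + WHOLE_SYN):
        print("tiny-fragment TCP probe %s -> %s id=0x%04x fragments=%d first_payload=%d bytes" % a)
```

The flags byte of the SYN lands in the second fragment, so a filter that only inspects the first fragment never sees it; that is the gap this check closes.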

Real-World Applications of Fragmentation Scans

1. Penetration Testing

Ethical hackers use fragmentation scans to test how well a network’s firewall and IDS handle fragmented traffic.

2. Red Team Operations

Adversary simulation teams use fragmentation scanning to perform stealthy reconnaissance before executing an attack.

3. Network Security Audits

Security analysts use fragmentation scanning to identify weaknesses in firewall configurations and IDS setups.

Conclusion

Fragmentation scanning with Nmap (-f and --mtu) is a valuable technique for bypassing firewalls and intrusion detection systems during penetration testing and security audits. While effective in some cases, modern security defenses have evolved to detect and mitigate these tactics. Ethical hackers and security professionals should use fragmentation scans responsibly and in compliance with legal and ethical guidelines.

Understanding how fragmentation scans work helps security teams both offensively (for testing) and defensively (for securing networks). By implementing proper detection mechanisms and monitoring, organizations can protect their networks against these evasion techniques.