Manually Modifying Scan Packets with Nmap

Learn how to manually modify scan packets with Nmap, a powerful tool for network discovery and security auditing.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  5 minute read  

Nmap (Network Mapper) is widely recognized as one of the most powerful open-source tools for network discovery and security auditing. While many users are familiar with Nmap’s standard options—like scanning a target for open ports, running OS detection, or performing service enumeration—fewer delve into its capabilities for manual packet crafting. Yet, this lesser-known feature gives experienced users unparalleled control over how packets are sent and received, making it an invaluable technique for advanced reconnaissance, firewall evasion, and network behavior testing.

In this article, we’ll explore what it means to manually modify scan packets with Nmap, why you might want to do it, the available options, and practical scenarios for leveraging these features.

Why Modify Packets Manually?

In most typical use cases, Nmap chooses packet parameters like IP TTL (Time to Live), source port, TCP flags, and window size for you. These defaults work well for general scans, but in some scenarios, you might need finer control:

  • Evading detection systems (e.g., intrusion detection/prevention systems or firewalls).
  • Testing firewall rules or packet filtering behavior.
  • Fingerprinting obscure or custom network stacks.
  • Masquerading traffic to appear like a specific operating system or tool.
  • Debugging and learning how different systems react to different packet configurations.

Nmap Packet Structure Overview

Before diving into modification, it’s useful to understand the basic structure of the packets that Nmap sends. Depending on the scan type (e.g., SYN, ACK, UDP), packets can include the following layers:

  • IP Layer: Contains the source/destination IP address, TTL, and protocol.
  • Transport Layer: TCP/UDP headers with source/destination ports, sequence numbers, flags (SYN, ACK, RST, etc.), and window size.
  • Application Layer (Optional): Includes data payloads for protocols like DNS, HTTP, SMB, etc.

Nmap allows you to tweak many of these layers using command-line flags, offering a way to create “custom” scan traffic.

Key Nmap Options for Packet Modification

Let’s take a closer look at the main options that Nmap provides for modifying scan packets manually.

1. --data-length <num>

This option lets you append random data to the end of probe packets, increasing their size.

nmap --data-length 50 192.168.1.1

Useful for:

  • Evading basic intrusion detection that expects standard packet sizes.
  • Observing MTU handling or fragmentation behavior.

2. --ip-options <options>

Allows you to add custom IP options, such as security labels or routing instructions. Note that many systems ignore or drop packets with these options.

Example:

nmap --ip-options "RR" 192.168.1.1

This sends a packet with the IP Record Route option (useful to trace hops taken).

3. --ttl <value>

Sets a custom Time to Live (TTL) for probe packets.

nmap --ttl 42 192.168.1.1

Use cases:

  • Bypassing TTL-based filters.
  • Detecting hop-based packet filtering or middleboxes.
  • Mimicking another OS’s TTL behavior for evasion or impersonation.

4. --spoof-mac <MAC address|prefix|vendor>

Spoofs the MAC address of the scanning machine.

nmap --spoof-mac Apple 192.168.1.1

Or with a custom MAC:

nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1

Use cases:

  • Simulating specific devices (e.g., phones, routers).
  • Evading MAC-based access controls.

5. --source-port <port>

Forces Nmap to use a specific source port for outgoing packets.

nmap --source-port 53 192.168.1.1

Useful for:

  • Bypassing firewalls that allow DNS or HTTP outbound traffic.
  • Testing firewall rules based on source ports.

6. --mtu <size>

Sets a custom Maximum Transmission Unit for probe packets, often used for packet fragmentation.

nmap --mtu 24 192.168.1.1

This breaks packets into small chunks, which may sneak past some packet inspection systems.

Note: Must be a multiple of 8.

7. --send-eth

Sends raw Ethernet frames instead of IP packets. This is helpful for low-level network manipulation or when IP spoofing is required.

nmap --send-eth 192.168.1.1

8. --badsum

Instructs Nmap to send packets with incorrect TCP/UDP checksums.

nmap --badsum 192.168.1.1

Most systems will silently drop bad packets, but if a target responds, it may indicate a non-standard or misconfigured stack—useful for fingerprinting.

9. --scanflags <flags>

Allows you to set custom TCP flags in probe packets. Flags include:

  • S (SYN)
  • A (ACK)
  • F (FIN)
  • R (RST)
  • P (PSH)
  • U (URG)
  • ECN, CWR (Explicit Congestion Notification)

Example:

nmap -sS --scanflags URGACKPSH 192.168.1.1

This sends a packet with URG, ACK, and PSH flags—common for stealth scans or for triggering unusual responses.

Combining Options: A Custom Crafted Scan

Let’s consider an advanced use case where you want to perform a stealthy, fragmented, OS-mimicking scan that tries to evade simple IDS rules.

nmap -sS --ttl 128 --source-port 53 --data-length 25 --scanflags SYNACK --mtu 32 --spoof-mac Cisco 192.168.1.1

Explanation:

  • -sS: SYN scan (stealthy).
  • --ttl 128: TTL to mimic Windows systems.
  • --source-port 53: Appears like DNS traffic.
  • --data-length 25: Pads packet with random data.
  • --scanflags SYNACK: May confuse IDS expecting SYN-only.
  • --mtu 32: Fragment packets.
  • --spoof-mac Cisco: Looks like a router or switch.

This type of scan would be useful in controlled lab environments for testing IDS/IPS responses or for red team activities (with permission).

Limitations and Considerations

While powerful, manually modifying scan packets with Nmap comes with caveats:

1. Permission Requirements

  • Raw packet features (e.g., --send-eth, --scanflags) require root privileges.
  • OS-level restrictions may block some features or require specific kernel modules.

2. Network Stability

  • Crafting malformed or suspicious packets can crash or destabilize some poorly configured systems.
  • Fragmentation and bad checksums may cause performance issues on target or intermediate devices.
  • Never use these techniques against systems you do not own or have explicit permission to test.
  • Penetration testing must follow ethical guidelines and local laws.

4. Detection Risks

  • While some techniques evade detection, others may raise red flags for advanced monitoring systems (e.g., Suricata or Zeek).
  • Custom packet scans may be logged as anomalies or attacks.

Conclusion

Manually modifying scan packets with Nmap elevates the tool from a general-purpose network scanner to a precision reconnaissance instrument. Whether you’re testing how firewalls respond to spoofed packets or crafting probes for evasion and analysis, these advanced features provide deep insight into target systems and network defenses.

However, with great power comes responsibility. Packet crafting should be used thoughtfully—preferably in test environments—unless you’re a professional engaged in sanctioned security assessments.

As you gain more experience with Nmap and packet structures, you’ll appreciate the flexibility and depth it offers. Keep experimenting, stay curious, and always scan responsibly.

Further Reading and Resources:


< Evading Detection with Slow Scans Using NmapAnalyzing Responses for Deeper Insights with Nmap >