Learn nmap bad checksum

 josh
(@josh)

In Nmap, the --badsum option is a clever and stealthy technique used to test how network devices handle malformed packets—specifically, packets with invalid checksums.


🧪 What Is a Bad Checksum?

A checksum is a value used to verify the integrity of data in a network packet. When a packet is sent, a checksum is calculated and included. The receiving system recalculates the checksum and compares it to the original. If they don’t match, the packet is considered corrupted and usually discarded.


🎯 What Does --badsum Do in Nmap?

The --badsum option tells Nmap to intentionally generate packets with incorrect checksums. These packets should be dropped by any properly functioning TCP/IP stack. However, if a device responds to them, it may indicate:

  • A firewall or intrusion detection system (IDS) that doesn’t validate checksums.
  • A misconfigured or vulnerable host that processes malformed packets.

🔧 Example Command:

nmap --badsum 192.168.1.1

This sends packets with bad checksums to the target IP. If you get a response, it’s likely from a firewall or device that mishandles packet validation.


🛡️ Use Cases

  • Firewall Evasion: Some firewalls may log or respond to malformed packets, revealing their presence.
  • Security Testing: Helps identify weak or misconfigured network defenses.
  • Network Diagnostics: Useful for understanding how devices handle corrupted traffic.

⚠️ Important Notes

  • Use --badsum only in controlled environments or with explicit permission, as it may be flagged as malicious activity.
  • Not all systems will respond, and many modern devices correctly discard bad packets.
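The receiver-side check described under "What Is a Bad Checksum?", as an added example that is not part of the original post: it computes the RFC 1071 Internet checksum over a TCP header plus the IPv4 pseudo-header and shows why a conforming stack drops a segment whose checksum does not verify. The addresses, ports and the single-bit corruption are constructed sample values and are not taken from Nmap's implementation; nothing is sent on the network.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_syn(src, dst, sport, dport, corrupt=False) -> bytes:
    """Constructed 20-byte TCP SYN header; corrupt=True flips one checksum bit."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 1024, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    if corrupt:
        csum ^= 0x0001
    # The checksum field occupies bytes 16-17 of the TCP header.
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: summing over the stored checksum must give 0."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

SRC, DST = "192.168.1.10", "192.168.1.1"     # constructed sample addresses

if __name__ == "__main__":
    for label, corrupt in (("normal", False), ("bad checksum", True)):
        seg = build_syn(SRC, DST, 40000, 80, corrupt)
        verdict = "accept" if checksum_ok(SRC, DST, seg) else "drop"
        print(f"{label}: {verdict}")
```

A device that answers a segment failing this check is acting on the headers without validating the checksum, which is the behaviour the post says --badsum reveals.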

 


   