Learn TCP fragmented scan

Posted by josh (@josh), Member Admin, topic starter

Let’s break down the concept of a TCP Fragmented Scan—a stealthy technique used in network reconnaissance and penetration testing 🕵️‍♂️💻.


🌐 What Is a TCP Fragmented Scan?

A TCP Fragmented Scan is a port scan in which each TCP probe (normally a SYN) is not sent as one IP packet but split into several small IP fragments, so that no single fragment carries the complete TCP header. The goal is to evade firewalls and intrusion detection systems (IDS) that decide per packet, based on the transport-layer header they find after the IP header.


🧠 Why Fragment Packets?

A stateless packet filter or a signature-based IDS judges each packet by the TCP header that follows the IP header. If that 20-byte header is spread over three 8-byte fragments, the destination port lands in the first fragment and the flags in the second, so a rule such as "SYN to port 22" never matches any single packet. Fragmenting therefore lets the scanner:

  • Get past devices that inspect packets one at a time instead of reassembling them first
  • Avoid signature-based IDS rules that need the whole TCP header in one packet
  • Slip through firewalls that pass non-initial fragments without inspection

🧱 How It Works

Here’s a simplified breakdown:

  1. Fragmentation: The IP packet carrying the TCP probe (usually a SYN) is split into several IP fragments; with 8-byte fragments the 20-byte TCP header alone spans three of them.
  2. Transmission: The fragments are sent separately; a filter that judges each one on its own finds no complete TCP header in any of them.
  3. Reassembly: The target's IP stack reassembles the fragments into the original packet and answers as it would to a normal SYN (SYN/ACK for an open port, RST for a closed one).
  4. Detection: The scanner interprets the response to determine if the port is open, closed, or filtered.

🛠️ Tools That Support TCP Fragmented Scans

  • nmap: popular network scanner with built-in fragmentation options (-f, --mtu)
  • hping3: packet crafting tool for custom scans
  • Scapy: Python-based packet manipulation tool

Example with Nmap:

nmap -f <target-ip>
  • -f tells Nmap to split each probe into IP fragments carrying 8 bytes of data after the IP header, so the TCP header is spread over several packets; give it twice (-ff) for 16 bytes per fragment.
  • You can also use --mtu to set your own fragment data size. The value must be a multiple of 8, and it is used instead of -f, not together with it:
nmap --mtu 24 <target-ip>

🔍 Use Cases

  • Stealth scanning in environments with strict monitoring
  • Bypassing stateless firewalls that filter standard scans by port on a per-packet basis
  • Evading IDS/IPS that don't reassemble fragmented packets before matching rules

⚠️ Limitations & Risks

  • Not foolproof: Any IDS/IPS or stateful firewall that reassembles fragments before inspection sees the same SYN it would have seen unfragmented.
  • Slower and less reliable: Every probe becomes several packets, any of which may be dropped, and many networks drop fragments outright, so scans take longer and results are noisier.
  • Your own host may undo it: Some operating systems reassemble outgoing fragments in the kernel (Linux with the iptables connection tracking module is one example), so confirm with a packet capture that fragments actually leave the machine.
  • May trigger alerts: Tiny fragments with a split TCP header are themselves a well-known signature.
  • Legal concerns: Always get permission before scanning networks you don't own.

🧪 Detection & Defense

To defend against fragmented scans:

  • Use IDS/IPS systems that reassemble fragments before applying rules (e.g., Snort's frag3 preprocessor, Suricata's defrag engine)
  • Have the firewall reassemble fragments before filtering, or drop fragments it cannot inspect; dropping all fragments is the blunt option and can break legitimate traffic
  • Monitor for unusual fragmentation patterns, such as first fragments too small to hold a full TCP header, overlapping fragments, or bursts of tiny fragments from one source
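The following is an added example, not code from the original post and not Nmap's own implementation. It models in pure Python (no raw sockets, nothing is transmitted) what the "How It Works" and "Detection & Defense" sections describe: a TCP SYN is wrapped in an IPv4 header and cut into 8-byte fragments the way nmap -f does, a per-packet filter looking for "SYN to port 22" is shown to miss it, a small reassembler in the spirit of the Snort/Suricata defrag engines recovers the SYN in any arrival order, and an RFC 1858-style check flags the tiny first fragment. The addresses, ports and IP ID are made up, and the IP and TCP checksums are left at zero because the packets never hit the wire.

```python
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

IP_MF = 0x2000            # IPv4 "More Fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset field, counted in 8-byte units
TCP_SYN = 0x02
Key = Tuple[str, str, int]  # (src, dst, IP ID) identifies one datagram

def build_tcp_syn(sport: int, dport: int, seq: int = 0x1000) -> bytes:
    # 20-byte TCP header, SYN only, window 1024; checksum 0 since nothing is sent
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | TCP_SYN, 1024, 0, 0)

def build_ipv4(src: str, dst: str, payload: bytes, ident: int, frag_field: int = 0) -> bytes:
    # IPv4 header, no options, checksum 0; frag_field = flags | (byte offset // 8)
    addrs = bytes(int(o) for o in (src + "." + dst).split("."))
    return struct.pack("!BBHHHBBH8s", 0x45, 0, 20 + len(payload), ident,
                       frag_field, 64, 6, 0, addrs) + payload

def fragment(src: str, dst: str, payload: bytes, ident: int, frag_size: int = 8) -> List[bytes]:
    # frag_size bytes of payload per fragment: 8 is nmap -f, 16 is -ff, N is --mtu N
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment payload size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        more = IP_MF if off + frag_size < len(payload) else 0
        frags.append(build_ipv4(src, dst, payload[off:off + frag_size], ident, more | (off // 8)))
    return frags

class Frag(NamedTuple):
    key: Key
    offset: int   # byte offset of this piece within the original payload
    more: bool
    proto: int
    data: bytes

def parse_ipv4(pkt: bytes) -> Frag:
    vihl, _, tot, ident, ff, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    key = (".".join(map(str, s)), ".".join(map(str, d)), ident)
    return Frag(key, (ff & IP_OFFSET_MASK) * 8, bool(ff & IP_MF), proto, pkt[(vihl & 0x0F) * 4:tot])

def stateless_syn_match(pkt: bytes, watched_port: int) -> bool:
    # Signature "TCP SYN to watched_port" judged one packet at a time: it needs
    # all 20 TCP header bytes in this very packet, which is what -f denies it.
    f = parse_ipv4(pkt)
    if f.proto != 6 or f.offset != 0 or len(f.data) < 20:
        return False
    dport = struct.unpack("!H", f.data[2:4])[0]
    return dport == watched_port and (f.data[13] & TCP_SYN) != 0

class Reassembler:
    # Stateful reassembly in the spirit of Snort frag3 / Suricata defrag: buffer
    # pieces per datagram and release the payload once it is complete, any order.
    def __init__(self) -> None:
        self.pieces: Dict[Key, Dict[int, bytes]] = {}
        self.total: Dict[Key, int] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        f = parse_ipv4(pkt)
        if f.offset == 0 and not f.more:
            return f.data                       # not fragmented at all
        pieces = self.pieces.setdefault(f.key, {})
        pieces[f.offset] = f.data
        if not f.more:
            self.total[f.key] = f.offset + len(f.data)
        if f.key not in self.total:
            return None                         # last fragment not seen yet
        covered = 0
        for off in sorted(pieces):              # any hole -> keep waiting
            if off > covered:
                return None
            covered = max(covered, off + len(pieces[off]))
        total = self.total.pop(f.key)
        buf = bytearray(total)
        for off, data in self.pieces.pop(f.key).items():
            buf[off:off + len(data)] = data[:total - off]
        return bytes(buf)

def tiny_fragment_alerts(pkts: List[bytes], min_first: int = 20) -> List[str]:
    # RFC 1858-style check: a TCP first fragment too short for the whole TCP
    # header means port/flags were pushed into later fragments; no normal MTU does that
    alerts = []
    for f in map(parse_ipv4, pkts):
        if f.proto == 6 and f.offset == 0 and f.more and len(f.data) < min_first:
            alerts.append("tiny first fragment id=0x%04x %s->%s (%d bytes)"
                          % (f.key[2], f.key[0], f.key[1], len(f.data)))
    return alerts

def demo(frag_size: int = 8) -> dict:
    # Constructed sample: SYN 10.0.0.5:40000 -> 10.0.0.9:22 (made-up addresses),
    # sent whole and sent as nmap -f style fragments (8-byte payload by default)
    syn = build_tcp_syn(40000, 22)
    whole = build_ipv4("10.0.0.5", "10.0.0.9", syn, 0x4E6D)
    frags = fragment("10.0.0.5", "10.0.0.9", syn, 0x4E6D, frag_size)
    rebuilt = next(filter(None, map(Reassembler().feed, frags)), None)
    return {"fragments": len(frags),
            "stateless_sees_whole": stateless_syn_match(whole, 22),
            "stateless_sees_fragments": any(stateless_syn_match(p, 22) for p in frags),
            "reassembled_ok": rebuilt == syn,
            "tiny_alerts": tiny_fragment_alerts(frags)}
```

Running demo(8) gives three fragments that the per-packet filter never matches while the reassembler rebuilds the exact SYN and the tiny-fragment check raises one alert; demo(24) shows the flip side: a 24-byte fragment holds the whole 20-byte TCP header, so a bare SYN is not fragmented at all and the filter sees it directly. The reassembler here uses last-writer-wins on overlaps; real stacks differ in that policy, which is why production defrag engines model the target OS.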