[Howto] Installing Nemesis on Ubuntu Linux

Ok. Nemesis is a very powerful Packet Crafting/Injection tool for Unix based systems. I have heard that ALLEGEDLY it can be installed/ran on Windows also, ailment but never felt like trying, as I do not use Windows nor is Windows much good for ANYTHING to do with sockets.

Nemesis is similar to tools like “hping” in that you can customize the packet you want to send, and send it. Very useful for playing with low level protocols, and incredible if you want to learn more about the network layer stuff.

For more information on Nemesis, prostate you can always check out the following links…




SO. How do I get Nemesis to work on Ubuntu and such?

Well, most distributions do not have it in their repositories it seems, and just because it is easy to do, let’s compile it from source.

Step One: Install Dependancies

First off we need to install the dependancies it has, so the following two commands should do the trick.

apt-get install libdnet-dev
apt-get install libpcap-dev

No screenshot should be needed here I hope…

Step Two: Install “libnet” to the /usr directory.

Now for convenience, I do my installation in the /usr directory. Don’t ask why, it just seemed right at the time.

The following commands should do this easily for you…

The first three are “preparing the build area”

cd /usr
mkdir nembuild
cd nembuild

The next three are “getting the sources and unpacking them”
wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
tar -xf libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a

The next commands “configure” and make + make install the Libnet libraries.
make && make install

Installing Libnet

So. Now that we have successfully installed Libnet (if you get some wierd errors, leave a comment and I can try help you) we can go on and install Nemesis!

Step Three: Installing Nemesis

So. This is the fun part – where we get to finally install Nemesis.

Assuming you are still in the directory “/usr/nembuild/Libnet-1.0.2a”, just “cd ..”.

Otherwise, “cd /usr/nembuild” so we are all on the same page!

So. Lets prepare our “Environment” for the Nemesis installation by getting and unpacking the sources! The following commands should do it…

wget http://heanet.dl.sourceforge.net/project/nemesis/nemesis/1.4/nemesis-1.4.tar.gz
tar -xf nemesis-1.4.tar.gz
cd nemesis-1.4
Preparing to install Nemesis

So, thats everything prepared. Now for the tricky bit – making it build properly.

Note that I used very specific paths for this – this is because we HAVE to specify THESE libnet libraries!

Now for the next commands…

./configure —with-libnet-includes=/usr/nembuild/Libnet-1.0.2a/include —with-libnet-libraries=/usr/nembuild/Libnet-1.0.2a/lib
make && make install


Installing Nemesis

There we go! Now for usage and such, “man nemesis” is a good place to start – they don’t make those man pages for nothing you know!

Finally, to wrap up, a screenshot of Nemesis!

Nemesis - Screenshot

Nmap – Basic IDS/Firewall Evasion Techniques

This post is a snippet from a Wiki article I am writing for http://blackhatacademy.org and is nowhere NEAR like the full thing. Keep an eye on BHA – when they reopen there will be all kinds of badassery available :D

Now this article was designed to show the BASICS of IDS/IPS/Firewall evasion using nmap. Not covering Idle/ACK and other scans yet – this is kind of a crash course into several methods.

Evasion and Stealth Techniques

Decoy Scanning Decoy Scanning is a very simple technique nmap can use for obfusticating the original source IP address of a port scan. Essentially it sends some of the probes from spoofed IP addresses that the user specify, decease in the hopes that they “mask” the users true IP address in the targets log files. Remember – the users IP will still be in the logs!

  • Example usage:
    • root@bha:~# nmap -sS -sV -Dmicrosoft.com,github.com,fbi.gov,nsa.gov,google.com target.tld

This would launch a “Stealth SYN” scan with Version Fingerprinting against “target.tld”, masquerading as microsoft.com, fbi.gov, nsa.gov and google.com. Note how the decoys are used in the string: -D[Decoy1],[Decoy2] – a comma seperated list. This is the correct way to structure your decoy lists.

Now, this tactic has several glaring issues.

The users are most likely on a DSL or Cable line. This means the users IP address is going to stand out like a sore thumb as it resolves to a cable/DSL provider and NOT a large corporate/government network. So, if the user ais going to scan using Decoys, they make sure to use IP addresses from similar “internet demographics” as them. I.E: If scanning from a Cable/DSL connection, a users decoy bounces should also be DSL/Cable connections.

The other issue with Decoy scanning is that if the users Decoy’s are not, in fact, online/up, the user may accidentally hoze their target. One method that has been used with success is to quickly scan a few ranges known to have home/DSL lines on them, and use the ones that are “up” as decoys.



Some firewalls and IDS systems can be evaded by the correct use of packet fragmentation. Essentially this means “splitting” your packets in an attempt to disguise your traffic. It is a somewhat-decent method when combined with other techniques, however it has been known to slow the scan down somewhat.

  • The following scan string is an example:
    • root@bha:~# nmap -sS -sV -f target.tld

This would fragment the packets sent to target.tld to some degree, and for finer grained control over the packet fragmentation you may manually set the MTU value using the —mtu <value> arguement. It is advised to experiment with this in order to find optimal settings for your scanning.

The MTU must be a multiple of 8 (i.e. a legitimate MTU value) for this to work. Otherwise nmap will just throw an error and exit.

Essentially this technique hopes that IDS/switches/firewalls will not do a great job of reassembling the packets sent, and allow “evil” packets through the filters where they are reassembled and interpreted/replied to by the target system.


Data Length

Some firewall/IDS systems either log, or block, the packets sent by nmap for obvious reasons. One common way to “signature” nmap packets is the default data length, so in order to bypass filters and evade IDS systems, you can specify your own data length for the packets using the —data-length=<value> arguement.

  • The following scan string is an example:
    • root@bha:~# nmap -sS -sV —data-length=1337 target.tld

This would scan “target.tld” with packets of “length” 1337. Effectively this technique adds extra “padding” to the packet, making it look less like a scan-packet and more like a legitimate packet.



NOTE: Timing can be seen as both evasion AND/OR performance related. Staff have no doubt this will cause multiple EDITS so just leave it as-is unless you have a VERY valid reason to edit.

Timing your scans is an excellent way to lower the detection threshold you have. Fast, noisy scans tend to get detected instantly, wheras if the same scan was done incredibly slowly, it has a much smaller chance of detection.

The timing flag works like so: -T<value> where value is 0-5. There are also “key words” you can use like -T aggressive, etc. The key words are paranoid, sneaky, polite, aggressive, insane. They basically do what they say.

  • The following scan string is an example:
    • root@bha:~# nmap -sS -sV -T1 target.tld

This would launch a scan (an incredibly slow one) against target.tld. Remember, slow and sneaky is generally a lot better than loud and fast!

General Evasion Tips:

1. Do several “Scans” of the target. Break your scans up into chunks of “ports of interest”, for example, if you wanted to map out 25 ports on a target server, break them into groups of 5 and scan each group individually with delays between the scans.

2. Layer your source-obfustication techniques. Use both decoys and timing, along with fragmentation, extra “padding”, etc. The more “layers” of hiding the better.
The following scan string is an example:

  • root@bha:~# nmap -Dmicrosoft.com,github.com,fbi.gov,nsa.gov,google.com -sS -sV -T1 -f —mtu=24 —data-length=1227 target.tld
  • The above scan string would use decoys, scan EXTREMELY slowly, fragment the packets, and add padding to them to try make them look more legit.

3. While you should keep your scans slow, you should also keep your “scan time” to a minimum. Break the scan up into several smaller jobs.

Finally, remember: Do not scan any networks you do not own. The information here is so people can see HOW IDS/IPS are evaded for use in pentests or so they can try write IDS/IPS rules to detect these :)