Nmap Announce mailing list archives
Re: NMAP guide
From: Fyodor <fyodor () dhp com>
Date: Tue, 6 Apr 1999 03:30:05 -0400 (EDT)
On Mon, 5 Apr 1999, Max Vision wrote:
> http://www.whitehats.com/nmap/ (It looks like a good spoofing effort is made but there is a give-away)
I suggest people take a look at this page -- it contains a packet by packet analysis of what nmap is doing during a typical decoy SYN and OS scan. The page also argues that nmap decoy scans are detectable when used with -sS because nmap doesn't spoof RST packets from the decoys in response to the SYN|ACK packets received from open ports of the target host.

People are urged to check out the page and see if they can spot the problem with the paper on their own. If you are having trouble, here is a hint: He broke one of the cardinal rules of decoy scanning. If you still aren't sure, carefully reread the -D section of the nmap man page:

-D <hostname or IP address>
Causes a decoy scan to be performed which makes it appear to the remote host that the host you specify is scanning the target network. You can use this option numerous times to make it appear that many different machines are scanning the target addresses. Then even if the administrators do detect your stealth scan, they will see 5 or 10 of them and will not have any idea which of the hosts were actually scanning them and which were decoys.

Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network.

Also note that some (stupid) "port scan detectors" will firewall/deny routing to hosts that attempt port scans. Thus you might inadvertently cause the machine you scan to lose connectivity with the decoy machines you are using. This could cause the target machines major problems if the decoy is, say, its internet gateway or even "localhost". Thus you might want to be careful of this option. The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them!

This option is only available for FIN, SYN, Xmas, and ICMP ping scans.
Cheers,
Fyodor

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Like medieval peasants, computer manufacturers and millions of users are locked in a seemingly eternal lease with their evil landlord, who comes around every two years to collect billions of dollars of taxes in return for mediocre services. --Mark Harris, Electronics Times
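As an added example, not part of this thread or of nmap, here is a small Python model of the "who answered the SYN|ACK with a RST?" heuristic the whitehats page relies on, applied to a constructed packet trace as seen from the target. It shows why the man page's rule that decoys must be up defeats the heuristic: any live host that receives an unsolicited SYN|ACK replies with a RST, so the real scanner only stands out when a decoy is down. All addresses are constructed.

```python
from collections import defaultdict

TARGET = "10.0.0.5"  # constructed target address; records are (src, dst, tcp_flags)


def candidate_scanners(packets, target):
    """Apply the detector's heuristic: an apparent scanner is a source that sent a SYN
    to the target and later answered the target's SYN|ACK with a RST.  The heuristic
    assumes only the real scanning host's TCP stack sees the SYN|ACK and responds."""
    sent_syn = defaultdict(int)   # source -> number of SYNs it sent to the target
    got_synack = set()            # sources the target answered with SYN|ACK
    sent_rst = set()              # sources that replied to that SYN|ACK with RST
    for src, dst, flags in packets:
        if dst == target and flags == "S":
            sent_syn[src] += 1
        elif src == target and flags == "SA":
            got_synack.add(dst)
        elif dst == target and flags == "R" and src in got_synack:
            sent_rst.add(src)
    return {host for host in sent_syn if host in sent_rst}


def simulate_decoy_scan(real, decoys, target, decoys_up):
    """Construct the trace for one open port on the target during a decoy SYN scan.
    Every apparent source (real host plus decoys) sends a SYN; the target answers each
    with SYN|ACK; the scanner's own kernel and every *live* decoy kernel then reply
    with RST, because a SYN|ACK for a connection they never opened is rejected (RFC 793).
    Decoys that are down never reply, which is the give-away the detector keys on."""
    packets = []
    for src in [real] + list(decoys):
        packets.append((src, target, "S"))
        packets.append((target, src, "SA"))
        if src == real or src in decoys_up:
            packets.append((src, target, "R"))
    return packets


def unmasked_scanner(real, decoys, target, decoys_up):
    """Return the real scanner if the heuristic singles it out, else None (ambiguous)."""
    found = candidate_scanners(simulate_decoy_scan(real, decoys, target, decoys_up), target)
    return real if found == {real} else None


if __name__ == "__main__":
    real, decoys = "192.0.2.10", ["192.0.2.20", "192.0.2.30"]
    print("all decoys up:   ", unmasked_scanner(real, decoys, TARGET, set(decoys)))
    print("all decoys down: ", unmasked_scanner(real, decoys, TARGET, set()))
```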