Nmap Announce mailing list archives

Re: fooling nmap


From: Vanja Hrustic <vanja () relaygroup com>
Date: Fri, 11 Feb 2000 17:21:24 +0700

Bep Verberk wrote:
> BTW, anyone working on an ID tool that fingerprints nmap ?  Something that
> would identify an nmap scan, the type of scan, the version of nmap, the OS the
> scan was run from, etc.

Well, snort can recognize nMap scans (and if you use portscan
preprocessor, it will recognize much more), but to identify nMap version
and OS... hmmm... I doubt that you can easily do it. To recognize nMap
version, one would need to know if Fyodor has changed things (related to
scanning itself, like packet load, etc.) in certain versions of nMap -
Fyodor might help with this. But to recognize OS, one would need to do
an nMap scan against the scanning host :) And that topic always brings a
thread that talks about 'legality' of counter-scan, etc, etc :)

Snort is available at http://www.clark.net/~roesch/security.html

Check it (if you haven't already) - it's *lovely* :))) 

IPLog can also recognize nMap scans, and OS fingerprinting. IPlog will
start sending bogus packets back to the scanning host when it encounters
OS fingerprinting, and it is supposed to do the same when it encounters
SYN scans (didn't work for me). I've tried the OS fingerprinting
'fooling' - works very well :)

IPLog is available at http://ojnk.sourceforge.net/

-- 

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
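
An added example, not part of the original post and not Snort's or IPLog's code: a minimal sketch of the two kinds of recognition the message mentions, flagging a source that sweeps many ports with bare SYNs and flagging the abnormal TCP flag combinations that stealth scans and OS-fingerprint probes rely on. The function names, the thresholds and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

# Flag combinations a normal TCP stack does not send; stealth scans and
# OS-fingerprint probes use them to provoke stack-specific replies.
ODD_FLAGS = {
    0: "NULL probe",
    FIN: "FIN probe",
    FIN | PSH | URG: "Xmas probe",
    SYN | FIN: "SYN+FIN probe",
    SYN | FIN | PSH | URG: "SYN+FIN+PSH+URG probe",
}

def classify(flags):
    """Label an abnormal flag combination; None for ordinary traffic."""
    return ODD_FLAGS.get(flags & 0x3F)

def detect(packets, window=3.0, port_threshold=5):
    """packets: time-ordered (timestamp, src_ip, dst_port, tcp_flags) tuples.
    Returns {src_ip: set of findings}. Thresholds are assumed values."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # src -> [(ts, port)] of bare SYNs in the window
    for ts, src, port, flags in packets:
        label = classify(flags)
        if label:
            findings[src].add(label)
        if (flags & 0x3F) == SYN:
            hits = [(t, p) for t, p in recent[src] if ts - t <= window]
            hits.append((ts, port))
            recent[src] = hits
            if len({p for _, p in hits}) >= port_threshold:
                findings[src].add("SYN port sweep")
    return dict(findings)

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    (0.00, "192.0.2.10", 21, SYN), (0.05, "192.0.2.10", 22, SYN),
    (0.10, "192.0.2.10", 23, SYN), (0.15, "192.0.2.10", 25, SYN),
    (0.20, "192.0.2.10", 80, SYN), (0.50, "192.0.2.10", 80, 0),
    (0.55, "192.0.2.10", 80, SYN | FIN | PSH | URG),
    (0.60, "192.0.2.10", 1, FIN | PSH | URG),
    (1.00, "198.51.100.7", 80, SYN), (1.10, "198.51.100.7", 80, ACK),
    (9.00, "198.51.100.7", 443, SYN),
]

if __name__ == "__main__":
    for src, labels in detect(SAMPLE).items():
        print(src, sorted(labels))
```

The second source in the sample opens two connections six seconds apart and is not reported, which shows why the sweep check counts distinct ports inside a time window rather than over the whole capture.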

