Nmap Development mailing list archives

Re: Please Comment: General Host Input Option


From: Ron <ron () skullsecurity net>
Date: Sun, 25 Jan 2009 21:18:50 -0600

Cory K. Walker wrote:
> The reason I would want to specify a list of decoys over random ones is
> this.
>
> Random decoys might not have the properties that an attacker would want.
> Instead, the attacker may seek a higher-quality list of decoys that are
> known to - for example - reply to a ping.  That way, if the defender
> investigates the scan and all source addresses reply (or otherwise behave
> uniformly) then it might be more difficult for the defender to ultimately
> determine the true source of the attack.  Perhaps the attacker wants all of
> his decoys to look like a bunch of Windows Server 2008 machines and
> therefore confuse the defender into thinking a new virus or other robot
> program is responsible for the scan.
>
> I imagine the use case for this feature would be the following:
>
> The attacker spends a substantial amount of time collecting a list of
> desired decoys as a prerequisite to the scan.  After this list is compiled
> then the scan is launched against the target using a more-convenient "-DL
> decoys.txt" syntax instead of "-D IP_1,IP_2,...,IP_N".

Simulating a worm, eh? That's actually an interesting idea!

Ron

-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

