Nmap Development mailing list archives

how to scan hosts protected by reactive firewall/ips?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Wed, 12 May 2010 16:28:48 +0000

Hi

I have 10 hosts on the same network protected by a very hostile and
reactive firewall/IPS; consequently, when I try to scan them I get:

All 1000 scanned ports on XXX-YYY-ZZZ-AAA.host.com (XXX.YYY.ZZZ.AAA) are filtered
Too many fingerprints match this host to give specific OS details

It happened on all the hosts, while this one in particular has at
least a web server on ports 80 and 443, because I can connect with
Firefox.

I tried to use -D (Decoy) with 7 hosts, but I got the same results.
Should that not happen? Can not all hosts be used as a decoy? For example,
www.microsoft.com?

I also tried "--scan-delay 2 -randomize-hosts --max-rate 5" and I got
the same problem.

What values do you generally use for --scan-delay? And for --max-rate?

Is the value of --scan-delay in seconds?

For the basic scan I'm using the methods "-PN -sV -sC -O".

Please advise me on other techniques.

Thank you