Nmap Development mailing list archives
IDS evasion through --tcp-options (Was: Re: [nmap-svn] r34903 - nmap)
From: Jacek Wielemborek <d33tah () gmail com>
Date: Tue, 14 Jul 2015 11:47:49 +0200
On 14.07.2015 at 05:19, Daniel Miller wrote:
List,

Nmap's unique TCP signature has come up a couple of times in the past week. On Tuesday the 7th, a user on IRC wanted to know if Nmap could be fingerprinted based on the static order of the first 28 TCP ports scanned. In reply, I wrote a blog post [1] on how easy it is for IDS and related systems to detect Nmap scans. On Wednesday, Bernhard Thaler sent a patch to address one aspect of this (TCP Window size) [2].

The commit below does not change any functionality, but it makes it simple for a user to compile in different TCP Options that are set for raw TCP SYN packets, since this is another possible way that Nmap could be identified, at least in combination with other features. It is also good programming practice not to have "magic numbers," which extends to literal strings like this scattered throughout the code.

Hope you found this interesting!

Dan

[1] http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-they-hatin.html
[2] http://seclists.org/nmap-dev/2015/q3/52
Hello,

I like it! I played with your code a bit and implemented a --tcp-options command-line switch; the patch can be found in [1]. One can combine it with my evader.py script [2], which would generate a hex string that would mimic the sender's operating system preferences for TCP options. I know it's kludgy, but it's a proof of concept that could be used for better IDS evasion.

What do you think about this?

Cheers,
d33tah

[1] https://gist.github.com/d33tah/3f214bdea50f0ea420bf#file-tcp-options-patch
[2] https://gist.github.com/d33tah/3f214bdea50f0ea420bf#file-evader-py
Attachment: tcp-options.patch
Attachment: signature.asc (OpenPGP digital signature)
Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
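The thread above talks about two sides of the same coin: an IDS spotting Nmap by the option bytes in its raw SYN, and a script (evader.py) that produces an option string matching the sender's own OS so the SYN blends in. The following is an added example, written for this page and not code from the patch, evader.py or the Nmap tree. It encodes and decodes TCP SYN options and compares their layout the way p0f-style fingerprinting does. Everything in PROFILES is an assumption for illustration: the Linux and Windows layouts are typical textbook defaults rather than measurements, the "nmap" entry assumes a stock raw SYN carrying only an MSS option, and the hex output is only a guess at what a --tcp-options switch would accept.

```python
"""Build, decode and compare TCP SYN option layouts (added example, not Nmap code)."""
import struct

# Option kinds: RFC 793 (EOL, NOP, MSS), RFC 7323 (WS, TS), RFC 2018 (SACK-permitted).
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WS, KIND_SOK, KIND_TS = 0, 1, 2, 3, 4, 8

# Assumed SYN option layouts, in p0f's "mss,sok,ts,nop,ws" style.  Illustrative
# defaults only; a real evader would read them from the sender's own stack.
PROFILES = {
    "linux":   [("mss", 1460), ("sok",), ("ts", 0, 0), ("nop",), ("ws", 7)],
    "windows": [("mss", 1460), ("nop",), ("ws", 8), ("nop",), ("nop",), ("sok",)],
    "nmap":    [("mss", 1460)],   # assumption: stock raw SYN carries only an MSS
}


def encode_options(opts):
    """Serialize (name, *args) tuples to raw option bytes, EOL-padded to a 4-byte multiple."""
    out = bytearray()
    for opt in opts:
        name, args = opt[0], opt[1:]
        if name == "nop":
            out.append(KIND_NOP)
        elif name == "mss":
            out += struct.pack("!BBH", KIND_MSS, 4, args[0])
        elif name == "ws":
            out += struct.pack("!BBB", KIND_WS, 3, args[0])
        elif name == "sok":
            out += struct.pack("!BB", KIND_SOK, 2)
        elif name == "ts":
            out += struct.pack("!BBII", KIND_TS, 10, args[0], args[1])
        else:
            raise ValueError("unknown option %r" % name)
    while len(out) % 4:          # data offset is counted in 32-bit words
        out.append(KIND_EOL)
    if len(out) > 40:            # 60-byte header max = 20 fixed + 40 of options
        raise ValueError("options exceed 40 bytes")
    return bytes(out)


def decode_options(data):
    """Parse raw option bytes into (name, value) tuples; stop at EOL, reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            out.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = data[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            out.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == KIND_WS and length == 3:
            out.append(("ws", body[0]))
        elif kind == KIND_SOK and length == 2:
            out.append(("sok", None))
        elif kind == KIND_TS and length == 10:
            out.append(("ts", struct.unpack("!II", body)))
        else:
            out.append(("?%d" % kind, bytes(body)))   # unknown kind: keep it opaque
        i += length
    return out


def is_well_formed(data):
    """True if the option bytes parse without a truncated or undersized option."""
    try:
        decode_options(data)
        return True
    except ValueError:
        return False


def layout(data):
    """p0f-style layout string of an option block, e.g. 'mss,sok,ts,nop,ws'."""
    return ",".join(name for name, _ in decode_options(data))


def options_hex(profile):
    """Hex string for a profile, the shape a --tcp-options argument might take (assumed)."""
    return encode_options(PROFILES[profile]).hex()


def match_profiles(data):
    """Profiles whose option order matches the observed SYN (order only, values ignored)."""
    seen = layout(data)
    return [p for p, opts in PROFILES.items() if layout(encode_options(opts)) == seen]


if __name__ == "__main__":
    for name in PROFILES:
        raw = encode_options(PROFILES[name])
        print("%-8s %-28s %s" % (name, layout(raw), raw.hex()))
```

The IDS view is match_profiles: a SYN whose only option is an MSS matches nothing but the scanner profile, which is exactly the kind of static string the r34903 commit pulled out of the code. The evader view is options_hex: feed the layout of the host's own stack to the scanner, and the option order alone no longer separates the scan from ordinary traffic (window size, TTL and port order, also raised in the thread, still would).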