Nmap Development mailing list archives

IDS evasion through --tcp-options (Was: Re: [nmap-svn] r34903 - nmap)


From: Jacek Wielemborek <d33tah () gmail com>
Date: Tue, 14 Jul 2015 11:47:49 +0200

On 14.07.2015 at 05:19, Daniel Miller wrote:
List,

Nmap's unique TCP signature has come up a couple times in the past week. On
Tuesday the 7th, a user on IRC wanted to know if Nmap could be
fingerprinted based on the static order of the first 28 TCP ports scanned.
In reply, I wrote a blog post [1] on how easy it is for IDS and related
systems to detect Nmap scans. On Wednesday, Bernhard Thaler sent a patch to
address one aspect of this (TCP Window size) [2].

The commit below does not change any functionality, but it makes it simple
for a user to compile in different TCP Options that are set for raw TCP SYN
packets, since this is another possible way that Nmap could be identified,
at least in combination with other features. It is also good programming
practice not to have "magic numbers," which extends to literal strings like
this scattered throughout the code.

Hope you found this interesting!
Dan

[1] http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-they-hatin.html
[2] http://seclists.org/nmap-dev/2015/q3/52

Hello,

I like it! I played with your code a bit and implemented a --tcp-options
command-line switch; the patch can be found in [1]. One can combine it with
my evader.py script [2], which would generate a hex string that would
mimic the sender's operating system preferences for TCP options. I know
it's kludgy, but it's a proof of concept that could be used for better
IDS evasion. What do you think about this?

Cheers,
d33tah

[1]
https://gist.github.com/d33tah/3f214bdea50f0ea420bf#file-tcp-options-patch
[2] https://gist.github.com/d33tah/3f214bdea50f0ea420bf#file-evader-py
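What an IDS actually compares when it fingerprints a scanner by its TCP options is the ordered option layout of the SYN, so here is an added example (not code from the thread, the patch or evader.py) that decodes the raw options field of a SYN into that layout string; the sample option bytes are constructed for the example, and the shorthand names are an assumption modelled on p0f-style signatures.

```python
"""Decode the TCP options field of a SYN into a layout string (added example)."""
import struct

# Option kinds from RFC 793/7323/2018; shorthand names are p0f-style (assumed).
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TLV-encoded options; returns [(name, value-or-None), ...]."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list: one byte, stop here
            opts.append(("eol", None))
            break
        if kind == 1:                      # NOP padding: one byte, no length field
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # malformed length: refuse, do not loop
            raise ValueError("bad option length")
        data = raw[i + 2:i + length]
        name = OPTION_NAMES.get(kind, f"opt{kind}")
        if kind == 2 and len(data) == 2:           # MSS: 16-bit value
            value = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:         # window scale: shift count
            value = data[0]
        elif kind == 8 and len(data) == 8:         # timestamps: TSval, TSecr
            value = struct.unpack("!II", data)
        else:
            value = data.hex() or None             # sok has no payload -> None
        opts.append((name, value))
        i += length
    return opts


def option_layout(raw: bytes) -> str:
    """Order-preserving layout string, e.g. 'mss,sok,ts,nop,ws'; this is what a
    signature compares, so a SYN whose layout differs from the host OS stands out."""
    return ",".join(name for name, _ in parse_tcp_options(raw))


# Constructed sample: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
# Constructed sample: a SYN that carries only an MSS option
SAMPLE_MSS_ONLY = bytes.fromhex("020405b4")
```

Comparing `option_layout()` of an observed SYN against the layout the sending host's OS normally emits is the same check an IDS signature performs, which is why a scanner's fixed option set is detectable.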


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
