Nmap Development mailing list archives
Nmap Decoy Fingerprinting
From: "Who Am I?" <wh0am1terminal () gmail com>
Date: Sat, 25 Nov 2017 20:59:29 -0600
Hey there. I was playing around with the decoy directive (the -D option) when I noticed something about the packets. When close to the end of the scan, the victim's IP address always sends multiple TCP packets with the RST and ACK flags set back to the real scanner's address. Basically, if someone were to scan me with Nmap and use decoy addresses, then I could conclude which address is the real address by looking at the packets sent back to me with the RST and ACK flags set. This observation, if implemented in a smart way, could nullify the purpose of using decoy packets.

In fact, I made a simple proof-of-concept program <https://github.com/wh0am11/nmap_decoy_fingerprinting> that can demonstrate this. Basically, this program, when subjected to an Nmap scan with decoys in an isolated network, will determine which one is the real address. Further instructions are provided in the link above. Feel free to ask me questions or mention problems.

- S.
Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
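As an added illustration of the observation in the post (not the poster's proof-of-concept and not Nmap code), the following script applies the described heuristic from the scanned host's side: every address that sent a bare SYN is a candidate, and the candidate that the victim answered with RST/ACK packets is taken as the real scanner. The capture lines are constructed in tcpdump style for this example; the victim address, the candidate addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture (not a real trace): three addresses, one real
# scanner and two decoys, SYN-probe the victim 198.51.100.5. The victim answers all
# three with SYN/ACK, but near the end only 192.0.2.11 receives RST/ACK packets.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 192.0.2.11.40001 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000003 IP 192.0.2.12.40001 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000100 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:01.000101 IP 198.51.100.5.22 > 192.0.2.11.40001: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:01.000102 IP 198.51.100.5.22 > 192.0.2.12.40001: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:06.000000 IP 198.51.100.5.22 > 192.0.2.11.40001: Flags [R.], seq 10, ack 2, win 0, length 0
12:00:06.000001 IP 198.51.100.5.80 > 192.0.2.11.40002: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# tcpdump prints TCP flags in brackets: S = SYN, S. = SYN/ACK, R. = RST/ACK.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, dst, flags) for each parsable tcpdump line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("flags")


def rank_scanner_candidates(text, victim_ip):
    """Return {candidate: rst_ack_count} for every address that SYN-probed victim_ip.

    A candidate is any source that sent a bare SYN to the victim. Its count is the
    number of RST/ACK packets the victim sent back to it; per the post, decoys stay
    at zero while the real scanner's address does not.
    """
    candidates = set()
    rst_ack = Counter()
    for src, dst, flags in parse_capture(text):
        if dst == victim_ip and flags == "S":
            candidates.add(src)
        elif src == victim_ip and flags == "R.":
            rst_ack[dst] += 1
    return {c: rst_ack[c] for c in candidates}


def likely_real_scanner(text, victim_ip):
    """Candidates that received RST/ACK from the victim, sorted; empty if none."""
    ranked = rank_scanner_candidates(text, victim_ip)
    return sorted(c for c, n in ranked.items() if n > 0)
```

Pointing the same functions at a live capture of your own host (for example the output of `tcpdump -n tcp`) would let a defender check whether the pattern holds on their network rather than only on the constructed sample.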