Nmap Development mailing list archives

Nmap Decoy Fingerprinting


From: "Who Am I?" <wh0am1terminal () gmail com>
Date: Sat, 25 Nov 2017 20:59:29 -0600

Hey there.

I was playing around with the decoy directive (the -D option) when I
noticed something about the packets. When close to the end of the scan, the
victim's IP address always sends multiple TCP packets with the RST and ACK
flags set back to the real scanner's address.
Basically, if someone were to scan me with Nmap and use decoy addresses,
then I could conclude which address is the real address by looking at the
packets sent back to me with the RST and ACK flags set.
This observation, if implemented in a smart way, could nullify the purpose
of using decoy packets.
In fact, I made a simple proof-of-concept program
<https://github.com/wh0am11/nmap_decoy_fingerprinting> that can demonstrate
this. Basically, this program, when subjected to an Nmap scan with decoys
in an isolated network, will determine which one is the real address.
Further instructions are provided in the link above.

Feel free to ask me questions or mention problems.

- S.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
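Detection logic of the kind described in the post above, as an added example that is not the poster's proof-of-concept: it runs over constructed packet records (the addresses, flag strings and packet order are assumptions) and, among the addresses that sent SYN probes to the scanned host, reports the one the host answered with RST/ACK packets.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One observed TCP packet: addresses plus its flag letters (S, A, R, ...)."""
    src: str
    dst: str
    flags: str


# Constructed sample, not a real capture: 10.0.0.5 is the scanned host,
# 10.0.0.21 and 10.0.0.22 stand in for decoys, 10.0.0.23 for the real scanner.
VICTIM = "10.0.0.5"
SAMPLE = [
    Pkt("10.0.0.21", VICTIM, "S"),
    Pkt("10.0.0.23", VICTIM, "S"),
    Pkt("10.0.0.22", VICTIM, "S"),
    Pkt(VICTIM, "10.0.0.21", "SA"),
    Pkt(VICTIM, "10.0.0.23", "SA"),
    Pkt(VICTIM, "10.0.0.22", "SA"),
    # Tail of the scan, following the post's observation: RST/ACK packets
    # from the scanned host go only to the real scanner's address.
    Pkt(VICTIM, "10.0.0.23", "RA"),
    Pkt(VICTIM, "10.0.0.23", "RA"),
    Pkt(VICTIM, "10.0.0.23", "RA"),
]


def probe_sources(pkts, victim):
    """Every address that sent a bare SYN to the victim: decoys and real scanner alike."""
    return {p.src for p in pkts if p.dst == victim and p.flags == "S"}


def rst_ack_counts(pkts, victim):
    """How many RST+ACK packets the victim sent to each destination address."""
    return Counter(p.dst for p in pkts
                   if p.src == victim and "R" in p.flags and "A" in p.flags)


def identify_real_scanner(pkts, victim):
    """Return the probing address that received RST+ACK packets from the victim,
    or None if none did (no decoy scan seen, or the pattern is absent)."""
    sources = probe_sources(pkts, victim)
    hits = {dst: n for dst, n in rst_ack_counts(pkts, victim).items() if dst in sources}
    if not hits:
        return None
    return max(hits, key=hits.get)


if __name__ == "__main__":
    print("probe sources:", sorted(probe_sources(SAMPLE, VICTIM)))
    print("likely real scanner:", identify_real_scanner(SAMPLE, VICTIM))
```

On a real capture the same functions apply to decoded packets from a sniffer; the match is only meaningful if the candidate address also appears among the SYN sources, so unrelated RST/ACK traffic is ignored.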
