Penetration Testing mailing list archives
Re: Request for discussion on defending against specific Nmap TCP syn and version scans.
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 2 Mar 2006 09:02:55 +0100
On Wed, Mar 01, 2006 at 09:53:22AM -0800, Smith, Chris wrote:
> IPTables rule tweaks that can block particular scan types while still allowing legitimate connections.

Nothing against hardening the TCP/IP stack and filtering packets out unless it violates RFCs ... You could easily block Xmas, Null and this sort of scan probes, but you can't easily detect and block slow SYN or CONNECT probing...

> Nmap -sV -P0 -T4 -p 80 -vv X.X.X.X It's probable that the scan results are being dumped out as xml which is then parsed by other scripts for the sole purpose of getting the target IP on a web app exploit attempt list of some type.

How probable? Nmap is not a blackhat-only tool used with malicious intentions ... it is simply a tool to get useful information about the box, of use to both blackhats and whitehats...

> The logical conclusion that one might make would be, that if this initial scan could be blocked, it could prevent a plethora of specific, targeted, future exploit attempts.

I think "prevent" is too strong a word here. I think it just obfuscates the service a bit, which may only have some rather small effect on the statistical probability of a successful attack ... Also remember that there are many types of attacks that are not preceded by an info gathering/fingerprinting phase ... (e.g. worms). By the way, if you detect and block the Nmap version scan by signatures, then the nmap-service-probes file could always be changed to a different set of probes or tweaked until you can't distinguish it from regular traffic patterns... sounds like a classic virus/antivirus race game...

Don't get me wrong. I'm definitely _not_ against an IDS's ability to detect Nmap/Nessus/whatever activity and flag it as an interesting security-relevant event ... but I'm also not sure if this discussion belongs on pen-test.

Martin Mačok
ICT Security Consultant
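An added example illustrating the distinction Martin draws, not code from the thread: Xmas and Null probes carry flag combinations legitimate TCP never sends and are trivially classifiable from iptables LOG lines, while a SYN-only probe looks like any client connect, so the only handle on it is rate, and a slowly paced SYN scan stays under any sane threshold. Log lines, hosts and the window/threshold values are constructed for the demo.

```python
import re
from collections import defaultdict

FLAG_RE = re.compile(r"\b(URG|ACK|PSH|RST|SYN|FIN)\b")
TIME_RE = re.compile(r"(\d\d):(\d\d):(\d\d)")

def parse(line):
    """Return (seconds-of-day, src, dst-port, set-flags) for one iptables LOG line."""
    h, m, s = map(int, TIME_RE.search(line).groups())
    src = re.search(r"SRC=(\S+)", line).group(1)
    dpt = int(re.search(r"DPT=(\d+)", line).group(1))
    # ipt_LOG prints the set TCP flags between RES=... and URGP=
    tail = line.split("RES=", 1)[1].split("URGP=", 1)[0]
    return h * 3600 + m * 60 + s, src, dpt, frozenset(FLAG_RE.findall(tail))

def classify(flags):
    """Flag combos that real TCP never sends are cheap to drop by rule;
    a lone SYN is exactly what a normal client sends."""
    if not flags:
        return "null-scan"
    if {"FIN", "PSH", "URG"} <= flags and not flags & {"SYN", "ACK"}:
        return "xmas-scan"
    if flags == {"SYN"}:
        return "syn"
    return "other"

def syn_burst_sources(lines, window=10, threshold=5):
    """Sources sending >= threshold SYN-only probes within `window` seconds.
    A scan paced slower than that never crosses the threshold."""
    times = defaultdict(list)
    for line in lines:
        t, src, _dpt, flags = parse(line)
        if classify(flags) == "syn":
            times[src].append(t)
    hits = set()
    for src, ts in times.items():
        ts.sort()
        for i in range(threshold - 1, len(ts)):
            if ts[i] - ts[i - threshold + 1] <= window:
                hits.add(src)
                break
    return hits

def _log(ts, src, flags):  # constructed LOG line in ipt_LOG's format
    return (f"Mar  2 {ts} gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=7 PROTO=TCP SPT=54321 DPT=80 "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")

SAMPLE = ([_log(f"09:02:{50 + i:02d}", "10.0.0.5", "SYN") for i in range(5)]   # 5 SYNs in 4 s
          + [_log(f"09:{3 + i:02d}:00", "10.0.0.6", "SYN") for i in range(5)]  # 1 SYN per minute
          + [_log("09:10:00", "10.0.0.7", "URG PSH FIN"), _log("09:10:01", "10.0.0.8", "")])
```

Running `syn_burst_sources(SAMPLE)` flags only 10.0.0.5; the one-per-minute scanner 10.0.0.6 is indistinguishable from five unrelated clients, which is the point of the reply above.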