Nmap Announce mailing list archives

Re: randomization of sequence numbers in nmap 2.03


From: ajax <ajax () mobis com>
Date: Wed, 3 Feb 1999 23:42:13 -0600 (EST)

Hi,

Something I've been thinking about is adding the ability for nmap to take
its list of hosts that it's scanning for and randomize all hosts, scanning
for ports on one host at a time. This has several benefits, clearest of
which is that it doesn't appear like one is hammering one network for
any length of time.  Many times, multiple machines log syslogd to one box.

Also, the changes I wrote to nmap previously, the vulnerability scanning
functions, are mostly complete; I've gotten it down to where it can scan
one host correctly with no problems.  However, attempts to do multiple
IPs for some reason cause it to segfault.  I'm still ironing it out, and
if some people would like to work with me on it, it would be greatly
appreciated.  Check out the diffs for 2.01 on www.mobis.com/ajax/code/nmap

ajax



On Wed, 3 Feb 1999, HD Moore wrote:


An easy way to detect an nmap 2.03 syn scan is by looking through
traffic for multiple packets with the same sequence number.  A tcpdump
output parsing script I wrote will dig all the syn's out of a traffic
dump, hash them and compare by sequence number to find sets where the
number of packets with the same sequence number is over a threshold. The
quick-fix for nmap.c is attached, if anyone wants the script drop me a
note.

-HD
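
The detection HD Moore describes in the quoted message (pull the SYNs out of a traffic dump, hash them on sequence number, flag sets above a threshold) is sketched below as an added example. It is not part of the original post and is not HD's script; it parses the line format of a current tcpdump (`Flags [S], seq N`) rather than the 1999 one, and the capture it runs over is a constructed sample, not real traffic. One refinement beyond the quoted description: it counts distinct flows per sequence number instead of raw packets, so an ordinary SYN retransmission (same source port, same destination, same sequence number) does not trip the threshold.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (not a real capture). The
# first five SYNs from 10.0.0.5 reuse one sequence number across five
# destination ports, which is the signature described in the thread.
# The remaining lines are a SYN/ACK reply, one legitimate SYN that is
# retransmitted once (same flow, same seq), and one unrelated SYN.
SAMPLE_TCPDUMP = """\
23:42:01.000101 IP 10.0.0.5.40000 > 192.168.1.10.21: Flags [S], seq 1234567890, win 1024, length 0
23:42:01.000215 IP 10.0.0.5.40000 > 192.168.1.10.22: Flags [S], seq 1234567890, win 1024, length 0
23:42:01.000330 IP 10.0.0.5.40000 > 192.168.1.10.23: Flags [S], seq 1234567890, win 1024, length 0
23:42:01.000447 IP 10.0.0.5.40000 > 192.168.1.10.25: Flags [S], seq 1234567890, win 1024, length 0
23:42:01.000561 IP 10.0.0.5.40000 > 192.168.1.10.80: Flags [S], seq 1234567890, win 1024, length 0
23:42:01.000677 IP 192.168.1.10.80 > 10.0.0.5.40000: Flags [S.], seq 987654321, ack 1234567891, win 65535, length 0
23:42:02.100000 IP 10.0.0.7.51234 > 192.168.1.10.443: Flags [S], seq 2222222222, win 64240, length 0
23:42:03.100000 IP 10.0.0.7.51234 > 192.168.1.10.443: Flags [S], seq 2222222222, win 64240, length 0
23:42:04.000000 IP 10.0.0.8.52000 > 192.168.1.10.80: Flags [S], seq 3333333333, win 64240, length 0
"""

# Matches a bare SYN ("Flags [S]", which excludes the SYN/ACK "[S.]") and
# extracts the flow endpoints plus the sequence number tcpdump printed.
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\], seq (?P<seq>\d+)"
)


def group_syns_by_seq(dump_text):
    """Hash every SYN on its sequence number.

    Returns {seq: set of (src, sport, dst, dport)} so that repeated packets
    of the same flow collapse to a single entry.
    """
    groups = defaultdict(set)
    for line in dump_text.splitlines():
        m = SYN_RE.search(line)
        if m is None:
            continue  # not a bare SYN (data, ACK, SYN/ACK, non-IP line)
        groups[int(m.group("seq"))].add(
            (m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"))
        )
    return groups


def find_repeated_seq(dump_text, threshold=3):
    """Return {seq: sorted flows} for every sequence number shared by more
    than `threshold` distinct SYN flows. A single TCP stack choosing the
    same ISN for several fresh connections in a row is what this keys on."""
    groups = group_syns_by_seq(dump_text)
    return {seq: sorted(flows) for seq, flows in groups.items() if len(flows) > threshold}


if __name__ == "__main__":
    for seq, flows in find_repeated_seq(SAMPLE_TCPDUMP).items():
        print(f"seq {seq} reused across {len(flows)} SYN flows:")
        for src, sport, dst, dport in flows:
            print(f"  {src}:{sport} -> {dst}:{dport}")
```

Run against a real capture with `tcpdump -nn -S -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` piped into `find_repeated_seq`; `-S` keeps sequence numbers absolute so the hash key is stable across lines. The threshold is a tuning knob: a few stacks do reuse an ISN for back-to-back connections, so alert on the sustained pattern (many distinct destination ports from one source under one sequence number) rather than on a pair.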


