Nmap Development mailing list archives

Re: Very stealth mode for the OS detection


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 22 Aug 2000 14:55:36 +0200



Nicolas Gregoire wrote:

> I wonder why there isn't a very stealth mode for OS detection
> (please note I haven't read the nmap-dev mailing-list archive)
> Using some kind of "strange" ICMP packets

IMHO, "strange" ICMP packets are not very stealthy. Any IDS
or firewall is likely to cry foul for pretty much any type
of ICMP that it doesn't expect. Firewalls are likely
to block ICMP completely.

Stray TCP ACKs or FINs are much better for stealth scans, since
they're part of normal traffic. Not all TCP scans of nmap
are stealthy though. XMAS scans are not stealthy at all, since
that bit will trigger alarms in anything but the dumbest
packet filters :)

One of the biggest benefits of TCP fingerprinting is that you can
fire a scan off at a single port, for instance port 80
of a web server, and be certain that it'll get through.

So, just by being a little selective in what scans you perform,
you can be _very_ stealthy. I guess you'll have to go compare
your results against the fingerprint databases manually, but,
hey, what do you expect :)

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


