Nmap Development mailing list archives
Re: Very stealth mode for the OS detection
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Tue, 22 Aug 2000 14:55:36 +0200
Nicolas Gregoire wrote:
I wonder why there isn't a very stealth mode for OS detection (please note I haven't read the nmap-dev mailing-list archive). Using some kind of "strange" ICMP packets?
IMHO, "strange" ICMP packets are not very stealthy. Any IDS or firewall is likely to cry foul for pretty much any type of ICMP that it doesn't expect. Firewalls are likely to block ICMP completely.

Stray TCP ACKs or FINs are much better for stealth scans, since they're part of normal traffic. Not all TCP scans of nmap are stealthy though. XMAS scans are not stealth at all, since that bit will trigger alarms in anything but the dumbest packet filters :)

One of the biggest benefits of TCP fingerprinting is that you can fire a scan off at a single port, for instance port 80 of a web server, and be certain that it'll get through. So, just by being a little selective in what scans you perform, you can be _very_ stealthy.

I guess you'll have to go compare your results against the fingerprint databases manually, but, hey, what do you expect :)

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: mikael.olsson () enternet se
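As an added illustration of the detection side of this exchange (example code written for this archive page, not from the thread or from Nmap), here is a small Python classifier of the kind a packet filter or IDS applies to TCP flag combinations, run over constructed sample packets. It shows the asymmetry Mikael describes: XMAS and NULL probes are flagged statelessly because no real TCP stack emits those combinations, a stray ACK is only caught once connection state is tracked, and a lone SYN to port 80 is indistinguishable from an ordinary connection request. All addresses and packets are made up.

```python
# Added example, not from the nmap-dev thread or from Nmap itself: a minimal
# flag-based classifier of the kind a packet filter or IDS applies to TCP
# segments, plus a simple connection tracker. All packets below are
# constructed sample data.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_names(flags):
    """Render a TCP flags byte as e.g. 'SYN|ACK' (or 'none')."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "|".join(names) if names else "none"


def classify_tcp_flags(flags):
    """Stateless verdict on one TCP flags byte.

    Combinations that a real TCP stack never emits are flagged outright;
    anything else needs connection state to judge.
    """
    if flags == 0:
        return "suspicious: NULL probe (no flags set)"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "suspicious: XMAS probe (FIN+PSH+URG set)"
    if flags & SYN and flags & (FIN | RST):
        return "suspicious: SYN combined with FIN or RST"
    if flags == SYN:
        return "normal: connection request"
    return "normal: requires connection state to judge"


def audit_stream(packets):
    """Run the stateless check and a minimal connection tracker over
    (src, dst, flags) tuples. Returns [(index, verdict)] for packets a
    stateful filter would flag.

    A connection is keyed on its unordered endpoint pair, so replies from
    the server side match the same entry as the client's SYN.
    """
    known = set()
    findings = []
    for i, (src, dst, flags) in enumerate(packets):
        verdict = classify_tcp_flags(flags)
        if verdict.startswith("suspicious"):
            findings.append((i, verdict))
            continue
        key = frozenset((src, dst))
        if flags == SYN:
            known.add(key)          # new connection attempt; remember it
        elif key not in known:
            # An ACK or FIN that belongs to no connection we have seen:
            # invisible to a stateless filter, obvious to a stateful one.
            findings.append((i, "suspicious: %s with no known connection" % flag_names(flags)))
    return findings


# Constructed sample traffic toward a web server on 10.0.0.2:80.
SAMPLE_PACKETS = [
    ("10.0.0.1:40000", "10.0.0.2:80", SYN),              # 0: normal handshake
    ("10.0.0.2:80", "10.0.0.1:40000", SYN | ACK),        # 1
    ("10.0.0.1:40000", "10.0.0.2:80", ACK),              # 2
    ("10.0.0.1:40001", "10.0.0.2:80", FIN | PSH | URG),  # 3: XMAS probe
    ("10.0.0.1:40002", "10.0.0.2:80", ACK),              # 4: stray ACK, no connection
    ("10.0.0.1:40003", "10.0.0.2:80", 0),                # 5: NULL probe
    ("10.0.0.1:40004", "10.0.0.2:80", SYN),              # 6: lone SYN; looks normal
]

if __name__ == "__main__":
    for index, verdict in audit_stream(SAMPLE_PACKETS):
        print("packet %d: %s" % (index, verdict))
```

The stray ACK (packet 4) passes `classify_tcp_flags` but is caught by `audit_stream`, which is the practical caveat to the "ACKs and FINs are normal traffic" argument: it holds against stateless packet filters, while a stateful firewall that tracks connections flags an ACK for a session it never saw. Packet 6, a single SYN, is not flagged by either check.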
Current thread:
- Very stealth mode for the OS detection Nicolas Gregoire (Aug 22)
- Re: Very stealth mode for the OS detection Mikael Olsson (Aug 22)