Re: Finding real host in Nmap -D Scans

[H D Moore <hdm () digitaloffense net>]

Have to disagree with the "obsolete" statement. I ran an egress test from 
my cable connection and found no less than 40 different class C networks 
I could spoof packets from. While many of these networks were in the same 
class B subnet, they could still be used to effective obsfucate the real 
source of a port scan. Actually, using a related address makes tracing it 
back even harder, since even TTL tricks and router logs won't help you.

It does narrow down your source to specific provider/geographic area, but 
still doesn't provide you with a single address to report. An intelligent 
attacker would spoof a few dozen scans first from firewalled systems 
located at his own provider (ie. broadband routers that filter 
everything) and only perform the "real" scan with a decoy scan, using the 
scapegoat system as one of the sources. Then again, anyone who wants to 
expend this level of effort could just use the IP ID trick and you would 
never see a single packet from thier real address.

-HD

On Monday 03 March 2003 11:26 pm, Kevin Hodle wrote:
> With most broadband providers, this is an obsolete method of port
> scanning.  Broadband companies like comca$t have very strict egress
> filters, and also 'ip verify reverse-path' on a cisco PIX (stateful)
> will eliminate the possibility of decoy scans being run against
> machines behind the PIX.  Edge routers can also be configured in a
> similar fashion to accommodate external/DMZ machines like IDS's (witch
> should be running a stealth interface anyway.)
>
>
> Kevin Hodle
> CCNA, Network+, A+
> Alexander Open Systems
> Network Operations Center
> kevinh () aos5 com
>
>
> -----Original Message-----
> From: Ryan [mailto:ryan () packetwatch net]
> Sent: Sunday, March 02, 2003 6:25 PM
> To: pen-test () securityfocus com; nmap-dev () insecure org
> Cc: 'Fyodor'
> Subject: Finding real host in Nmap -D Scans
>
>
> Hi All,
>
> I was wondering about the decoy scan in nmap.  Is there a way to tell
> which host in a decoy scan is the real host?  I found a post by Dug
> Song (http://www.geek-girl.com/ids/1999/0057.html), but these methods
> won't work anymore.
>
> First, as Dug Song said nmap now randomizes the ttl fields, and
> secondly you can't narrow it down to a host that can run nmap, because
> nmap can now be run on Windows systems as well.
>
> Ryan Spangler
> http://www.packetwatch.net
>
>
> -----------------------------------------------------------------------
> - ----
> <Pre>Do you know the base address of the Global Offset Table (GOT) on a
> Solaris 8 box? CORE IMPACT does.</Pre> <A
> href="http://www.securityfocus.com/core";>
> http://www.securityfocus.com/core</A>
>
>
> ---------------------------------------------------------------------
> For help using this (nmap-dev) mailing list, send a blank email to
> nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).