Nmap Development mailing list archives
Re: Finding real host in Nmap -D Scans
From: H D Moore <hdm () digitaloffense net>
Date: Tue, 4 Mar 2003 00:02:34 -0600
Have to disagree with the "obsolete" statement. I ran an egress test from my cable connection and found no less than 40 different class C networks I could spoof packets from. While many of these networks were in the same class B subnet, they could still be used to effectively obfuscate the real source of a port scan. Actually, using a related address makes tracing it back even harder, since even TTL tricks and router logs won't help you. It does narrow down your source to a specific provider/geographic area, but still doesn't provide you with a single address to report.

An intelligent attacker would spoof a few dozen scans first from firewalled systems located at his own provider (i.e. broadband routers that filter everything) and only perform the "real" scan with a decoy scan, using the scapegoat system as one of the sources. Then again, anyone who wants to expend this level of effort could just use the IP ID trick and you would never see a single packet from their real address.

-HD

On Monday 03 March 2003 11:26 pm, Kevin Hodle wrote:
With most broadband providers, this is an obsolete method of port scanning. Broadband companies like comca$t have very strict egress filters, and also 'ip verify reverse-path' on a Cisco PIX (stateful) will eliminate the possibility of decoy scans being run against machines behind the PIX. Edge routers can also be configured in a similar fashion to accommodate external/DMZ machines like IDSs (which should be running a stealth interface anyway.)

Kevin Hodle
CCNA, Network+, A+
Alexander Open Systems Network Operations Center
kevinh () aos5 com

-----Original Message-----
From: Ryan [mailto:ryan () packetwatch net]
Sent: Sunday, March 02, 2003 6:25 PM
To: pen-test () securityfocus com; nmap-dev () insecure org
Cc: 'Fyodor'
Subject: Finding real host in Nmap -D Scans

Hi All,

I was wondering about the decoy scan in nmap. Is there a way to tell which host in a decoy scan is the real host? I found a post by Dug Song (http://www.geek-girl.com/ids/1999/0057.html), but these methods won't work anymore. First, as Dug Song said, nmap now randomizes the TTL fields, and secondly you can't narrow it down to a host that can run nmap, because nmap can now be run on Windows systems as well.

Ryan Spangler
http://www.packetwatch.net

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
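The two posts above disagree about how much a provider's filtering actually buys a defender: Kevin's point is that a strict egress ACL or 'ip verify reverse-path' discards spoofed decoy packets; HD's point is that an attacker who picks decoy addresses from the same provider prefix gets past a coarse egress filter, and that even a good filter only narrows the source to a network, not a host. The following is an added example, not code from the thread or from nmap, that models both checks over a constructed routing table and a constructed decoy-scan source list (the prefixes, interface names and addresses are made up for illustration). Strict uRPF is implemented as a longest-prefix lookup that compares the route's interface with the packet's ingress interface; the egress ACL is a simple prefix allow-list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed forwarding table for a hypothetical provider edge router.
# 10.20.0.0/16 is the broadband aggregate; each customer VLAN has its own /24.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "uplink0"),        # default route toward the core
    Route(ipaddress.ip_network("10.20.0.0/16"), "cust-agg1"),   # aggregate for the broadband cluster
    Route(ipaddress.ip_network("10.20.5.0/24"), "cust-vlan5"),  # the attacker's own subnet
    Route(ipaddress.ip_network("10.20.9.0/24"), "cust-vlan9"),  # a neighbouring customer subnet
    Route(ipaddress.ip_network("192.0.2.0/24"), "dmz0"),        # provider DMZ
]

# Constructed nmap -D style source list: the real host plus four decoys.
# The attacker is on 10.20.5.0/24 and sends every packet on cust-vlan5.
ATTACKER_INGRESS = "cust-vlan5"
DECOY_SCAN_SOURCES = [
    "10.20.5.77",     # real host
    "10.20.5.200",    # decoy on the same /24 (HD's "related address")
    "10.20.9.14",     # decoy in the same /16 but a different VLAN
    "198.51.100.3",   # decoy on an unrelated network
    "192.0.2.10",     # decoy in the provider DMZ
]


def best_route(fib, addr):
    """Longest-prefix match: the most specific FIB entry containing addr, or None."""
    a = ipaddress.ip_address(addr)
    matches = [r for r in fib if a in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def strict_urpf_accepts(fib, src, ingress):
    """Strict reverse-path check ('ip verify reverse-path'): forward the packet only
    if the best route back to its source leaves through the interface it arrived on.
    Simplification: real routers normally ignore the default route for uRPF; here a
    default-route match fails anyway because uplink0 is never the ingress interface."""
    r = best_route(fib, src)
    return r is not None and r.interface == ingress


def egress_filter_accepts(allowed_prefixes, src):
    """Coarse egress ACL: accept only sources inside prefixes assigned to the customer cluster."""
    a = ipaddress.ip_address(src)
    return any(a in p for p in allowed_prefixes)


def urpf_survivors(fib, ingress, sources):
    """Decoy-scan sources that would reach the target through a strict-uRPF edge."""
    return [s for s in sources if strict_urpf_accepts(fib, s, ingress)]


def egress_survivors(allowed_prefixes, sources):
    """Decoy-scan sources that would reach the target through a prefix-based egress ACL."""
    return [s for s in sources if egress_filter_accepts(allowed_prefixes, s)]


if __name__ == "__main__":
    aggregate_acl = [ipaddress.ip_network("10.20.0.0/16")]
    print("egress ACL (/16) lets through:", egress_survivors(aggregate_acl, DECOY_SCAN_SOURCES))
    print("strict uRPF lets through:     ", urpf_survivors(FIB, ATTACKER_INGRESS, DECOY_SCAN_SOURCES))
```

Run stand-alone, the /16 egress ACL passes three of the five sources (everything inside the provider aggregate, including the neighbouring VLAN), while strict uRPF passes only the two addresses on the attacker's own /24. Neither check distinguishes 10.20.5.77 from 10.20.5.200, which is the residual problem HD describes: the defender learns the subnet, not the host.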
Current thread:
- Finding real host in Nmap -D Scans Ryan (Mar 02)
- <Possible follow-ups>
- RE: Finding real host in Nmap -D Scans Kevin Hodle (Mar 03)
- Re: Finding real host in Nmap -D Scans H D Moore (Mar 03)
- Re: Finding real host in Nmap -D Scans Fyodor (Mar 03)
- RE: Finding real host in Nmap -D Scans Lampe, John W. (Mar 03)
- RE: Finding real host in Nmap -D Scans Alexander Bartolich (Mar 04)