Nmap Development mailing list archives

Invalidating Stealth


From: "Crenshaw, Adrian D" <adrian () ius edu>
Date: Tue, 4 Oct 2005 10:57:33 -0500

Hi All,

I'm working on part two of my Nmap video tutorial (I call it
Nmap 2: Port Scan Boogaloo) and wanted to ask a question. Which flags
cause problems that make stealth/obscuring features less effective? For
example:

If you use an idle scan (-sI), but don't use -P0, the true scanning IP
will be given away because of the ping.

Another example would be if you did an idle scan with version and OS
detection turned on (-sV -O or just -A): while the port scan may seem to
come from the zombie, the version/OS detection traffic will appear to come
from the true scanner's IP.

I also imagine that the use of decoys could be invalidated based on
which IPs the scanned host was able to establish three-way handshakes
with during the scans (if version or OS detection was requested).

Any others I should mention?

Adrian

http://www.irongeek.com



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
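The defender-side view that the post describes, as an added example that is not part of Adrian's message and not Nmap's own code: a small analyzer over constructed packet records (not a real capture) for a target host. Decoy and idle scans can make SYN probes appear to come from several IPs, but only the real scanner can answer a SYN/ACK with the final ACK that version detection needs, and only the real scanner sends the pre-scan ICMP echo when -P0 is omitted. The IP addresses, the record layout (src, dst, scanned port, protocol, flags) and the function names are assumptions made for the example.

```python
"""Added example (not from the original post or from Nmap): which probe
sources on a scanned host could really complete a TCP three-way handshake
or sent an ICMP echo before scanning.  Record layout, addresses and sample
traffic are constructed for illustration."""
from collections import defaultdict

TARGET = "10.0.0.9"  # assumed scanned host

# Constructed sample traffic, not a real capture.
# Fields: (src, dst, scanned_port, proto, tcp_flags)
# 10.0.0.5 is the true scanner, 10.0.0.7 and 10.0.0.8 are decoys (-D),
# 10.0.0.20 plays the idle-scan zombie (-sI), which only ever emits SYNs.
SAMPLE = [
    ("10.0.0.5", TARGET, 0, "icmp", "echo"),     # host discovery, -P0 omitted
    ("10.0.0.7", TARGET, 80, "tcp", "S"),        # decoy SYN
    ("10.0.0.5", TARGET, 80, "tcp", "S"),        # real SYN (SYN scan phase)
    (TARGET, "10.0.0.5", 80, "tcp", "SA"),
    ("10.0.0.5", TARGET, 80, "tcp", "R"),        # half-open scan tears down
    ("10.0.0.8", TARGET, 80, "tcp", "S"),        # second decoy SYN
    ("10.0.0.20", TARGET, 80, "tcp", "S"),       # zombie-sourced SYN
    # version detection (-sV) needs a full connection: only the real IP
    # can send the third packet of the handshake
    ("10.0.0.5", TARGET, 80, "tcp", "S"),
    (TARGET, "10.0.0.5", 80, "tcp", "SA"),
    ("10.0.0.5", TARGET, 80, "tcp", "A"),
    ("10.0.0.5", TARGET, 80, "tcp", "PA"),       # probe payload follows
]


def classify_sources(records, target):
    """Return {client_ip: set(evidence)} for traffic aimed at target.

    Evidence values: 'icmp-echo', 'syn', 'handshake'.  A handshake is
    credited only when the client's ACK follows a SYN/ACK the target sent
    for that client/port, i.e. the client really received the reply.
    """
    state = {}                      # (client, port) -> syn | synack | established | closed
    evidence = defaultdict(set)
    for src, dst, port, proto, flags in records:
        if proto == "icmp" and dst == target:
            evidence[src].add("icmp-echo")
        elif proto != "tcp":
            continue
        elif dst == target:                      # client -> target
            key = (src, port)
            if "R" in flags:
                state[key] = "closed"
            elif "S" in flags and "A" not in flags:
                state[key] = "syn"
                evidence[src].add("syn")
            elif "A" in flags and state.get(key) == "synack":
                state[key] = "established"
                evidence[src].add("handshake")
        elif src == target:                      # target -> client
            key = (dst, port)
            if "S" in flags and "A" in flags and state.get(key) == "syn":
                state[key] = "synack"
    return dict(evidence)


def likely_real_scanners(records, target):
    """IPs that did something a spoofed decoy or zombie cannot do."""
    ev = classify_sources(records, target)
    return sorted(ip for ip, e in ev.items() if e & {"handshake", "icmp-echo"})


if __name__ == "__main__":
    for ip, ev in sorted(classify_sources(SAMPLE, TARGET).items()):
        print(f"{ip:12} {', '.join(sorted(ev))}")
    print("likely real scanner(s):", likely_real_scanners(SAMPLE, TARGET))
```

The decoys and the zombie show up with SYN-only evidence, while the true scanner is the only source credited with an ICMP echo and a completed handshake; a SYN scan alone (the RST after the SYN/ACK) never earns the handshake mark, which is why the post's point holds only once -sV, -O or -A are added.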
