Nmap Development mailing list archives
Re: Fundumental Questions about NMAP
From: sgarcia <sgarcia () citefa gov ar>
Date: Tue, 5 Sep 2006 11:35:23 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 04 September 2006 10:50, Andreas Ericsson wrote:
> uday kumar kunta wrote:
>> Dear Sir, Can you please clarify my simple questions....
>> 1. How can we block the nmap scans across the network?
>
> Use an adaptive firewall that recognizes and auto-blocks hosts that portscan. I have no idea of where to find one, which ones are good, or if it's worth bothering with.
Some, I hope useful, ideas:

Being able to block first means being able to detect, so:

- p0f used to detect nmap traffic. (You can see an example output of p0f detecting nmap here: http://www.sans.org/resources/idfaq/p0f.php) "P0f is included with many distros, integrated into OpenBSD, amavisd, milter, and so on." The problem is... that the last p0f (2.0.7) still can't detect nmap 4.11 nor nmap 4.20alphaX.

- snort can detect nmap traffic. (And try to block it.) Snort detection examples using 'nmap -sS -A -F -n -v yy.yy.yy.yy':

  09/05-11:06:26.993324 [**] [122:3:0] (portscan) TCP Portsweep [**] {PROTO255} xx.xx.xx.xx -> yy.yy.yy.yy
  09/05-11:06:26.993324 [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO255} xx.xx.xx.xx -> yy.yy.yy.yy
  09/05-11:07:23.493990 [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} xx.xx.xx.xx:44805 -> yy.yy.yy.yy:1

There are MANY more portscanner detectors, look here: http://www.softpanorama.org/Security/port_scan_detectors.shtml

Keep in mind there will always be false positives.

This text is from the book "Network Security Hacks", http://hacks.oreilly.com/pub/h/1347 :

"To thwart Nmap's efforts, we can employ firewall rules that block packets used for operating-system probes. These are fairly easy to spot, since several of them have invalid combinations of TCP flags. Some of the tests that Nmap performs cannot be blocked by PF by simply adding block rules, but they can be blocked if stateful filtering and a default deny policy have been implemented in the ruleset. This is because some of the tests make use of TCP options, which cannot be filtered with PF.
To block these fingerprinting attempts with OpenBSD's PF, we can put rules similar to these in our /etc/pf.conf:

    set block-policy return
    block in log quick proto tcp flags FUP/WEUAPRSF
    block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
    block in log quick proto tcp flags SRAFU/WEUAPRSF
    block in log quick proto tcp flags /WEUAPRSF
    block in log quick proto tcp flags SR/SR
    block in log quick proto tcp flags SF/SF

This also has the side effect of logging any attempts to the pflog0 interface. Even if we can't block all of Nmap's tests, we can at least log some of the more unique attempts, and possibly confuse it by providing an incomplete picture of our operating system's TCP stack behavior."

cheers
sebas
>> 2. Which port is used when nmap runs?
>
> All of them. That's sort of the idea with a network probing program.
-- 
Ing. Sebastián García
SI6 - DINFO - CITEFA
San Juan B. de La Salle 4397
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8285
e-mail: sgarcia () citefa gov ar - www.citefa.gov.ar/si6/
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x4305E810

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE/Ysv/TXddkMF6BARAk3gAJ9xdb3NMg2+tD+gnsaTtaKi7E7lXQCgrzB9
wkgGys+rcjNiVk17xUZ7hJA=
=RNEz
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
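The six pf "flags SET/MASK" rules quoted from "Network Security Hacks" in the message above only catch probes whose TCP flag byte is an invalid combination. The following is an added example, not code from the mailing-list post, from the book, or from the nmap or pf projects: it encodes those rules as a small matcher using pf's documented semantics for "flags SET/MASK" (of the flags named in MASK, exactly those named in SET must be present; flags outside MASK are ignored) and runs constructed TCP flag bytes through it, so you can see which nmap probe types the rules block and which ones (plain SYN and plain ACK scans) they let through. The sample flag bytes and their labels are constructed for this example.

```python
"""PF-style TCP flag matching for the quoted "Network Security Hacks" rules.

Added example, not code from the mailing-list post or from the book it
quotes. Assumes pf semantics for `flags SET/MASK`: within MASK, exactly
the SET flags must be set; bits outside MASK do not matter.
"""

# pf flag letters mapped to the bits of the TCP flags byte
# (FIN..URG from RFC 793, ECE/CWR from RFC 3168).
PF_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}

# The rules exactly as quoted from the book (pf.conf syntax).
PF_RULES = [
    "block in log quick proto tcp flags FUP/WEUAPRSF",
    "block in log quick proto tcp flags WEUAPRSF/WEUAPRSF",
    "block in log quick proto tcp flags SRAFU/WEUAPRSF",
    "block in log quick proto tcp flags /WEUAPRSF",
    "block in log quick proto tcp flags SR/SR",
    "block in log quick proto tcp flags SF/SF",
]


def flags_to_bits(letters):
    """Turn a pf flag string such as 'FPU' into a TCP flags byte."""
    bits = 0
    for ch in letters:
        bits |= PF_FLAG_BITS[ch]  # KeyError on a letter pf does not know
    return bits


def parse_flags_spec(spec):
    """'FUP/WEUAPRSF' -> (set_bits, mask_bits); an empty SET is legal."""
    set_part, _, mask_part = spec.partition("/")
    return flags_to_bits(set_part), flags_to_bits(mask_part)


def parse_pf_rule(rule):
    """Extract the SET/MASK spec that follows the 'flags' keyword."""
    tokens = rule.split()
    return parse_flags_spec(tokens[tokens.index("flags") + 1])


def rule_matches(flag_byte, set_bits, mask_bits):
    """pf semantics: within MASK, exactly the SET flags are present."""
    return (flag_byte & mask_bits) == set_bits


def matching_rules(flag_byte, rules=PF_RULES):
    """Return every rule in `rules` that would block this flags byte."""
    return [r for r in rules if rule_matches(flag_byte, *parse_pf_rule(r))]


def classify(flag_byte, rules=PF_RULES):
    """'block' if any rule matches, else 'pass' (to later rules/state)."""
    return "block" if matching_rules(flag_byte, rules) else "pass"


# Constructed sample flag bytes, labelled with the nmap probe that sends them.
SAMPLES = {
    "xmas scan (-sX): FIN+PSH+URG": flags_to_bits("FPU"),
    "null scan (-sN): no flags": 0x00,
    "SYN+FIN probe": flags_to_bits("SF"),
    "SYN+RST probe": flags_to_bits("SR"),
    "all flags set": flags_to_bits("WEUAPRSF"),
    "SYN scan (-sS): plain SYN": flags_to_bits("S"),
    "ACK scan (-sA): plain ACK": flags_to_bits("A"),
    "normal SYN-ACK reply": flags_to_bits("SA"),
}


def run_samples(samples=SAMPLES):
    """Classify each constructed sample; returns {label: verdict}."""
    return {label: classify(bits) for label, bits in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{verdict:5s}  {label}")
```

The XMAS, NULL, SYN+FIN, SYN+RST and all-flags probes come back "block", while the plain SYN and plain ACK probes (and a legitimate SYN-ACK) come back "pass": flag-based rules alone cannot tell a SYN scan from a normal connection attempt, which is why the quoted text relies on stateful filtering with a default deny policy for the rest. The Snort "SCAN nmap XMAS" alert shown in the message fires on the same FIN+PSH+URG combination the first rule blocks.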
Current thread:
- Fundumental Questions about NMAP uday kumar kunta (Sep 04)
- Re: Fundumental Questions about NMAP Andreas Ericsson (Sep 04)
- Re: Fundumental Questions about NMAP sgarcia (Sep 05)
- Re: Fundumental Questions about NMAP Andreas Ericsson (Sep 04)