Nmap Development mailing list archives

RE: how to scan hosts protected by reactive firewall/ips?


From: Stephen Kleine <skleine.h6foc1 () cwfinc com>
Date: Wed, 12 May 2010 14:51:48 -0400

I've run into the same thing against Watchguard firewalls; using the -T2 switch seems to get around the IPS for -most-
of them, although I've been fighting against one that trips regardless. I've yet to use -T1 against that particular
firewall.

-----Original Message-----
From: Richard Miles [mailto:richard.k.miles () googlemail com] 
Sent: Wednesday, May 12, 2010 12:29 PM
To: nmap-dev () insecure org
Subject: how to scan hosts protected by reactive firewall/ips?

Hi

I have 10 hosts on the same network protected by a very hostile and
reactive firewall/ips, consequently when I try to scan it I get:

All 1000 scanned ports on XXX-YYY-ZZZ-AAA.host.com (XXX.YYY.ZZZ.AAA) are filtered
Too many fingerprints match this host to give specific OS details

It happens on all the hosts, while this one in particular has at
least a web server on ports 80 and 443, because I can connect with
Firefox.

I tried to use -D (Decoy) with 7 hosts, but I got the same results.
Should that not happen? Can't all hosts be used as a decoy? For example
www.microsoft.com?

I also tried "--scan-delay 2 -randomize-hosts --max-rate 5" and I got
the same problem.

What values do you generally use for --scan-delay? And for --max-rate?

Is the value of --scan-delay in seconds?

For the basic scan I'm using the options "-PN -sV -sC -O".

Please advise me of other techniques.

Thank you

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/