Nmap Development mailing list archives

Re: Implemented non-repeating "extra_payload"


From: Andrew Jason Farabee <afarabee () uci edu>
Date: Fri, 5 Dec 2014 13:48:03 -0800

This is embarrassing, I guess I should have considered that IDS's that go
as far as looking at the payload would be able to tell a scan was occurring
just based on one IP sending packets to every port.

Also, a forensic team could probably determine when a user started a new
scan based on timing and scan patterns even if "--data-length" isn't used.

The same goes for determining what nmap scripts are looking for.  In order
to be affected, a script would have to call nmap with new options as a
response to another nmap instance's output.  And even in that case I think
the timing and scan patterns would be enough to determine the same amount
about the script, even if "--data-length" wasn't used.

And with decoy scans, anyone who is looking at the packets can tell that
decoy scans are taking place based on timing, so it doesn't really matter
whether the packets share a payload or have different

Sorry for wasting your time, I appreciate how polite you've been.

TL;DR
The patch is pretty pointless because timing and scan patterns reveal just
as much as payload contents.

On Fri, Dec 5, 2014 at 7:42 AM, Royce Williams <royce () techsolvency com>
wrote:

On Wed, Dec 3, 2014 at 8:01 PM, Fyodor <fyodor () nmap org> wrote:


On Fri, Nov 21, 2014 at 2:46 PM, Andrew Jason Farabee <afarabee () uci edu>
wrote:

I'm sure you all are busy but I was wondering if anyone could take a
look at my changes to the nmap git at
https://github.com/andrewfarabee/nmap and let me know what you think.
The changes are very minimal and it still runs efficiently. I'm also
attaching a paper on the logic behind the changes.  Thanks a lot for your
time, I would appreciate any feedback!


Thanks for the interesting writeup and patch!  It's not really clear
which is "better" in general--the current fixed string behavior or choosing
new random packet data for each packet.  There are (tiny) advantages and
disadvantages to each.  But it is good that your patch is available in case
anyone ever encounters a need for that behavior.


Andrew, which specific IDS/IPS/etc currently detect scanning based on the
characteristics that your patch changes, and no longer detect nmap scans
when your patch is applied?

Royce

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
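The detection logic the thread argues about, written out as an added example (not code from the nmap-dev thread, from Andrew's patch, or from the nmap project): a sliding-window rule that alerts when one source reaches many distinct destination ports within a few seconds, without ever reading the payload. It also exercises the thread's timing point: the same probes spread out at one per second stay under the threshold of this simple rule. The record format, the sample traffic and the thresholds are constructed for this example and are not any real IDS's defaults.

```python
"""Port-scan detection by destination-port fan-out, ignoring payload bytes.

Added example, not from the nmap-dev thread or the nmap project. The record
format (timestamp, src_ip, dst_ip, dst_port, payload), the sample traffic
and the thresholds below are constructed assumptions for the demonstration.
"""
from collections import defaultdict, deque
import os

# Detection thresholds (assumed values, not taken from any product)
WINDOW_SECONDS = 10.0   # sliding window kept per source address
DISTINCT_PORTS = 20     # distinct destination ports in the window that alert


def detect_port_scans(records, window=WINDOW_SECONDS, threshold=DISTINCT_PORTS):
    """Return {src_ip: first_alert_timestamp} for sources whose distinct
    destination-port fan-out within `window` seconds reaches `threshold`.

    `records` must be (ts, src_ip, dst_ip, dst_port, payload) tuples in time
    order. The payload is carried through but deliberately never inspected:
    the verdict depends only on timing and port coverage.
    """
    per_src = defaultdict(deque)   # src_ip -> deque of (ts, dst_port)
    alerts = {}
    for ts, src, _dst, dport, _payload in records:
        if src in alerts:          # already reported, no need to keep counting
            continue
        q = per_src[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts[src] = ts
    return alerts


def build_scan(src, dst, ports, start=0.0, gap=0.05, random_payload=False, size=16):
    """Constructed probe records for one source sweeping `ports`.

    random_payload=False gives every probe the same padding bytes (the fixed
    --data-length behaviour discussed in the thread); True gives each probe
    fresh random bytes (the patched behaviour).
    """
    fixed = b"\x00" * size
    return [(start + i * gap, src, dst, port,
             os.urandom(size) if random_payload else fixed)
            for i, port in enumerate(ports)]


def build_benign(src, dst, start=0.0, count=60):
    """A constructed client talking to two services: many packets, only two
    distinct ports, so the rule must stay quiet."""
    return [(start + i * 0.5, src, dst, (80, 443)[i % 2], b"GET / HTTP/1.1\r\n")
            for i in range(count)]


def payload_does_not_change_verdict(src="10.0.0.5", dst="10.0.0.9"):
    """Same sweep with fixed vs. random payloads: identical alert dictionary."""
    ports = range(1, 101)
    fixed = detect_port_scans(build_scan(src, dst, ports))
    randomized = detect_port_scans(build_scan(src, dst, ports, random_payload=True))
    return fixed == randomized


if __name__ == "__main__":
    traffic = (build_scan("10.0.0.5", "10.0.0.9", range(1, 101))            # fast sweep
               + build_benign("10.0.0.7", "10.0.0.9")                        # normal client
               + build_scan("10.0.0.6", "10.0.0.9", range(1, 101), gap=1.0)) # slow sweep
    traffic.sort(key=lambda r: r[0])
    print("alerts:", detect_port_scans(traffic))
    print("payload-independent:", payload_does_not_change_verdict())
```

Running it reports only 10.0.0.5, alerted at the twentieth probe, and confirms that swapping fixed padding for random bytes leaves the alert unchanged. The slow sweep from 10.0.0.6 never has more than eleven probes inside the ten-second window and so escapes this rule; that blind spot, not the payload, is what a defender tuning a fan-out detector needs to measure and cover with longer-lived state.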