Nmap Development mailing list archives
Re: Implemented non-repeating "extra_payload"
From: Andrew Jason Farabee <afarabee () uci edu>
Date: Fri, 5 Dec 2014 13:48:03 -0800
This is embarrassing, I guess I should have considered that IDSes that go as far as looking at the payload would be able to tell a scan was occurring just based on one IP sending packets to every port. Also, a forensic team could probably determine when a user started a new scan based on timing and scan patterns even if "--data-length" isn't used.

The same goes for determining what nmap scripts are looking for. In order to be affected, a script would have to call nmap with new options as a response to another nmap instance's output. And even in that case I think the timing and scan patterns would be enough to determine the same amount about the script, even if "--data-length" wasn't used.

And with decoy scans, anyone who is looking at the packets can tell that decoy scans are taking place based on timing, so it doesn't really matter whether the packets share a payload or have different

Sorry for wasting your time, I appreciate how polite you've been.

TL;DR The patch is pretty pointless because timing and scan patterns reveal just as much as payload contents.

On Fri, Dec 5, 2014 at 7:42 AM, Royce Williams <royce () techsolvency com> wrote:
> On Wed, Dec 3, 2014 at 8:01 PM, Fyodor <fyodor () nmap org> wrote:
>> On Fri, Nov 21, 2014 at 2:46 PM, Andrew Jason Farabee <afarabee () uci edu> wrote:
>>> I'm sure you all are busy but I was wondering if anyone could take a look at my changes to the nmap git at https://github.com/andrewfarabee/nmap and let me know what you think. The changes are very minimal and it still runs efficiently. I'm also attaching a paper on the logic behind the changes. Thanks a lot for your time, I would appreciate any feedback!
>>
>> Thanks for the interesting writeup and patch! It's not really clear which is "better" in general--the current fixed string behavior or choosing new random packet data for each packet. There are (tiny) advantages and disadvantages to each. But it is good that your patch is available in case anyone ever encounters a need for that behavior.
>
> Andrew, which specific IDS/IPS/etc currently detect scanning based on the characteristics that your patch changes, and no longer detect nmap scans when your patch is applied?
>
> Royce
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
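The point conceded in the message above, that a scan is visible from one source fanning out across ports whether or not each probe carries the same extra payload, can be shown with a small detector. The following is an added example written for this archive page; it is not nmap code and not the patch under discussion. It runs two detectors over constructed packet records: a port fan-out detector keyed on (source, destination) and a payload-reuse detector that only fires when one payload string recurs across many ports. The traffic, the 16-byte payload length, the window and the thresholds are all assumptions chosen for the illustration.

```python
"""Added example (not nmap code): port fan-out reveals a scan regardless of
whether the per-probe payload is fixed (as with --data-length) or randomized."""
from collections import defaultdict
import random

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, payload)
def build_sample_traffic():
    rng = random.Random(7)  # seeded so the "random" payloads are reproducible
    packets = []
    # Scanner A: one fixed extra payload on every probe (fixed-string behaviour)
    fixed = bytes(rng.getrandbits(8) for _ in range(16))
    for i, port in enumerate(range(1, 65)):
        packets.append((100.0 + i * 0.01, "10.0.0.5", "192.0.2.10", port, fixed))
    # Scanner B: a fresh payload per probe (non-repeating behaviour)
    for i, port in enumerate(range(1, 65)):
        payload = bytes(rng.getrandbits(8) for _ in range(16))
        packets.append((200.0 + i * 0.01, "10.0.0.6", "192.0.2.10", port, payload))
    # Benign client: identical keepalive to a single port, one per second
    for i in range(64):
        packets.append((300.0 + i * 1.0, "10.0.0.7", "192.0.2.10", 443, b"ping"))
    return packets

def detect_port_scan(packets, window_s=5.0, threshold=20):
    """Return sources that touch >= threshold distinct ports on one destination
    within any window_s-second sliding window. Payload bytes are ignored."""
    flagged = set()
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in packets:
        by_pair[(src, dst)].append((ts, dport))
    for (src, _), events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # shrink the window from the left until it spans <= window_s
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

def detect_repeated_payload(packets, min_repeats=10):
    """Return sources that reuse one exact payload across >= min_repeats
    distinct destination ports. This is the only check the non-repeating
    payload defeats."""
    ports_by_src_payload = defaultdict(set)
    for _, src, _, dport, payload in packets:
        ports_by_src_payload[(src, payload)].add(dport)
    return {src for (src, _), ports in ports_by_src_payload.items()
            if len(ports) >= min_repeats}

if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("fan-out detector flags:  ", sorted(detect_port_scan(traffic)))
    print("payload-reuse detector flags:", sorted(detect_repeated_payload(traffic)))
```

Both scanners trip the fan-out detector; only the fixed-payload scanner trips the payload-reuse check, and the benign keepalive client trips neither. Randomizing the payload therefore removes one weak signature while leaving the stronger one (ports per source per unit time) untouched, which is the thread's conclusion.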
Current thread:
- Implemented non-repeating "extra_payload" Andrew Jason Farabee (Nov 22)
- Re: Implemented non-repeating "extra_payload" Fyodor (Dec 05)
- Re: Implemented non-repeating "extra_payload" Royce Williams (Dec 05)
- Re: Implemented non-repeating "extra_payload" Andrew Jason Farabee (Dec 05)
- Re: Implemented non-repeating "extra_payload" Royce Williams (Dec 05)
- Re: Implemented non-repeating "extra_payload" Fyodor (Dec 05)