Penetration Testing mailing list archives
Re: [PEN-TEST] Undetectible NMAP scans
From: Stefan Suurmeijer <stefan () SYMBOLICA NL>
Date: Wed, 23 Aug 2000 13:53:55 +0200
On Tue, 22 Aug 2000, Steve Cody wrote:
> I was recently testing one of my firewalls using nmap. I used an option that I don't use much, the -sX (XMAS scan). I noticed that my ipchains based (Redhat 6.2) firewall did not make a single log entry during the entire scan. Also, the system that I scanned from was able to identify all of the services listening on my system, more importantly, it detected the listening, but blocked, ports. For example, I have port 110 blocked. However, on my internal home network, I connect to it for my POP3 mail. The scan was able to determine that port 110 is listening, even though that system cannot connect to it. The thing that disturbs me is that I was able to do a scan of my system and have it not be detected at all. All previous, and subsequent scans from that same host, if I did not use the -sX option in NMAP, create many entries in my log.
I think it's almost impossible to stop stealth scanning altogether without giving up needed functionality. Personally, I use scanlogd, which nicely detects every kind of scan, including X-mas scans.
> Does anyone know what I can do with ipchains to make it more sensitive to this type of scan? I have since installed Port Sentry, so that scan is picked up by it, but still, I don't run Port Sentry on all of my systems for various reasons. Any ideas?
You could probably close up ipchains to the point where scanning is impossible, but only at the expense of making a rule for every single network connection you want to allow. And even if that's possible, of which I'm not sure, for most systems that is probably unworkable. I guess accepting the fact that people can scan you, and making sure you log the scans is the best course of action. Scanlogd works great for me (http://www.false.com/security/scanlogd/)
> Steve Cody
Stefan

==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer () let rug nl
E-mail (private): stefan () symbolica nl
==========================================
Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown
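As an added illustration (not code from this thread or from scanlogd itself), here is a small Python detector in the spirit of what Stefan recommends: it reads the TCP flag byte, recognises the FIN/PSH/URG combination that nmap -sX sends, and reports a source host once it has probed a threshold of distinct ports, which is the kind of thing a plain ipchains ruleset never logs. The packet records, addresses, port threshold and function names are constructed for this example.

```python
import struct
from collections import defaultdict

# TCP flag bits as laid out in byte 13 of the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(tcp_header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    return tcp_header[13] & 0x3F


def is_xmas(flags: int) -> bool:
    """nmap -sX sets FIN, PSH and URG and clears SYN and ACK."""
    lit = FIN | PSH | URG
    return flags & lit == lit and not flags & (SYN | ACK)


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample header: seq/ack 0, data offset 5, window 1024, no checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def detect_xmas_scans(packets, threshold: int = 7) -> dict:
    """packets: iterable of (src_ip, raw_tcp_header).

    Returns {src_ip: sorted probed ports} for every source that sent XMAS
    probes to at least `threshold` distinct ports (scanlogd's counting idea,
    assumed here; a single stray probe stays below the threshold).
    """
    probed = defaultdict(set)
    for src, hdr in packets:
        if is_xmas(tcp_flags(hdr)):
            _, dport = struct.unpack("!HH", hdr[:4])
            probed[src].add(dport)
    return {src: sorted(p) for src, p in probed.items() if len(p) >= threshold}


# Constructed sample traffic: one XMAS sweep, one normal POP3 connect, one lone probe.
SCAN_PORTS = (21, 22, 25, 80, 110, 143, 443, 8080)
SAMPLE = [("10.0.0.5", build_tcp_header(40000 + i, p, FIN | PSH | URG))
          for i, p in enumerate(SCAN_PORTS)]
SAMPLE.append(("10.0.0.9", build_tcp_header(51000, 110, SYN)))            # legitimate client
SAMPLE.append(("10.0.0.7", build_tcp_header(52000, 80, FIN | PSH | URG)))  # below threshold

if __name__ == "__main__":
    for src, ports in detect_xmas_scans(SAMPLE).items():
        print(f"XMAS scan from {src}: ports {ports}")
```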
Current thread:
- [PEN-TEST] Undetectible NMAP scans Steve Cody (Aug 22)
- Re: [PEN-TEST] Undetectible NMAP scans Stefan Suurmeijer (Aug 23)
- Re: [PEN-TEST] Undetectible NMAP scans Devdas Bhagat (Aug 24)
- Re: [PEN-TEST] Undetectible NMAP scans Jose Nazario (Aug 26)
- Re: [PEN-TEST] Undetectible NMAP scans Aj Effin ReznoR (Aug 27)
- Re: [PEN-TEST] Undetectible NMAP scans Swen Schisler (Aug 28)
- Re: [PEN-TEST] Undetectible NMAP scans Devdas Bhagat (Aug 24)
- Re: [PEN-TEST] Undetectible NMAP scans Jan Muenther (Aug 26)
- Re: [PEN-TEST] Undetectible NMAP scans Stefan Suurmeijer (Aug 23)