Penetration Testing mailing list archives
RE: Changing Source Port For Nmap Idle Scan
From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 28 Mar 2005 21:06:18 -0600
You can't do that directly; there is no option specific to -sI that will allow you to change the source port (at least none that I'm aware of). The documentation for -g (--source_port) states that nmap will ignore this parameter if it doesn't think it applies to a certain combination of options (and this seems to be the case here). Yet, you can overcome this more or less easily. Q&D solution to avoid messing up with nmap's code: put a redirection filter on the machine that you are scanning from. You can use iptables and POSTROUTING with Linux, for example (since you are only mangling traffic coming from the spoofed address this shouldn't affect other networking capabilities). Simply put a rule like this one (assuming you have iptables up and running with all required modules): iptables -A POSTROUTING -t nat -p tcp -s 192.168.1.101 -j SNAT --to 192.168.1.101:139 In this example, 192.168.1.101 is the address of the Zombie. So, anything you spoof using TCP and this address as source will be changed, so that the source port is 139. Run nmap with idlescan option like this (target here is 192.168.1.254): nmap -sI 192.168.1.101 192.168.1.254 And there you go. Note that if you append the --packet_trace option to nmap you will still see that packets are coming from port 80 (nmap sees these packets before postrouting processing takes place). To be sure, just put a protocol analyzer listening (even on the same machine running the scan) and you will see that packets are being mangled properly, and the source port is still 139, in this example. This will apply as well when scanning selected ports. I hope this helps. Kind regards, Omar Herrera
-----Original Message----- From: SecureHacK [mailto:debonaire52 () hotmail com] Sent: Sunday, March 27, 2005 8:51 PM To: pen-test () securityfocus com Subject: Changing Source Port For Nmap Idle Scan Hello I have a quick question I have been experimenting with idle scanning and I have read the paper on it and I have an understanding of what goes on during the process I am also an avid nmap user.What I am trying to figure out is is there anyway to change the port to use during the idle scan by default it's port 80 so using the -g option it should change the source port to whatever I want I have used this option but it still only uses port 80 is this changeable? For example find a machine with port 139 open could we change our source port to 139 and use that? Cheers
Current thread:
- Changing Source Port For Nmap Idle Scan SecureHacK (Mar 28)
- Re: Changing Source Port For Nmap Idle Scan Joachim Schipper (Mar 29)
- RE: Changing Source Port For Nmap Idle Scan Omar Herrera (Mar 29)