Penetration Testing mailing list archives

Re: nmap -S option


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Thu, 15 Feb 2007 09:57:45 +0100

On Wednesday 14 February 2007 at 01:13 -0800, Baris Erdogan wrote:
When I use the "nmap -sS targetaddress -S spoofaddress -e eth0" command,
nmap does not show open ports at the end of the scan.
I want to know whether this is a normal case or not.
Do I misuse nmap options?

-S is used to spoof the source IP address. So, if you spoof a source
address, there's a considerable chance you may not get the replies from
your target, as they will be destined to the very IP address you're
spoofing. Usually, the -S parameter is mostly used for decoys, although a
dedicated option is available for that purpose.

Now, practical example, where you're A spoofing C to scan B:

          A ---- SYN(src=C) ----> B ---- SYN/ACK ----> C

A does not see any reply from B, deducing there are only filtered ports
on B. OK? If you want to actually get something back from your scan,
you'll have to make sure replies from B to C come back to A, like ARP
cache poisoning or any traffic redirection technique you may think of.

You can also think of using the Idle Scan technique, provided you can predict C
is idle and has a predictable IP ID generator. You can find more info
on the Nmap website:

        http://insecure.org/nmap/idlescan.html

Using nmap, you will launch:

        nmap -sI spoofaddress:openport targetaddress -e eth0


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

