Penetration Testing mailing list archives

Re: Different ways to portscan IPS


From: Daniel Miessler <daniel () danielmiessler com>
Date: Sun, 29 Nov 2009 00:29:11 -0500


On Nov 20, 2009, at 6:02 AM, Vimal™ wrote:

What are the different ways of port scanning the target when an IPS is in place?

Some of the methods I used are:

1. Delay the scan probes (nmap --scan-delay)

2. Integrating the scanner with TOR

A couple of things to think about. Look at what normal SYNs look like, and try and emulate them. Look at what bad SYNs 
look like, and don't look like those. I posted this a while back: http://danielmiessler.com/study/synpackets/ which 
shows that there are differences in traffic created by regular applications and traffic created by security tools.

Take notice of this, and adjust accordingly.

Also, just for giggles, consider using the decoy option with Nmap and loading in a list of DShield blacklisted 
addresses (assuming you're not trying to be quiet). It's likely to throw most off your trail.

--
Daniel R. Miessler
W: http://danielmiessler.com
E: daniel () danielmiessler com
P: 0x4048712D
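The defender's side of the two points above, as an added example that is not part of the original thread: a detector that counts distinct ports per source over a long window (so one SYN every few minutes, as with --scan-delay, still accumulates) and flags SYNs carrying none of the options a full OS stack normally negotiates. The log format, the sample lines and the EXPECTED_OPTS set are constructed assumptions, not a standard.

```python
from collections import defaultdict

# Constructed sample log (assumed format): epoch seconds, src IP, dst IP,
# dst port, TCP flags, TCP window, comma-separated TCP options.
# 10.0.0.5 probes four ports over ~11 minutes with MSS-only SYNs;
# 10.0.0.7 is an ordinary client reconnecting to one port.
SAMPLE_LOG = """\
1259452800 10.0.0.5 192.0.2.10 22 S 1024 mss
1259452800 10.0.0.7 192.0.2.10 443 S 64240 mss,sackOK,TS,nop,wscale
1259453020 10.0.0.5 192.0.2.10 80 S 1024 mss
1259453240 10.0.0.5 192.0.2.10 443 S 1024 mss
1259453460 10.0.0.5 192.0.2.10 8080 S 1024 mss
1259453470 10.0.0.7 192.0.2.10 443 S 64240 mss,sackOK,TS,nop,wscale
"""

# Options a full OS stack usually puts on a SYN (assumption: typical, not a
# rule; tune it to the baseline of your own traffic).
EXPECTED_OPTS = {"sackOK", "TS", "wscale"}

def parse(line):
    ts, src, dst, dport, flags, win, opts = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "flags": flags, "win": int(win), "opts": set(opts.split(","))}

def odd_syn(rec):
    """True when a SYN carries none of the options a normal stack sends."""
    return rec["flags"] == "S" and not (EXPECTED_OPTS & rec["opts"])

def detect_slow_scans(log_text, min_ports=4, window=3600):
    """Flag sources touching >= min_ports distinct ports within `window` s.
    Counting distinct ports over a long window is what a delayed scan
    cannot hide from: the rate stays low, but the port set keeps growing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["flags"] == "S":
            events[rec["src"]].append(rec)
    alerts = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        ports = {}  # dport -> last time it was probed
        for rec in recs:
            # Forget ports last seen outside the window, then add this one.
            ports = {p: t for p, t in ports.items() if rec["ts"] - t <= window}
            ports[rec["dport"]] = rec["ts"]
            if len(ports) >= min_ports:
                alerts[src] = {"ports": sorted(ports),
                               "odd_syns": sum(odd_syn(r) for r in recs)}
                break
    return alerts
```

Running it on SAMPLE_LOG reports only 10.0.0.5, with all four of its SYNs flagged as option-poor; widening `window` is the knob that trades memory for sensitivity to slower scans.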



