Nmap Announce mailing list archives
Re: NMAP guide
From: Fyodor <fyodor () dhp com>
Date: Tue, 6 Apr 1999 03:30:05 -0400 (EDT)
On Mon, 5 Apr 1999, Max Vision wrote:
> http://www.whitehats.com/nmap/ (It looks like a good spoofing effort is made but there is a give-away)
I suggest people take a look at this page -- it contains a packet by
packet analysis of what nmap is doing during a typical decoy SYN and OS
scan.
The page also argues that nmap decoy scans are detectable when used
with -sS because nmap doesn't spoof RST packets from the decoys in
response to the SYN|ACK packets received from open ports of the target
host. People are urged to check out the page and see if they can spot
the problem with the paper on their own. If you are having trouble,
here is a hint: He broke one of the cardinal rules of decoy scanning.
If you still aren't sure, carefully reread the -D section of the nmap
man page:
   -D <hostname or IP address>
          Causes a decoy scan to be performed which makes it
          appear to the remote host that the host you specify
          is scanning the target network. You can use this
          option numerous times to make it appear that many
          different machines are scanning the target
          addresses. Then even if the administrators do
          detect your stealth scan, they will see 5 or 10 of
          them and will not have any idea which of the hosts
          were actually scanning them and which were decoys.
          Note that the hosts you use as decoys should be up
          or you might accidentally SYN flood your targets.
          Also it will be pretty easy to determine which host
          is scanning if only one is actually up on the
          network.

          Also note that some (stupid) "port scan detectors"
          will firewall/deny routing to hosts that attempt
          port scans. Thus you might inadvertently cause the
          machine you scan to lose connectivity with the
          decoy machines you are using. This could cause the
          target machines major problems if the decoy is,
          say, its internet gateway or even "localhost".
          Thus you might want to be careful of this option.
          The real moral of the story is that detectors of
          spoofable port scans should not take action against
          the machine that seems like it is port scanning
          them!

          This option is only available for FIN, SYN, Xmas,
          and ICMP ping scans.
Cheers,
Fyodor
--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Like medieval peasants, computer manufacturers and millions of users are
locked in a seemingly eternal lease with their evil landlord, who comes
around every two years to collect billions of dollars of taxes in return
for mediocre services. --Mark Harris, Electronics Times
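The exchange the thread argues about, as an added example that is not part of the original message, the whitehats page, or nmap itself: a small Python model of what a sniffer on the target records during a decoy SYN scan of one open port, together with the RST-based heuristic the whitehats page relies on. All addresses are constructed. The model assumes that nmap sends its SYNs through a raw socket, so the scanning host's own kernel answers the target's SYN|ACK with a RST just as any other live host would, that nmap forges only the decoys' SYNs and never a RST on their behalf, and that a decoy that is down sends nothing.

```python
# Added example: a model of the packets a target sees during
# "nmap -sS -D decoy1,decoy2 target" against one open port, plus the
# "who answered our SYN|ACK with a RST" heuristic for unmasking the scanner.
# Not nmap code; all hosts and traffic below are constructed for illustration.
#
# Modelling assumptions (not measured on a real network):
#   - nmap injects SYNs via a raw socket, so the real scanner's kernel has no
#     matching socket and replies RST to the unexpected SYN|ACK, like any
#     other live host would.
#   - nmap spoofs only the SYN from each decoy; it never forges a RST.
#   - a decoy that is down (or filtered) is silent.
from dataclasses import dataclass
from typing import List, Set

TARGET = "10.0.0.5"  # constructed address of the scanned host
OPEN_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int   # target-side port being probed
    flags: str  # "S" (SYN), "SA" (SYN|ACK) or "R" (RST)


def observe_syn_scan(scanner: str, decoys_up: List[str],
                     decoys_down: List[str]) -> List[Packet]:
    """Return the packets a sniffer on TARGET records for one probe of OPEN_PORT."""
    trace: List[Packet] = []
    for src in [scanner, *decoys_up, *decoys_down]:
        # nmap emits one SYN from its real address and one per decoy address
        trace.append(Packet(src, TARGET, OPEN_PORT, "S"))
        # the port is open, so the target's stack answers every SYN it sees
        trace.append(Packet(TARGET, src, OPEN_PORT, "SA"))
        # only hosts that are actually up tear the half-open connection down
        if src == scanner or src in decoys_up:
            trace.append(Packet(src, TARGET, OPEN_PORT, "R"))
    return trace


def syn_senders(trace: List[Packet]) -> Set[str]:
    return {p.src for p in trace if p.dst == TARGET and p.flags == "S"}


def rst_senders(trace: List[Packet]) -> Set[str]:
    return {p.src for p in trace if p.dst == TARGET and p.flags == "R"}


def likely_scanners(trace: List[Packet]) -> Set[str]:
    """whitehats-style heuristic: SYN sources that also answered with a RST."""
    return syn_senders(trace) & rst_senders(trace)


def dead_decoys(trace: List[Packet]) -> Set[str]:
    """SYN sources that never sent a RST: these can only be decoys that are down."""
    return syn_senders(trace) - rst_senders(trace)


if __name__ == "__main__":
    scanner = "192.0.2.10"
    decoys = ["198.51.100.1", "198.51.100.2"]

    # Decoys down: the cardinal rule is broken and the heuristic singles
    # out the real scanner, since its kernel is the only one sending RSTs.
    bad = observe_syn_scan(scanner, decoys_up=[], decoys_down=decoys)
    print("decoys down ->", likely_scanners(bad), "dead decoys:", dead_decoys(bad))

    # Decoys up: every SYN source also sends a RST, so the heuristic returns
    # all of them and cannot tell the scanner from the decoys.
    good = observe_syn_scan(scanner, decoys_up=decoys, decoys_down=[])
    print("decoys up   ->", likely_scanners(good), "dead decoys:", dead_decoys(good))
```

Running it shows the point of the hint: with the decoys down, `likely_scanners` returns only the scanner, while with live decoys it returns all three SYN sources and the detector is left with the "5 or 10" candidates the man page promises.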
Current thread:
- NMAP guide Lamont Granquist (Apr 05)
- Re: NMAP guide Max Vision (Apr 05)
- Re: NMAP guide Fyodor (Apr 06)
- Re: NMAP guide Max Vision (Apr 06)
- Re: NMAP guide Lamont Granquist (Apr 06)
- Re: NMAP guide Fyodor (Apr 06)
- Re: NMAP guide Max Vision (Apr 05)
