Nmap Development mailing list archives
Re: Sniffing nmap output
From: Martin Mačok <martin.macok () underground cz>
Date: Sun, 5 Dec 2004 17:44:12 +0100
On Sun, Dec 05, 2004 at 10:07:08AM -0500, W S N wrote:

> Could one identify other people running scans

http://www.openwall.com/scanlogd/

Scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article (P53-13). Thus, unlike some of the other port scan detection tools out there, scanlogd is designed to be totally safe to use.

> or even identify the results of someone else's scan?

Getting the list of open ports:

$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

> For instance, I might be able to passively learn the ports or operating
> system of a system that someone else scanned.

http://lcamtuf.coredump.cx/p0f.shtml

p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine the operating system and other configuration properties of a remote host. The process is completely passive and does not generate any suspicious network traffic.

You may also be interested in Nevo (expensive commercial product):
http://www.tenablesecurity.com/nevo.html

Martin Mačok
IT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org
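Added example, not part of the original message: the same flag test as the tcpdump filter above, applied in Python to raw IPv4/TCP headers, to show what a passive observer can read from SYN/ACK replies. The packets, addresses and the helper names `build_packet` and `synack_endpoints` are constructed for illustration; note that the test matches the SYN/ACK of any handshake, not only replies to a scan.

```python
import socket
import struct

SYN, RST, ACK, ECE = 0x02, 0x04, 0x10, 0x40   # TCP flag bits
MASK = SYN | ACK                              # (tcp-syn|tcp-ack) in the filter


def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP headers (checksums left at zero) for the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def synack_endpoints(packets):
    """Return {(ip, port)} of senders whose packet has both SYN and ACK set."""
    seen = set()
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue                          # not IPv4 carrying TCP
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
            continue                          # later fragment: no TCP header here
        tcp = pkt[(pkt[0] & 0x0F) * 4:]       # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue                          # truncated before the flags byte
        if tcp[13] & MASK == MASK:            # tcp[tcpflags] is TCP header byte 13
            sport = struct.unpack("!H", tcp[0:2])[0]
            seen.add((socket.inet_ntoa(pkt[12:16]), sport))
    return seen


# Constructed sample: one prober, one target, three probed ports.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 40000, 22, SYN),
    build_packet("198.51.100.5", "192.0.2.10", 22, 40000, SYN | ACK),        # open
    build_packet("192.0.2.10", "198.51.100.5", 40000, 23, SYN),
    build_packet("198.51.100.5", "192.0.2.10", 23, 40000, RST | ACK),        # closed
    build_packet("192.0.2.10", "198.51.100.5", 40000, 80, SYN),
    build_packet("198.51.100.5", "192.0.2.10", 80, 40000, SYN | ACK | ECE),  # open
]

if __name__ == "__main__":
    for ip, port in sorted(synack_endpoints(SAMPLE)):
        print(f"{ip}:{port} answered with SYN/ACK")
```

Because the comparison masks before testing equality, a SYN/ACK that carries extra flags still matches, while a bare SYN or an RST/ACK does not.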