Nmap Development mailing list archives

Re: Sniffing nmap output


From: Martin Mačok <martin.macok () underground cz>
Date: Sun, 5 Dec 2004 17:44:12 +0100

On Sun, Dec 05, 2004 at 10:07:08AM -0500, W S N wrote:

> Could one identify other people running scans

http://www.openwall.com/scanlogd/

Scanlogd is a TCP port scan detection tool, originally designed to
illustrate various attacks an IDS developer has to deal with, for
a Phrack Magazine article (P53-13). Thus, unlike some of the other
port scan detection tools out there, scanlogd is designed to be
totally safe to use.

> or even identify the results of someone else's scan?

Getting the list of open ports:
$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'

> For instance, I might be able to passively learn the ports or
> operating system of a system that someone else scanned.

http://lcamtuf.coredump.cx/p0f.shtml

p0f uses a fingerprinting technique based on analyzing the structure
of a TCP/IP packet to determine the operating system and other
configuration properties of a remote host. The process is completely
passive and does not generate any suspicious network traffic.


You may also be interested in Nevo (expensive commercial product):
http://www.tenablesecurity.com/nevo.html

Martin Mačok
IT Security Consultant
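
The flag test from the tcpdump filter above, applied to raw IPv4/TCP headers to show what a passive observer on the path learns from the replies to a scan. This is an added example, not part of the original message; the function names are hypothetical and the packets and addresses are constructed sample data.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10          # same bits as tcpdump's tcp-syn / tcp-ack
SYNACK = TCP_SYN | TCP_ACK

def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP header pair (sample data, checksums left zero)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def synack_source(packet):
    """Return (ip, port) of the sender if packet is an IPv4 TCP SYN/ACK, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                     # too short, not IPv4, or not TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                     # later fragment: carries no TCP header
    ihl = (packet[0] & 0x0F) * 4        # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 14:
        return None
    if (packet[ihl + 13] & SYNACK) != SYNACK:   # tcp[tcpflags] is TCP offset 13
        return None                     # bare SYN, RST/ACK, plain ACK, ...
    sport = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    return ".".join(map(str, packet[12:16])), sport

def open_ports(packets):
    """Map each responding host to the sorted ports it answered SYN/ACK from."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = synack_source(pkt)
        if hit:
            seen[hit[0]].add(hit[1])
    return {ip: sorted(ports) for ip, ports in seen.items()}

# Constructed capture: 192.0.2.10 probes 192.0.2.20, which replies.
SAMPLE = [
    build_packet("192.0.2.10", "192.0.2.20", 40000, 22, 0x02),   # SYN probe
    build_packet("192.0.2.20", "192.0.2.10", 22, 40000, 0x12),   # SYN/ACK: open
    build_packet("192.0.2.20", "192.0.2.10", 23, 40001, 0x14),   # RST/ACK: closed
    build_packet("192.0.2.20", "192.0.2.10", 80, 40002, 0x12),   # SYN/ACK: open
    build_packet("192.0.2.20", "192.0.2.10", 443, 40003, 0x52),  # SYN/ACK + ECE
]

if __name__ == "__main__":
    print(open_ports(SAMPLE))
```

Because the test is a mask comparison, a SYN/ACK that also carries other flag bits (the ECE reply in the sample) still matches, while the probe SYNs and RST/ACK replies do not.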
