Nmap Development mailing list archives
Re: SYN Scan values - article
From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 23 Jun 2006 10:52:30 +0200
On Wed, Jun 21, 2006 at 11:11:24PM -0400, kx wrote:
> Set the DF bit.
This raises the possibility that the SYN packet will not get through, doesn't it?
> Set the TTL to 64 or 128 or vary by OS
This way we could reveal the distance of the scanner from the target. No big deal, though...
> Also, another thing I was wondering about, is what does our RST signature look like compared to real OSes?
Nmap doesn't generate the RST by itself, but (generally) it is generated by the OS the scanner is running on (as a response to the unsolicited SYN+ACK packets coming back from the target). Hence, the RST should match the real OS the scanner is running on.
> I am just trying to think of ways to make our SYN scans stick out less to potential IDS rules. Curious on your thoughts.
Well, I think that we would still match from a behavior point of view (too many SYNs to different ports over a short time period).
Martin Mačok
ICT Security Consultant
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
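The behavioral point in the reply above (many SYNs to different ports in a short time, whatever the DF bit or TTL says), as an added example that is not part of the original thread or of Nmap: a minimal sliding-window detector over constructed flow records. The record format, addresses, window and threshold are assumptions chosen for illustration; it also shows the limit of such a rule, since a slow scan spread beyond the window is not flagged.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# Only src, dst, port, time and the bare-SYN flag matter here; DF and TTL
# never enter the decision, which is the point made in the reply above.
SAMPLE_EVENTS = (
    # Fast scan: 12 distinct ports on one host within 1.2 s.
    [(0.1 * i, "10.0.0.5", "192.0.2.10", 20 + i, "S") for i in range(12)]
    # Normal client: repeated SYNs to only two ports (80 and 443).
    + [(0.5 * i, "10.0.0.7", "192.0.2.10", 80 if i % 2 else 443, "S") for i in range(12)]
    # Slow scan: 12 distinct ports, one every 10 s (outside a 5 s window).
    + [(10.0 * i, "10.0.0.9", "192.0.2.10", 20 + i, "S") for i in range(12)]
    # An ACK from the normal client: not a bare SYN, so it is ignored.
    + [(1.0, "10.0.0.7", "192.0.2.10", 443, "A")]
)


def detect_syn_scans(events, window_s=5.0, port_threshold=10):
    """Return {(src_ip, dst_ip): first_trigger_time} for every source that sent
    bare SYNs to at least port_threshold distinct ports on one target within
    any sliding window of window_s seconds."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) inside the window
    alerts = {}
    for ts, src, dst, dport, flags in sorted(events):
        if flags != "S":  # only SYN-without-ACK probes count
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        # Evict probes that have aged out of the sliding window.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= port_threshold and key not in alerts:
            alerts[key] = ts  # record the first moment the rule fires
    return alerts


if __name__ == "__main__":
    for (src, dst), when in detect_syn_scans(SAMPLE_EVENTS).items():
        print(f"possible SYN scan from {src} against {dst} at t={when:.1f}s")
    # Widening the window is what it takes to catch the slow scanner.
    print("with a 200 s window:", detect_syn_scans(SAMPLE_EVENTS, window_s=200.0))
```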
Current thread:
- SYN Scan values - article kx (Jun 21)
- Re: SYN Scan values - article Felix Gröbert (Jun 22)
- Re: SYN Scan values - article Martin Mačok (Jun 23)
- Re: SYN Scan values - article kx (Jun 24)
- Re: SYN Scan values - article Fyodor (Jun 24)
- Re: SYN Scan values - article Martin Mačok (Jun 25)
- Re: SYN Scan values - article kx (Jun 24)