Vulnerability Development mailing list archives

Re: things to break..


From: thegnome () NMRC ORG (Simple Nomad)
Date: Tue, 25 Jan 2000 09:28:39 -0600


On Mon, 24 Jan 2000, John Galt wrote:

> Yeah, but it portscans every time you bring it up...I wonder if there's a
> way to "mask" a scan from portscan or nmap to look like a napster scan?

Certainly. I discussed briefly the idea of masking scan traffic to look
like normal traffic at a SANS talk last October and am currently writing a
paper on just that topic -- masking scans to look like normal traffic, and
therefore be ignored by busy admins looking at logs.

The problem with masking things as a napster server is that there are very
limited scans you can do. The nature of the traffic is not one that lends
itself to portscanning. For example, it is short and bursty (at least
during negotiation of the port). Web traffic, on the other hand, is much
easier to mimic because there is so much of it, and would allow you to
cover more ports in a quicker time.

So it could be done but if your intent was masking a port scan there are
other forms of traffic I'd consider first.

-         Simple Nomad        -  No rest for the Wicca'd  -
-      thegnome () nmrc org      -        www.nmrc.org       -
-  thegnome () bos bindview com  -      www.bindview.com     -

