Newbie : NMAP decoy mode?
Results 1 to 10 of 10

Thread: Newbie : NMAP decoy mode?

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    Post Newbie : NMAP decoy mode?


    Does any body knows about decoy mode in nmap, seems to be a bounce features or something?


    [blur]HEBUS le troll des montagnes [/blur]

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    3 choices about this thread for getting no responses:

    1- Subject is for dumbs (I quite agree -> I'll delete it if possible)
    2- Nobody care about decoy nmap option
    3- Nobody knows about decoy nmap option

    For the guys in 3- decoy allows to hide a valid scan probe into a storm (n probes with different source @ only one is the scanner's) => It's a way to try anonymous scan
    [shadow] SHARING KNOWLEDGE[/shadow]

  3. #3
    Most Admin Security packages can detect almost any nmap scan… As far as an anonymous scan, how could one catch something like this? Are there any known methods to detect this sort of scan? I’ll look…

    Also, another good question: What other scanners do hax0rs use? And how can they be detected? What software packages claim this?

    . Causes a decoy scan to be performed which makes it
    . appear to the remote host that the host(s) you
    . specify as decoys are scanning the target network
    . too. Thus their IDS might report 5-10 port scans
    . from unique IP addresses, but they won't know which
    . IP was scanning them and which were innocent
    . decoys. While this can be defeated through router
    . path tracing, response-dropping, and other "active"
    . mechanisms, it is generally an extremely effective
    . technique for hiding your IP address.


    http://www.linuxkurser.nu/manpage.html
    When you connect to your ISP, you are potentially opening your computer to the world. There are \'naughty people\' out there who enjoy breaking into other people\'s computers. Give some thought to the security of your computer...
    http://www.AntiOnline.com/sig.php?imageid=360

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The decoy scan is _entirely_ reliant on the time, money and determination of the attacked sysadmin. The decoy works by flooding with spoofed addresses and having the scanners own IP hidden in a large number of scans. Wanna find the source? Ping away and make note of the TTL returned. Look at the logs of the scans and determine which IP(s) match the number of hops. Ping not working? Use tracert instead..... It'll give you a good idea of the probable source even if it doesn't go all the way...... It also takes time.... but it could be scripted and logged.

    So.... now we have a short list of sources...... Now let's say the destination, (scanned), network was the FBI....... Wanna guess how long and how much of your tax dollars they will spend since 9/11? I would think that anyone serious about attacking a deep pocketed, sensitive subject network would probably stay soooooo far away from a decoy scan that it would be frightening..... It's a lot like saying "here I am Mr. Gman... Come fetch me"......<LOL>

    Now, of course, if you are going after "Cleetus' Online Butchery and Bait Shop" that he runs from his own outhouse he probably won't be bothered going through 1000 ping/tracert tests to see if he can find you........
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    Results for man nmap

    NMAP(1) NMAP(1)


    -D <decoy1 [,decoy2][,ME],...>
    Causes a decoy scan to be performed which makes it
    appear to the remote host that the host(s) you
    specify as decoys are scanning the target network
    too. Thus their IDS might report 5-10 port scans
    from unique IP addresses, but they won't know which
    IP was scanning them and which were innocent
    decoys. While this can be defeated through router
    path tracing, response-dropping, and other "active"
    mechanisms, it is generally an extremely effective
    technique for hiding your IP address.

    Separate each decoy host with commas, and you can
    optionally use 'ME' as one of the decoys to repre-
    sent the position you want your IP address to be
    used. If your put 'ME' in the 6th position or
    later, some common port scan detectors (such as
    Solar Designer's excellent scanlogd) are unlikeley
    to show your IP address at all. If you don't use
    'ME', nmap will put you in a random position.

    Note that the hosts you use as decoys should be up
    or you might accidently SYN flood your targets.
    Also it will be pretty easy to determine which host
    is scanning if only one is actually up on the net-
    work. You might want to use IP addresses instead
    of names (so the decoy networks don't see you in
    their nameserver logs).

    Also note that some (stupid) "port scan detectors"
    will firewall/deny routing to hosts that attempt
    port scans. Thus you might inadvertantly cause the
    machine you scan to lose connectivity with the
    decoy machines you are using. This could cause the
    target machines major problems if the decoy is,
    say, its internet gateway or even "localhost".
    Thus you might want to be careful of this option.
    The real moral of the story is that detectors of
    spoofable port scans should not take action against
    the machine that seems like it is port scanning
    them. It could just be a decoy!

    Decoys are used both in the initial ping scan
    (using ICMP, SYN, ACK, or whatever) and during the
    actual port scanning phase. Decoys are also used
    during remote OS detection ( -O ).

    It is worth noting that using too many decoys may
    slow your scan and potentially even make it less
    accurate. Also, some ISPs will filter out your
    spoofed packets, although many (currently most) do
    not restrict spoofed IP packets at all.
    Is that what youre looking for?

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    I agree with Tiger Shark. I do network security for a large network. I personally could not care
    less about spoofed addy's and the such during a network scan. Who cares!!! It is only a scan.
    When I start seeing hacks flying across to my network then I start to pay attention. Then I do
    a pull on the ip for the entire day and or week ;-)

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    (A little off the subject but.....)

    I read an interesting article a while back about a group of guys who are actively testing a new "IDS" system. The premise of this device is to identify (through "smart" filtering) potential real threats by analysing port scans. These guys believe that most attacks begin with scanning a host or network (duh). Their appliance will attempt to alert you to a particular threat by analysing various types of scans that are thrown against your network and then dynamically change configs if a certain criteria is met.

    Has anyone seen an appliance like the one I've read about? I forgot the name of it so I thought I'd mention it here to see if others have heard about this device. I wanted to use it in an example but I can't remember the name of it.

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    There is many way to scan a network (reading nmap manpage gives many datails!)

    Each type of scanning is based on a logical serie of data transmistted over the network for many of them there is an IDS ruleset you can define to detect such probes.

    You can have a look on the well known IDS SNORT ruleset available on snort.org
    ruleset
    [shadow] SHARING KNOWLEDGE[/shadow]

  9. #9
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Hereby a link to a good withepaper on NMAP decoy uses & tracking:

    http://www.whitehats.com/library/nmap/index.html
    [shadow] SHARING KNOWLEDGE[/shadow]

  10. #10
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Nmap is an excellent tool for scanning your own machine or networks for open ports, and to
    test to a limited extent your f/w ruleset. To do the above mentioned properly though there
    are other tools such as nessus amongst others. Or just craft your own packets and try and
    break your stack yourself.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •