Newbie : NMAP decoy mode?

**Networker** · December 16th, 2002, 06:34 PM

Does any body knows about decoy mode in nmap, seems to be a bounce features or something?

[blur]HEBUS le troll des montagnes [/blur]

**Networker** · December 19th, 2002, 07:21 PM

3 choices about this thread for getting no responses:

1- Subject is for dumbs (I quite agree -> I'll delete it if possible)
2- Nobody care about decoy nmap option
3- Nobody knows about decoy nmap option

For the guys in 3- decoy allows to hide a valid scan probe into a storm (n probes with different source @ only one is the scanner's) => It's a way to try anonymous scan

**pr0letariat** · December 19th, 2002, 07:36 PM

Most Admin Security packages can detect almost any nmap scan… As far as an anonymous scan, how could one catch something like this? Are there any known methods to detect this sort of scan? I’ll look…

Also, another good question: What other scanners do hax0rs use? And how can they be detected? What software packages claim this?

. Causes a decoy scan to be performed which makes it
. appear to the remote host that the host(s) you
. specify as decoys are scanning the target network
. too. Thus their IDS might report 5-10 port scans
. from unique IP addresses, but they won't know which
. IP was scanning them and which were innocent
. decoys. While this can be defeated through router
. path tracing, response-dropping, and other "active"
. mechanisms, it is generally an extremely effective
. technique for hiding your IP address.

http://www.linuxkurser.nu/manpage.html

***Tiger Shark*** · December 19th, 2002, 08:52 PM

The decoy scan is _entirely_ reliant on the time, money and determination of the attacked sysadmin. The decoy works by flooding with spoofed addresses and having the scanners own IP hidden in a large number of scans. Wanna find the source? Ping away and make note of the TTL returned. Look at the logs of the scans and determine which IP(s) match the number of hops. Ping not working? Use tracert instead..... It'll give you a good idea of the probable source even if it doesn't go all the way...... It also takes time.... but it could be scripted and logged.

So.... now we have a short list of sources...... Now let's say the destination, (scanned), network was the FBI....... Wanna guess how long and how much of your tax dollars they will spend since 9/11? I would think that anyone serious about attacking a deep pocketed, sensitive subject network would probably stay soooooo far away from a decoy scan that it would be frightening..... It's a lot like saying "here I am Mr. Gman... Come fetch me"......<LOL>

Now, of course, if you are going after "Cleetus' Online Butchery and Bait Shop" that he runs from his own outhouse he probably won't be bothered going through 1000 ping/tracert tests to see if he can find you........

***r3b00+*** · December 19th, 2002, 09:29 PM

Results for man nmap

NMAP(1) NMAP(1)

-D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it
appear to the remote host that the host(s) you
specify as decoys are scanning the target network
too. Thus their IDS might report 5-10 port scans
from unique IP addresses, but they won't know which
IP was scanning them and which were innocent
decoys. While this can be defeated through router
path tracing, response-dropping, and other "active"
mechanisms, it is generally an extremely effective
technique for hiding your IP address.

Separate each decoy host with commas, and you can
optionally use 'ME' as one of the decoys to repre-
sent the position you want your IP address to be
used. If your put 'ME' in the 6th position or
later, some common port scan detectors (such as
Solar Designer's excellent scanlogd) are unlikeley
to show your IP address at all. If you don't use
'ME', nmap will put you in a random position.

Note that the hosts you use as decoys should be up
or you might accidently SYN flood your targets.
Also it will be pretty easy to determine which host
is scanning if only one is actually up on the net-
work. You might want to use IP addresses instead
of names (so the decoy networks don't see you in
their nameserver logs).

Also note that some (stupid) "port scan detectors"
will firewall/deny routing to hosts that attempt
port scans. Thus you might inadvertantly cause the
machine you scan to lose connectivity with the
decoy machines you are using. This could cause the
target machines major problems if the decoy is,
say, its internet gateway or even "localhost".
Thus you might want to be careful of this option.
The real moral of the story is that detectors of
spoofable port scans should not take action against
the machine that seems like it is port scanning
them. It could just be a decoy!

Decoys are used both in the initial ping scan
(using ICMP, SYN, ACK, or whatever) and during the
actual port scanning phase. Decoys are also used
during remote OS detection ( -O ).

It is worth noting that using too many decoys may
slow your scan and potentially even make it less
accurate. Also, some ISPs will filter out your
spoofed packets, although many (currently most) do
not restrict spoofed IP packets at all.

Is that what youre looking for?

**don** · January 5th, 2003, 02:44 AM

I agree with Tiger Shark. I do network security for a large network. I personally could not care
less about spoofed addy's and the such during a network scan. Who cares!!! It is only a scan.
When I start seeing hacks flying across to my network then I start to pay attention. Then I do
a pull on the ip for the entire day and or week ;-)

***thehorse13*** · January 9th, 2003, 04:02 PM

(A little off the subject but.....)

I read an interesting article a while back about a group of guys who are actively testing a new "IDS" system. The premise of this device is to identify (through "smart" filtering) potential real threats by analysing port scans. These guys believe that most attacks begin with scanning a host or network (duh). Their appliance will attempt to alert you to a particular threat by analysing various types of scans that are thrown against your network and then dynamically change configs if a certain criteria is met.

Has anyone seen an appliance like the one I've read about? I forgot the name of it so I thought I'd mention it here to see if others have heard about this device. I wanted to use it in an example but I can't remember the name of it.

**Networker** · January 9th, 2003, 05:18 PM

There is many way to scan a network (reading nmap manpage gives many datails!)

Each type of scanning is based on a logical serie of data transmistted over the network for many of them there is an IDS ruleset you can define to detect such probes.

You can have a look on the well known IDS SNORT ruleset available on snort.org
ruleset

**Networker** · January 10th, 2003, 05:40 PM

Hereby a link to a good withepaper on NMAP decoy uses & tracking:

http://www.whitehats.com/library/nmap/index.html

**don** · January 10th, 2003, 06:24 PM

Nmap is an excellent tool for scanning your own machine or networks for open ports, and to
test to a limited extent your f/w ruleset. To do the above mentioned properly though there
are other tools such as nessus amongst others. Or just craft your own packets and try and
break your stack yourself.

Thread: Newbie : NMAP decoy mode?

Thread Tools

Display

Newbie : NMAP decoy mode?

Posting Permissions