NMAP 3.48 Tutorial - Lesson 4 - Stealth Scans - Page 2

Thread: NMAP 3.48 Tutorial - Lesson 4 - Stealth Scans

  1. #11
    Junior Member
    Join Date: Nov 2003
    Posts: 29
    Wow, that was a great tutorial! I learned a lot from that.

    -Ben
    There are sports cars. Then there's the Z.
    240Z 260Z 280Z 280ZX 300ZX 350Z

  2. #12
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,883
    quote:
    220 Crack House - Da Masta Gangstaz
    Login credentials accepted by ftp server!


    HEY, Hoss..... Leave my bloody servers alone..... DAMMIT......

    Nice work..... Where do you want me to put your toys?
    LOL, Tiger, I had no idea you were a "Masta Gangsta" too.

    Actually, we use names like that in proof-of-concept demonstrations. Using colorful names like that seems to get non-technical managers a little more interested when we create the image of the mean evil haxor. All I can tell ya is that it works in getting them interested, and that's why we name our lab boxes in such ways. Of course my home FTP server is named "Icy Hot Stunta".
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,883
    For anyone who is interested, the Ricoh Aficio 1075 departmental all-in-one printer has an anonymous FTP service running that will allow you to bounce NMAP scans (see the tut) off of it. I found this while doing an audit on the product. Needless to say, this POS will not be getting near an RJ45 jack in our facility. It also has a large list of other issues, but this is the only one that is associated with this tut.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    Trumpet-Eared Gentoo Freak
    Join Date: Jan 2003
    Posts: 992
    hey,

    I was playing around with this and found something rather interesting. MsMittens suggested I post it here.
    OK, two friends of mine were each willing to take a separate scan and look in their IDS or firewall, to see what the IDS's would see.
    The guy with the firewall/router saw only the scan coming off the zombie, which is good. The guy with the IDS saw the nmap scan coming with three different zombies. He logged my origin IP.

    This is my output:

    On both targets I used at least one of the same working bounce hosts.

    root@Furious shrekkie # nmap -v -P0 -sI A.B.C.D *.*.*.*

    Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-07 20:27 Local time zone must be set--see zic manual page
    Host target.com (*.*.*.*) appears to be up ... good.
    Idlescan using zombie A.B.C.D (A.B.C.D:80); Class: Incremental
    Initiating Idlescan against target.com (*.*.*.*)
    All 1657 scanned ports on target.com (*.*.*.*) are: closed

    Nmap run completed -- 1 IP address (1 host up) scanned in 79.691 seconds
    OK, as you can see the nmap run finished successfully. Are even these idlescans rafled by IDS's these days? Obviously the firewall was fooled.
    Also note that the primary objective was not to find open ports here, only to see how the firewall/IDS would act.

    Here is an example of the IDS log:

    [06/Jan/2004 20:22:21] "Ids" action = permitted, raddr = MY.ORIGIN.IP.HERE , msg = '"Port scan has been detected"', url = '', direc = in, class = 'network-scan', priority = portscan
    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

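The IDS record quoted in the post above is the only clue to why the scan was attributed to the origin address rather than to the zombie. As an added example (not code from the poster or from any IDS vendor), here is a small parser for that `[timestamp] "module" key = value, ...` alert format, plus a function that groups port-scan alerts by remote address so a defender can see which source an IDS is actually blaming. The first sample line is the one from the post; the other lines are constructed here to exercise grouping and a non-scan record, and the exact field layout is assumed from that single quoted line.

```python
import re
from collections import Counter

# Assumed record layout, taken from the single line quoted in the post:
#   [dd/Mon/yyyy HH:MM:SS] "Module" key = value, key = 'quoted value', ...
# Values may be bare, single-quoted, or single-quoted with inner double quotes.
HEADER_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+"(?P<module>[^"]+)"\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r"(?P<key>\w+)\s*=\s*(?:'(?P<quoted>[^']*)'|(?P<bare>[^,]*))")

# Constructed sample log. Line 1 is the record from the post (with its
# placeholder address); the remaining lines are made up for this example and
# use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "[06/Jan/2004 20:22:21] \"Ids\" action = permitted, raddr = MY.ORIGIN.IP.HERE , "
    "msg = '\"Port scan has been detected\"', url = '', direc = in, "
    "class = 'network-scan', priority = portscan",
    "[06/Jan/2004 20:24:05] \"Ids\" action = permitted, raddr = 192.0.2.10 , "
    "msg = '\"Port scan has been detected\"', url = '', direc = in, "
    "class = 'network-scan', priority = portscan",
    "[06/Jan/2004 20:25:40] \"Ids\" action = permitted, raddr = 192.0.2.10 , "
    "msg = '\"Port scan has been detected\"', url = '', direc = in, "
    "class = 'network-scan', priority = portscan",
    "[06/Jan/2004 20:26:00] \"Ids\" action = permitted, raddr = 198.51.100.7 , "
    "msg = '\"Suspicious HTTP request\"', url = '/index.html', direc = in, "
    "class = 'web-attack', priority = low",
    "this line is deliberately not an IDS record",
]


def parse_ids_line(line):
    """Return a dict of fields for one IDS record, or None if the line does not match."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {"timestamp": m.group("ts"), "module": m.group("module")}
    for f in FIELD_RE.finditer(m.group("rest")):
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        # Drop surrounding whitespace and the inner double quotes seen in msg values.
        rec[f.group("key")] = value.strip().strip('"')
    return rec


def is_portscan(rec):
    """True when the parsed record is a port-scan alert in the quoted format."""
    return (
        rec is not None
        and rec.get("class") == "network-scan"
        and rec.get("priority") == "portscan"
    )


def scan_sources(lines):
    """Count port-scan alerts per remote address (raddr) across the whole log."""
    counts = Counter()
    for line in lines:
        rec = parse_ids_line(line)
        if is_portscan(rec):
            counts[rec["raddr"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr, n in sorted(scan_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{addr}: {n} port-scan alert(s)")
```

Running the block lists each remote address with its alert count. Applied to a real log from the experiment described in the post, the interesting check is whether the addresses that show up are the zombies or the scanning host: the firewall in the post saw only the zombie, while the IDS recorded the origin, so comparing both views per source address is what tells you which sensor saw through the bounce.
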
  5. #15
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,883
    Yes, the idle scan technique is *verrry* effective, which makes it that much more dangerous.

    Would this be the experiment you IMed me about Shrekkie?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #16
    Trumpet-Eared Gentoo Freak
    Join Date: Jan 2003
    Posts: 992
    thehorse13,

    No, I did two different ones myself today. I can't understand how the IDS picked it up, though.

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby
