
Thread: nmap is god... or is it? read on

  1. #1

    nmap is god... or is it? read on

    Greetings,

    Something just hit my mind and I would like the responses of all the brave souls here. Nmap, as we all know, is a port scanner on the highest level. It does its job well, from involving OS detection through window response times, to scan timing in between ports. Respect aside, nmap is also a major giveaway to a serious network penetration tester. Allow me to explain, and then I shall ask my question:

    1. Nmap detecting the OS by the window time frames sends a preconfigured package that is very commonly known by admins to be recognizable as nmap.

    2. Nmap using the Xmas method and quite a few other commonly used methods, in which it sends errored packages and reports the target's response, is also preconfigured packages by nmap and once again commonly known by admins to be recognizable as nmap.

    3. Take this packet information that identifies nmap directly; it has been placed into many IDS systems (even snort, if I remember) and thus when the silent scans, Xmas scan, are performed that IDS might not pick up on the actual scan, but it has noticed and sniffed the incoming packets enough to recognize it as an nmap scan packet. Thus, the use of nmap has set off flags even if your scan timing got past the IDS, because it sent errored packages for detection that only nmap uses (anything else using it would break TCP/IP standards).


    Please, correct me if I am wrong on any of the above. Now to my question: What other methods can be used to bypass an IDS? A good IDS detects port scans (even the best hackers can be detected, trust me) no matter the skill of the attacker, and now nmap-specific errored packages that make it so useful. I'm not looking for an answer of "Scan slower" or "scan randomly" because an IDS can still catch that in action. Is there a way to hand craft packets to directly send preconfigured packets made by you each time to whatever port you desired? Is there such a program for Linux? For Windows? For OpenBSD?

    Once we understand what else lies out there, we can begin to dig deeper into the land of security. Thank you for your time, and I look forward to the responses.

    regards,
    Pooh Sun Tzu

  2. #2
    There are a couple of ways to get around an IDS that I can think of. I know you can DoS one; it also depends on what the IDS is monitoring on ways to get around it.

    I could talk more about this in PMs.

    I am not sure about the Nmap packets being recognized; I wouldn't doubt it. Though I will say that there are a good percent of system admins that are basically idiots. I mean that literally: they only get M$ updates. They don't do anything else.

    I also say that is a good reason to code your own Port Scanner.

    Hmm... Let me see, I might have heard of something that does something like that; if I have I would have placed it in my notebook for a later occasion.

  3. #3
    No, no. My point was missed. I know how to get around IDS systems, but it was more focused towards port scanning and port detection since nmap doesn't do the job. Thus, what other method is there to get past an IDS that involves port detection? Since scanning, timing, and detection methods, period, are dead IDS giveaways when it comes to port scanning.

    Also, don't ever assume the admin is an idiot. One day that idiot may be a honeypot sitting for the first victim.

    Coding my own port scanners won't do it, and that was my point above. Scanning, period, is detectable, and in specific the way the scans are performed is detectable.

    Thoughts anyone?

  4. #4
    Computernerd22
    If you add the (-f option) the scanner fragments the packets it sends during the port scan. By using the (-f option) you avoid detection by a majority of IDSs. As I'm sure you're aware nmap has 'several options'. I use nmap on my Windows XP Professional box and my RedHat box; works great.

  5. #5
    Sending -f is one of the major giveaways though. Most IDSs by default are meant to trigger when they receive a fragmented packet, and most firewalls are set to go off when they receive a fragmented packet, dropping it completely.

    Example, below on my firewall:
    (prenote, obviously this isn't my entire firewall settings, but that's my own information to keep)

    Nmap won't cut it, nor any other port scanner, because they are IDS and firewall detectable to an entire degree. My original question, once again, was: is there a way to hand craft packets and send them out by hand?
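    The detection side of what posts #1 and #5 describe, as an added example that is not code from the thread: the Xmas/NULL/SYN+FIN flag combinations that violate TCP state rules, and fragmented probes, are exactly what a signature IDS matches on, plus a simple distinct-port count for the timing-independent sweep case. The packets are constructed in the script (not captured traffic), and the IP/port values and thresholds are assumptions.

```python
import struct
from collections import defaultdict

# TCP flag bits from the TCP header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

def build_probe(src, dst, dport, tcp_flags, frag_offset=0, more_frags=False):
    """Build a minimal IPv4+TCP packet. Constructed sample input, not captured traffic."""
    frag_field = (IP_MF if more_frags else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_field, 64, 6, 0,
                         bytes(src), bytes(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, tcp_flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr

def classify(pkt):
    """Label one packet the way a flag-combination IDS rule would."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    if frag_field & IP_MF or frag_field & 0x1FFF:
        return "fragmented"       # what -f produces; many filters alert on or drop these
    if pkt[9] != 6:
        return "non-tcp"
    flags = pkt[ihl + 13]
    if flags == 0:
        return "null-scan"        # no flags at all never occurs in a legitimate session
    if flags & (FIN | PSH | URG) == FIN | PSH | URG and not flags & (SYN | ACK | RST):
        return "xmas-scan"        # FIN+PSH+URG without ACK violates TCP state rules
    if flags & SYN and flags & FIN:
        return "syn-fin"          # mutually exclusive flags set together
    if flags & FIN and not flags & ACK:
        return "fin-scan"         # FIN is only valid inside an established connection
    return "normal"

def detect(packets, port_threshold=5):
    """Return {src: sorted alerts}: anomalous flag combos plus a distinct-port sweep count."""
    ports, alerts = defaultdict(set), defaultdict(set)
    for pkt in packets:
        src = ".".join(str(b) for b in pkt[12:16])
        ihl = (pkt[0] & 0x0F) * 4
        label = classify(pkt)
        if label != "normal":
            alerts[src].add(label)
        if label not in ("fragmented", "non-tcp"):   # non-first fragments carry no TCP header
            ports[src].add(struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0])
        if len(ports[src]) >= port_threshold:
            alerts[src].add("port-sweep")
    return {src: sorted(a) for src, a in alerts.items()}
```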

  6. #6
    There is no such thing as "perfect"; there is always going to be faults and ways around it, no matter what the subject is about (ie: OS's, firewalls, or even port scanning). I must agree with whizkid2300 about the fact that most admins are stupid even though this is a bit of a generalisation. There will always be the odd one out who is going to catch you, because where you're weak somebody else will be strong. It's how both hackers and admins depend on winning.
    -HDD

  7. #7
    Look, no one is answering my question, or seems to have read my posts.

    1. I don't care if admins are stupid. I am talking about myself, my network, and methods of getting past my IDS.

    2. I don't care if admins are stupid. If that is your tactic as a network penetration tester, I am sorry, but I would never hire you.

    3. This isn't about catching "hackers", it's about a possible way to hand craft your own packets to both A. get by the IDS scanning timings and B. get by the IDS' sniffer for errored and common packages (ie. nmap packets).

  8. #8
    phishphreek
    If you want to "hand craft packets" then look into something like hping2.

  9. #9
    Ah, there we go! Thank you! I wasn't sure if hand crafted packets were possible or not. This will certainly help a lot in future penetration testing and prevention.

  10. #10
    phishphreek
    BTW: If you haven't figured it out yet, the docs are included in the tarball.

    There are also some papers located @ http://www.hping.org/papers.html

    Have phun playing!