-
February 9th, 2004, 02:45 PM
#11
Only invisible to a degree... If you have a hardware IDS that can log connections at the data-link level, then you'll detect the scan. (Of course, aside from government agencies, who uses this type of ultra-paranoid capability?)
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
February 9th, 2004, 03:08 PM
#12
Well, there are 3 main ways:
1) Use some kind of "bounce" attack (already covered by slarty)
2) Do it very slowly, to the point where the IDS will not trigger. For something to show up as a port scan, X number of ports will have to be requested in X time, so if you're below their threshold it will not see it as a port scan.
3) While port scanning, generate a large amount of scans with spoofed addresses. Therefore the person you are scanning cannot work out who is scanning them. Think about reading a firewall/IDS log that says 1500 different people are portscanning you; how would you know which one is the real attacker?
But having said all of that, nmap does all three.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
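The threshold logic behind point 2 and the log-flooding problem of point 3, as an added example that is not part of the original post: a minimal sliding-window port-scan detector in Python, run over constructed log lines. The log format, the threshold values and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
# Added example (not from the thread): a minimal threshold-based port-scan
# detector of the kind post #12 describes, run over constructed log lines.
from collections import defaultdict, deque
import re

# Constructed log format (assumption): "<epoch> SYN <src_ip> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(\d+) SYN (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Parse one constructed log line; return (ts, src, dst, port) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)


def detect_scans(lines, max_ports=10, window=60):
    """Flag a source once it has touched more than max_ports distinct
    destination ports within any sliding window of `window` seconds.
    Returns {src_ip: timestamp of first alert}."""
    recent = defaultdict(deque)   # src -> deque of (ts, port), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # ignore lines that don't match the format
        ts, src, _dst, port = rec
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries that fell out of the window
        if len({p for _, p in q}) > max_ports and src not in alerts:
            alerts[src] = ts
    return alerts


# --- constructed traffic (assumption: RFC 5737 documentation addresses) ---
TARGET = "192.0.2.10"


def fast_scan_lines(src, start=1000, ports=range(1, 21)):
    """20 ports in about 5 seconds: well above the threshold."""
    return [f"{start + i // 4} SYN {src} -> {TARGET}:{p}" for i, p in enumerate(ports)]


def slow_scan_lines(src, start=1000, ports=range(1, 21)):
    """Same 20 ports, one every 30 seconds: never more than 3 in any 60 s window."""
    return [f"{start + i * 30} SYN {src} -> {TARGET}:{p}" for i, p in enumerate(ports)]


def decoy_scan_lines(n_sources, start=1000, ports=range(1, 16)):
    """n_sources spoofed sources each probing 15 ports at once: every one trips the threshold."""
    lines = []
    for j in range(n_sources):
        src = f"198.51.100.{j + 1}"
        lines += [f"{start + i // 3} SYN {src} -> {TARGET}:{p}" for i, p in enumerate(ports)]
    return lines


if __name__ == "__main__":
    print("fast :", detect_scans(fast_scan_lines("10.0.0.5")))          # {'10.0.0.5': 1002}
    print("slow :", detect_scans(slow_scan_lines("10.0.0.9")))          # {} -- under the threshold
    print("decoy:", len(detect_scans(decoy_scan_lines(50))), "alerts")  # 50
```

The slow scan is still present in the raw log; it simply never crosses the threshold, which is the trade-off the detector's two parameters express: a lower `max_ports` or a longer `window` catches slower scans at the cost of more false positives from legitimately bursty clients. Against the decoy flood, the alert list alone cannot single out the real source; one discriminator available to the defender is which source actually completes a handshake, since a spoofed source never receives the SYN-ACK.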
-
February 9th, 2004, 03:40 PM
#13
Qod: P0f, while being a really nice little tool that I have constantly running outside my firewall, is not a port scanner, it's a passive fingerprinter. It relies upon you making a connection to me and then determining what you are. When, (more like _if_), you connect to me you will do it with a single source and a single destination port. That doesn't even tell me whether you are running a service on the source port since the source will be randomly chosen for the connection to my system unless you are using tools to "fix" that. The only info p0f puts out is its best guess at your OS based on the info it received. The guess is based on knowledge of the various implementations of the IP stack used by different OSes.
57: You can't detect p0f since it makes no "noise". It's simply a packet sniffer with a signature database, (yes I'm aware it has a more active mode but that is an accuracy thing and really defeats the purpose of passive fingerprinting). So even the most technically advanced IDS logging connections at any level still wouldn't see it because p0f doesn't talk, it listens.
ramforu: Think of the concept behind port scanning. You want to know which ports are open and providing services on a remote box. Thus you have two choices. Be active and do something to determine which ports are open _or_ wait for the admin of the box to call you and tell you which services he provides. Since two just isn't going to happen you are left with 1, and the moment you go "active" I can detect you. Then it simply comes down to the level of efficiency you desire. If you are prepared to wait a week or two, (or more), then you can probably evade my detection, (NOTE: I said "evade my detection" not "be invisible" - my systems have still logged your presence - I just haven't seen you as significant - yet).
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 9th, 2004, 03:56 PM
#14
When I read the subject line, I thought somebody was able to write an undetectable port scanner. hehe.