Greetings,

Something just hit my mind and I would like the responses of all the brave souls here. Nmap, as we all know, is a port scanner on the highest level. It does its job well, from involving OS detection through window response times, to scan timing between ports. Respect aside, nmap is also a major giveaway to a serious network penetration tester. Allow me to explain, and then I shall ask my question:

1. Nmap detecting the OS by the window time frames sends a preconfigured packet that is very commonly known by admins to be recognizable as nmap.

2. Nmap using the Xmas method and quite a few other commonly used methods, in which it sends errored packets and reports the target's response, is also using packets preconfigured by nmap and once again commonly known by admins to be recognizable as nmap.

3. Take this packet information that identifies nmap directly: it has been placed into many IDS systems (even Snort, if I remember), and thus when the silent scan (Xmas scan) is performed, that IDS might not pick up on the actual scan, but it has noticed and sniffed the incoming packets enough to recognize them as nmap scan packets. Thus, the use of nmap has set off flags even if your scan timing got past the IDS, because it sent errored packets for detection that only nmap uses (anything else using them would break TCP/IP standards).


Please, correct me if I am wrong on any of the above. Now to my question: What other methods can be used to bypass an IDS? A good IDS detects port scans (even the best hackers can be detected, trust me) no matter the skill of the attacker, and now also the nmap-specific errored packets that make it so useful. I'm not looking for an answer of "scan slower" or "scan randomly", because an IDS can still catch that in action. Is there a way to hand-craft packets, to directly send preconfigured packets made by you each time to whatever port you desired? Is there such a program for Linux? For Windows? For OpenBSD?

Once we understand what else lies out there, we can begin to dig deeper into the land of security. Thank you for your time, and I look forward to the responses.

regards,
Pooh Sun Tzu