I think the point here is how to avoid the IDS. If your computer tries to connect to every single port in the TCP/IP specs, then I'm sure there is a good chance that someone would notice it. How many services do you know that legitimately use anything above port 2000 or so for public access?


So obviously, scanning stuff that has no real application or use in a common network will be noticed. An example of this would be searching for home-made freshly baked chocolate-chip cookies. If your mom puts them in a cookie jar, and your friends put them in cookie jars, would you go trample in your neighbor's flower garden searching for cookies if you caught a whiff of them floating down the street? No, you'd find their cookie jar.

This cookie jar is a legitimate service; it is pretty standardized that you put cookies in them. But since everyone puts cookies in a cookie jar, then if you know where their cookie jars are you could hypothetically steal their cookie jars. So, they watch their cookie jars, right? Of course! But there are of course some weird neighbors who would put their cookies in the refrigerator.

So how does this apply to computers? I hope I'm not veering off-topic here...

The cookie jar could be the FTP, HTTP, SSH, TELNET, etc. services. It is a service that provides content/data/privileges (cookies). If you have a cookie jar, you are assumed to provide the cookie service, so you will see traffic (kids coming to get cookies when they smell you cooking). Let's face it, there are a lot of kids who want cookies, and in computers a lot of traffic. How do you find out if a kid is taking more cookies than he should? The IDS has to do this.

What if you have that weird neighbor who puts cookies in the refrigerator instead of the cookie jar? Obviously, if you didn't know he did that and you try to steal the cookie jar at night, you get no cookies. And the missing cookie jar shows that someone tried to steal his cookies. Like a honey pot. Do you honestly want to check everyone's refrigerator if you decide to go on a night time cookie raid? It is risky, and the cookie could of course be soggy since refrigerators do that, and all of that can be part of a Honeypot / IDS.


Back on topic, I hope...

The point is what is the best way to fingerprint a host without arousing suspicion? Obviously, it is best if you can get insider information, i.e., watching that neighbor hide the cookies. But the purpose here is that you don't, and how do you avoid doing what everyone else does so you can get the cookie? Do you really want to risk searching the fridge for the cookies? Or do you just run in blind for that jar... And how can you do it the different way (not use nmap), just barely get by the IDS, and get your cookie and get the heck out of town?

I don't know how to do this, but I think that pooh sun tzu may be one of the people who may think up other ways of solving the situation to get by. Perhaps my analogy helps throw a new light on the situation, perhaps it doesn't, but with how much time I spent writing it (instead of other homework) I'm posting. IMHO, the best way to get by would be with a rare 0-day exploit, even though it is possible to protect against some of these even before they are discovered if the right filtering is done on all of the data; a sort of paranoid "Don't trust input!" security system that will get anyone who tries...and then there is finding the 0-day in the first place...
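The post's two IDS points, that touching "every single port" stands out and that hardly any public service lives above port 2000 or so, come down to one check a sensor can make: count how many distinct destination ports a single source hits within a short window, and note how many of them sit in the high range. The following is an added example from the defender's side, not code from the original post or any poster here; the connection-log format, the sample lines, the 60-second window, the threshold of 10 distinct ports and the 2000 cutoff are all assumptions constructed for the illustration.

```python
"""Toy port-scan detector: the check an IDS makes when one source touches far more
distinct ports than any legitimate client would (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log. The format is assumed (one SYN per line:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"); it is not from any real sensor.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 192.0.2.10:80
2024-01-01T10:00:01 10.0.0.5 -> 192.0.2.10:443
2024-01-01T10:00:02 10.0.0.9 -> 192.0.2.10:21
2024-01-01T10:00:03 10.0.0.9 -> 192.0.2.10:22
2024-01-01T10:00:04 10.0.0.9 -> 192.0.2.10:23
2024-01-01T10:00:05 10.0.0.9 -> 192.0.2.10:25
2024-01-01T10:00:06 10.0.0.9 -> 192.0.2.10:80
2024-01-01T10:00:07 10.0.0.9 -> 192.0.2.10:443
2024-01-01T10:00:08 10.0.0.9 -> 192.0.2.10:3306
2024-01-01T10:00:09 10.0.0.9 -> 192.0.2.10:3389
2024-01-01T10:00:10 10.0.0.9 -> 192.0.2.10:5900
2024-01-01T10:00:11 10.0.0.9 -> 192.0.2.10:8080
2024-01-01T10:00:12 10.0.0.9 -> 192.0.2.10:8443
2024-01-01T10:00:13 10.0.0.9 -> 192.0.2.10:31337
2024-01-01T10:00:30 10.0.0.5 -> 192.0.2.10:80
2024-01-01T10:01:00 10.0.0.7 -> 192.0.2.10:22
2024-01-01T10:05:00 10.0.0.7 -> 192.0.2.10:22
"""

HIGH_PORT_CUTOFF = 2000  # the post's rough "nothing public lives above here" line (assumed)


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts_text, src, _arrow, dst_and_port = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_text), src, dst, int(port)


def max_distinct_ports_in_window(events, window):
    """Largest number of distinct destination ports one source hit inside any
    sliding time window. events: list of (timestamp, port), any order."""
    events = sorted(events)
    live = Counter()  # ports currently inside the window, with hit counts
    best, left = 0, 0
    for ts, port in events:
        live[port] += 1
        while ts - events[left][0] > window:  # slide the left edge forward
            old_port = events[left][1]
            live[old_port] -= 1
            if live[old_port] == 0:
                del live[old_port]
            left += 1
        best = max(best, len(live))
    return best


def profile_sources(log_text, window=timedelta(seconds=60)):
    """Per-source summary: peak distinct ports within one window, and how many
    of the ports touched overall are above HIGH_PORT_CUTOFF."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port = parse_line(line)
        per_src[src].append((ts, port))
    profile = {}
    for src, events in per_src.items():
        ports = {p for _, p in events}
        profile[src] = {
            "peak_distinct_ports": max_distinct_ports_in_window(events, window),
            "high_ports": sum(1 for p in ports if p > HIGH_PORT_CUTOFF),
        }
    return profile


def flag_scanners(log_text, threshold=10, window=timedelta(seconds=60)):
    """Sources whose peak distinct-port count in one window reaches the threshold."""
    profile = profile_sources(log_text, window)
    return {src: stats for src, stats in profile.items()
            if stats["peak_distinct_ports"] >= threshold}


if __name__ == "__main__":
    for src, stats in flag_scanners(SAMPLE_LOG).items():
        print(f"{src}: {stats['peak_distinct_ports']} distinct ports in 60s, "
              f"{stats['high_ports']} of them above {HIGH_PORT_CUTOFF}")
```

On the constructed log, only 10.0.0.9 trips the threshold (12 distinct ports in 11 seconds, 6 of them above 2000), while the two browsing-style sources stay at one or two ports. The sliding window matters: a source that touches the same dozen ports spread over a day never accumulates them in one window, which is exactly the blind spot a slow, "barely get by" approach leans on, and why real sensors keep per-source state over longer horizons as well.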