an unethical view of nmap
Earlier I wrote a post on an ethical view of nmap. Today I've had a few adult beverages and I thought it would be fun to give a little insight into an unethical use. I am not the first to say this, and will not be the last... but nmap is just freakin cool and so, so useful. In this post we shall cover some of the more interesting IDS decoy and evasion methods available in nmap.
Are you ready to nerd it up?
When you want to get your scan on and really confuse the target, nmap provides some really nice options in this area. First and foremost, look at the -f option. This enables packet fragmentation: it breaks each packet up into pieces of 8 bytes after the IP header. An example: a 20-byte IP header would be split into three packets, two with eight bytes of the IP header and one with the final four. I like to use -ff, which fragments by a factor of 16; however, some OSes freak out when they receive really small fragmented packets. If you have trouble, or just want to try it, use the --send-eth option to bypass the IP layer and send raw ethernet frames.
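From the other side of the wire, the tell-tale sign of -f is a first fragment that does not carry a complete 20-byte TCP header. The following is an added Python example, not code from the post: it parses constructed IPv4 datagrams (addresses, ports and IP IDs are made up) and flags any TCP datagram whose first fragment is too short to hold the full header.

```python
import struct

IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field
PROTO_TCP = 6

def build_ipv4(payload: bytes, ident: int, frag_off: int, more: bool) -> bytes:
    """Build a constructed IPv4 datagram (no options, checksum left at zero).
    frag_off is in 8-byte units, exactly as it is encoded on the wire."""
    total_len = 20 + len(payload)
    flags_off = (IP_MF if more else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      64, PROTO_TCP, 0,
                      bytes([192, 168, 1, 10]), bytes([192, 168, 1, 6]))
    return hdr + payload

def tiny_tcp_fragments(packets):
    """Return the IP IDs of TCP datagrams whose first fragment (offset 0,
    MF set) carries fewer than the 20 bytes a full TCP header needs, so the
    flags field is only visible after reassembly."""
    suspicious = []
    for pkt in packets:
        ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = \
            struct.unpack("!BBHHHBB", pkt[:10])
        ihl = (ver_ihl & 0x0F) * 4
        offset = flags_off & 0x1FFF
        more = bool(flags_off & IP_MF)
        if proto == PROTO_TCP and offset == 0 and more and (total_len - ihl) < 20:
            suspicious.append(ident)
    return suspicious

# Constructed 20-byte TCP header: src port 40000, dst port 80, SYN flag set.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 1024, 0, 0)

def sample_packets():
    """One normal SYN plus the same SYN split the way -f splits it:
    8 bytes per fragment after the IP header, i.e. 8, 8 and 4 bytes."""
    unfragmented = [build_ipv4(TCP_SYN, 100, 0, False)]
    fragmented = [build_ipv4(TCP_SYN[0:8], 200, 0, True),
                  build_ipv4(TCP_SYN[8:16], 200, 1, True),
                  build_ipv4(TCP_SYN[16:20], 200, 2, False)]
    return unfragmented + fragmented

if __name__ == "__main__":
    print(tiny_tcp_fragments(sample_packets()))
```

With -ff the first fragment carries 16 bytes, still short of a full TCP header, so the same check fires; a stateful IDS applies this after reassembling each IP ID, which is why --send-eth does not change what the sensor sees.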
The next option worth looking at is -D. This is by far one of the coolest evasion techniques available in nmap. The point of -D is to make the target believe it is being scanned by many hosts, not just you. The format is -D <host 1>,<host 2>,<host 3>, etc. To keep it simple, use about six decoy hosts that you know are up and active, or you run the risk of SYN flooding the target. By listing six decoy hosts before your own host (ME), you stand a good chance of your real host completely evading some scan loggers (scanlogd, say). You can have some real fun with this option if you think about it.
One of the more advanced options for IDS evasion is --scanflags. It lets you specify your own TCP flags and accepts any combination of URG, ACK, PSH, RST, SYN, and FIN. --scanflags is best used together with one of the base scan types, which tells nmap how to interpret the responses it gets back from the target host; without a base type, nmap falls back to interpreting them as SYN scan results.
Another lesser known but highly useful option is --fuzzy. If nmap is having trouble making an accurate OS match, --fuzzy makes nmap return the near-matches along with its confidence level in each. While this may not help every time, it can prove useful.
Example showing some of the techniques covered above:
sudo nmap -ff -D 64.233.187.99,66.94.234.13,63.161.169.137,204.94.97.210,216.113.188.34,ME --scanflags FINPSHSYN --send-eth -n -vv -A -O2 --fuzzy -sF 192.168.1.6
What does that look like to the target? Like they are getting the crap scanned out of them by google, yahoo, whitehouse.gov, goarmy.com, paypal.com and your host. I put together the nmap scan results (txt / xml) as well as a pcap (3.4MB) of the scan. As you can see from looking at the pcap traffic, it without a doubt appears to be a scan from all those hosts (nslookup them if you still don't believe me), except you are the only one getting the results. If the target is even looking...
September 7th, 2007 12:12 am -
Now I know how you feel when I go on and on about Byron, Aristotle and politics. I find as I’m reading this it goes “Wah wah require that you use wah wah, and wha wha the wha,” in a familiar Charlie Brown teacher voice.
September 8th, 2007 3:33 am -
Who the hell is Brian?
September 8th, 2007 11:05 am -
i’m in ur nmap scannin ur peers