Defeating NMAP scans - Security


Thread: Defeating NMAP scans

  1. Defeating NMAP scans

    Hi everybody,
    Is there any way to distinguish the probe packets
    sent by NMAP and the normal communication packets? Also, can we
    modify the responses to the nmap probes so that it could not recognise
    the remote OS and the services? By default, NMAP probes the remote
    machine by sending some packets in a specific order. Can anybody clue me
    in on the order of the types of scans that NMAP does?


  2. Re: Defeating NMAP scans

    Sunny wrote:

    > Is there any way to distinguish the probe packets
    > sent by NMAP and the normal communication packets?


    I doubt it. Fyodor has an excellent track record for making nmap's
    "stealth" scans be in practice impossible to distinguish from Internet
    background noise.

    If I may be so bold: Maybe it'd be more fruitful just to assume that
    the bad guys are able to portscan you, take that fact for granted, and
    do your security planning accordingly? That approach Works for Me.

    --
    Cheers,
    Rick Moen
    rick@linuxmafia.com

    Katrina's Law: Any sufficiently advanced incompetence
    is indistinguishable from malice.
    (coinage attrib. to Paul Ciszek)

  3. Re: Defeating NMAP scans

    Hello Sunny,


    "Sunny" (06-01-24 11:05:13):

    > Is there any way to distinguish the probe packets
    > sent by NMAP and the normal communication packets? Also, can we
    > modify the responses to the nmap probes so that it could not recognise
    > the remote OS and the services? By default, NMAP probes the remote
    > machine by sending some packets in a specific order. Can anybody clue me
    > in on the order of the types of scans that NMAP does?


    Rick is just right. However, you _could_ distinguish nmap's packets by
    some heuristics like SYN rate, but this may lead to false positives
    (even very often). You might be interested in grsecurity [1], a kernel
    patch. It makes OS detection more difficult for nmap. For me it
    reports a wrong OS, but it still detects it being Linux.

    As Rick said, just let port scans remain possible. Hiding your OS is no
    real gain in security. Instead, configure your system properly and keep
    it up to date.

    Regards.


    ---

    [1] http://www.grsecurity.net/
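
Added example, not part of any post in this thread: a sliding-window detector for the SYN-rate heuristic mentioned in the reply above, run over constructed SYN records to show the false positive it produces and how counting distinct destination ports separates a scan from a busy client. The thresholds, the `flag_sources` and `sample_traffic` names, and the addresses (documentation ranges) are all assumptions made for the illustration.

```python
from collections import defaultdict, deque


def flag_sources(syns, window=5.0, max_syns=20, max_ports=15):
    """Flag sources by two rules over a sliding time window.

    syns: (timestamp_seconds, src_ip, dst_port) tuples sorted by time.
    Returns {src_ip: set of rule names tripped}.
    """
    recent = defaultdict(deque)   # src_ip -> (timestamp, dst_port) in window
    flagged = defaultdict(set)
    for ts, src, port in syns:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop SYNs older than the window
            q.popleft()
        if len(q) > max_syns:                # raw SYN rate: noisy on its own
            flagged[src].add("syn_rate")
        if len({p for _, p in q}) > max_ports:   # many different ports probed
            flagged[src].add("port_spread")
    return dict(flagged)


def sample_traffic():
    """Constructed sample data, not captured traffic."""
    syns = []
    # Scan-like source: 40 different ports within 2 seconds.
    syns += [(i * 0.05, "198.51.100.7", 1 + i) for i in range(40)]
    # Busy but legitimate client: 30 connections to one service in 3 seconds.
    syns += [(i * 0.1, "203.0.113.20", 443) for i in range(30)]
    # Ordinary client: 3 connections.
    syns += [(i * 1.0, "203.0.113.21", 80) for i in range(3)]
    return sorted(syns)


if __name__ == "__main__":
    for src, rules in sorted(flag_sources(sample_traffic()).items()):
        print(src, sorted(rules))
```

The busy client trips only the rate rule, which is the false positive the reply warns about; only the scan-like source trips both rules.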

  4. Re: Defeating NMAP scans

    Sunny wrote:
    > Is there any way to distinguish the probe packets
    > sent by NMAP and the normal communication packets? Also, can we
    > modify the responses to the nmap probes so that it could not recognise
    > the remote OS and the services?


    A quick google (keywords "nmap fingerprint fake result")
    could have picked out the answers to these questions. See
    http://www.attackprevention.com/article/430 for just some options.

    Chris
