NMAP: Decoy Analysis   
"NMAP - Scan Analysis (v2)"
1999-04-05

Hello,

This page is for anyone who cares to see the details behind an NMAP scan with the -D decoy option set. Basically I hope to answer two questions:

When I created a case study of these topics earlier today I used decoy hosts that were not responsive (nonexistent IP addresses). Fyodor quickly pointed out that this breaks one of the cardinal rules of decoy scanning. The decoys must be alive. :)

NMAP appears to correctly spoof identical packets for every operation, sending an identical packet for each source address (your local system, and each of the decoys). My initial testing showed that only the local system sends RSTs in response to successfully queried ports in a SYN scan. However, this behavior is correct. The local system should not send RSTs on behalf of the other systems, because that is exactly what they are supposed to do. My test decoys (23.23.23.23 and 24.24.24.24) are not active hosts, and so would not generate the expected RST packets. Had I used responsive decoy hosts, the local system source address would be indistinguishable from the others.

FIN, NULL, XMAS, and UDP scans appear to work equally well with the -D decoy option.

Hope someone finds this remotely useful or interesting.

-Max Vision
 
 
 
Decoys, without OS detection

[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe

19:44:00.294222 23.23.23.23 > www.example.com: icmp: echo request
19:44:00.304222 audit.example.com > www.example.com: icmp: echo request
19:44:00.304222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe

19:44:00.314222 23.23.23.23.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 audit.example.com.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 24.24.24.24.38159 > www.example.com.http: . ack 0 win 1024

This response indicates a live host

19:44:00.324222 www.example.com.http > audit.example.com.38159: R 0:0(0) win 0 (DF)

SYN scan

19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024

SYN+ACK response means open port here.  We RST appropriately.
Note: If you use valid decoys they will RST as well.

19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112  (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0

Interesting ports on www.example.com (1.1.1.1):
Port    State       Protocol  Service
80      open        tcp        http

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
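The two things the capture above exposes, written out as detection logic. This is an added example, not code from the original post or from nmap. Its input is the SYN-scan portion of the first capture, embedded as a constructed sample, plus a second, hypothetical target-side capture in which 24.24.24.24 is a live host (its SYN/ACK sequence numbers are invented); the function names and the one-second clustering window are my choices. What the capture itself shows is that every decoy copy carries the same source port (38139), the same initial sequence number (1559207492) and the same window as the real packet, and that all three arrive within about ten milliseconds, so a capture at the target can recognise a decoy scan even when it cannot say which source is real. The RST check singles out the scanner only when the decoys are dead, which is exactly the author's point.

```python
import re
from collections import defaultdict

# Constructed sample input: the SYN-scan portion of the first capture on this
# page, taken on the scanning host (dead decoys, so only the real source is
# ever answered by the target).
CAPTURE_DEAD_DECOYS = """\
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112  (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
"""

# Constructed, hypothetical target-side capture of the same scan if 24.24.24.24
# were alive: the target answers all three SYNs, and the live decoy's own TCP
# stack resets the unexpected SYN/ACK just as the real scanner does.
CAPTURE_LIVE_DECOY = """\
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.414222 www.example.com.http > 23.23.23.23.38139: S 3305543700:3305543700(0) ack 1559207493 win 9112 (DF)
19:44:00.414222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.414222 www.example.com.http > 24.24.24.24.38139: S 3305543712:3305543712(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
19:44:00.444222 24.24.24.24.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
"""

# One tcpdump TCP line of that era: "ts src.sport > dst.dport: FLAGS seq:seq(len) ack N win W ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFPRU.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_capture(text):
    """Return the TCP packets of a capture as dicts; ICMP and UDP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        packets.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"],
            "flags": m["flags"],
            "seq": int(m["seq"]) if m["seq"] else None,
            "ack": int(m["ack"]) if m["ack"] else None,
        })
    return packets


def find_decoy_clusters(packets, window=1.0):
    """Group bare SYNs by (target, dport, sport, ISN). Several sources sharing all
    four within `window` seconds were built by one tool: nmap -D sends a copy of
    the same packet for each decoy, as the capture above shows."""
    groups = defaultdict(list)
    for p in packets:
        if p["flags"] == "S" and p["ack"] is None:
            groups[(p["dst"], p["dport"], p["sport"], p["seq"])].append(p)
    clusters = []
    for (target, dport, sport, isn), syns in groups.items():
        sources = sorted({p["src"] for p in syns})
        spread = max(p["t"] for p in syns) - min(p["t"] for p in syns)
        if len(sources) > 1 and spread <= window:
            clusters.append({"target": target, "dport": dport, "sport": sport,
                             "isn": isn, "sources": sources})
    return clusters


def sources_that_reset(packets, cluster):
    """Cluster members that answered the target's SYN/ACK with a RST carrying the
    acknowledged sequence number. A dead decoy never does, so the scanner stands
    out; a live decoy's kernel does, and the scanner is no longer distinguishable."""
    expected_rst_seq = {}   # (host, host's port) -> seq number its RST must carry
    for p in packets:
        if p["src"] == cluster["target"] and "S" in p["flags"] and p["ack"] is not None:
            expected_rst_seq[(p["dst"], p["dport"])] = p["ack"]
    live = set()
    for p in packets:
        key = (p["src"], p["sport"])
        if ("R" in p["flags"] and p["src"] in cluster["sources"]
                and p["seq"] is not None and expected_rst_seq.get(key) == p["seq"]):
            live.add(p["src"])
    return sorted(live)


def analyse(text):
    """Return (decoy clusters, per-cluster list of sources that reset the handshake)."""
    packets = parse_capture(text)
    clusters = find_decoy_clusters(packets)
    return clusters, [sources_that_reset(packets, c) for c in clusters]


if __name__ == "__main__":
    for name, text in (("dead decoys", CAPTURE_DEAD_DECOYS), ("live decoy", CAPTURE_LIVE_DECOY)):
        clusters, resetters = analyse(text)
        for c, r in zip(clusters, resetters):
            print(f"{name}: {len(c['sources'])} sources sent SYN {c['isn']} from port "
                  f"{c['sport']} to {c['target']}:{c['dport']}; handshake reset by {r}")
```

Run it on a real tcpdump text file of the same format and the dead-decoy case names the scanner alone, while the live-decoy case returns every source that reset, which is all the capture can honestly say.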



Decoys, OS detection

[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -O -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe

19:29:55.854222 23.23.23.23 > www.example.com: icmp: echo request
19:29:55.864222 audit.example.com > www.example.com: icmp: echo request
19:29:55.864222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe

19:29:55.864222 23.23.23.23.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 audit.example.com.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 24.24.24.24.63836 > www.example.com.http: . ack 0 win 1024

This response indicates a live host

19:29:55.884222 www.example.com.http > audit.example.com.63836: R 0:0(0) win 0 (DF)

SYN scan

19:29:55.954222 23.23.23.23.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 audit.example.com.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 24.24.24.24.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024

SYN+ACK response means open port here.  We RST appropriately.
Note: If you use valid decoys they will RST as well.

19:29:55.974222 www.example.com.http > audit.example.com.63816: S 3191891171:3191891171(0) ack 1315816471 win 9112  (DF)
19:29:55.974222 audit.example.com.63816 > www.example.com.http: R 1315816471:1315816471(0) win 0



OS Detection (Solaris shown)

19:29:55.984222 23.23.23.23.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 audit.example.com.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 24.24.24.24.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024

19:29:55.984222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:55.984222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:55.984222 24.24.24.24.63824 > www.example.com.http: . win 1024

19:29:55.994222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0

19:29:55.994222 23.23.23.23.63826 > www.example.com.http: . ack 0 win 1024
19:29:55.994222 www.example.com.http > audit.example.com.63823: S 3192034216:3192034216(0) ack 3812808642 win 8855  (DF)
19:29:55.994222 audit.example.com.63823 > www.example.com.http: R 3812808642:3812808642(0) win 0
19:29:56.004222 audit.example.com.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 24.24.24.24.63826 > www.example.com.http: . ack 0 win 1024

19:29:56.004222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024

19:29:56.004222 23.23.23.23.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 audit.example.com.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 24.24.24.24.63828 > www.example.com.34599: . ack 0 win 1024

19:29:56.014222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0

19:29:56.014222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.014222 www.example.com.http > audit.example.com.63826: R 0:0(0) win 0 (DF)
19:29:56.024222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.024222 24.24.24.24.63816 > www.example.com.34599: udp 300

The probes that drew no response (everything except the SYN and ACK to the open port) are sent again, decoys included

19:29:56.634222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:56.644222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:56.644222 24.24.24.24.63824 > www.example.com.http: . win 1024

19:29:56.644222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0

19:29:56.644222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.644222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024

19:29:56.654222 23.23.23.23.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 audit.example.com.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 24.24.24.24.63828 > www.example.com.34599: . ack 1 win 1024

19:29:56.654222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0

19:29:56.664222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.664222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.664222 24.24.24.24.63816 > www.example.com.34599: udp 300



Sequence number generator exercise

19:29:57.184222 23.23.23.23.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.204222 audit.example.com.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.214222 www.example.com.http > audit.example.com.63817: S 3192528068:3192528068(0) ack 3812808643 win 9112  (DF)
19:29:57.214222 audit.example.com.63817 > www.example.com.http: R 3812808643:3812808643(0) win 0
19:29:57.224222 24.24.24.24.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024

19:29:57.244222 23.23.23.23.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.264222 audit.example.com.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.274222 www.example.com.http > audit.example.com.63818: S 3192724219:3192724219(0) ack 3812808644 win 9112  (DF)
19:29:57.274222 audit.example.com.63818 > www.example.com.http: R 3812808644:3812808644(0) win 0
19:29:57.284222 24.24.24.24.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024

19:29:57.304222 23.23.23.23.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.324222 audit.example.com.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.334222 www.example.com.http > audit.example.com.63819: S 3192958008:3192958008(0) ack 3812808645 win 9112  (DF)
19:29:57.334222 audit.example.com.63819 > www.example.com.http: R 3812808645:3812808645(0) win 0
19:29:57.344222 24.24.24.24.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024

19:29:57.364222 23.23.23.23.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.384222 audit.example.com.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.394222 www.example.com.http > audit.example.com.63820: S 3193157286:3193157286(0) ack 3812808646 win 9112  (DF)
19:29:57.394222 audit.example.com.63820 > www.example.com.http: R 3812808646:3812808646(0) win 0
19:29:57.404222 24.24.24.24.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024

19:29:57.424222 23.23.23.23.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.444222 audit.example.com.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.454222 www.example.com.http > audit.example.com.63821: S 3193331920:3193331920(0) ack 3812808647 win 9112  (DF)
19:29:57.454222 audit.example.com.63821 > www.example.com.http: R 3812808647:3812808647(0) win 0
19:29:57.464222 24.24.24.24.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024

19:29:57.484222 23.23.23.23.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.504222 audit.example.com.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.514222 www.example.com.http > audit.example.com.63822: S 3193574611:3193574611(0) ack 3812808648 win 9112  (DF)
19:29:57.514222 audit.example.com.63822 > www.example.com.http: R 3812808648:3812808648(0) win 0
19:29:57.524222 24.24.24.24.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024



Interesting ports on www.example.com (1.1.1.1):
Port    State       Protocol  Service
80      open        tcp        http

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=25258 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
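A worked version of the "TCP Sequence Prediction" lines, added here as an example and not taken from nmap's source. The six ISNs are the target's SYN/ACK sequence numbers from the sequence number generator exercise above. The increment classes are a simplified reconstruction of the class names old nmap printed, and the tests that pick them are my assumptions. The population standard deviation of the five increments reproduces the Difficulty=25258 on the page, which is why it is used here; that nmap 2.12 computed the figure exactly this way is an inference from the match.

```python
import math

# The six initial sequence numbers the target returned to the six probes in the
# sequence number generator exercise above (the "S isn:isn(0)" values of its
# SYN/ACKs), copied from the capture.
ISNS = [3192528068, 3192724219, 3192958008, 3193157286, 3193331920, 3193574611]

SEQ_MODULUS = 2 ** 32


def isn_increments(isns):
    """Successive ISN differences as signed 32-bit values, so a generator that
    wraps past 2^32 still shows a small positive step instead of a huge negative one."""
    incs = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % SEQ_MODULUS
        incs.append(d - SEQ_MODULUS if d >= SEQ_MODULUS // 2 else d)
    return incs


def classify(incs):
    """Simplified reconstruction of the classes old nmap printed. The tests are
    assumptions of this example, not nmap's code; cheapest-to-predict first."""
    if all(d == 0 for d in incs):
        return "constant"
    if all(d % 64000 == 0 for d in incs):
        return "64K rule"
    if all(d % 800 == 0 for d in incs):
        return "i800"
    if all(d > 0 for d in incs):
        return "random positive increments"
    return "truly random"


def difficulty(incs):
    """Population standard deviation of the increments, rounded. On the capture
    above this gives 25258, the Difficulty nmap printed (assumption: that this
    is nmap 2.12's formula is inferred from the match)."""
    mean = sum(incs) / len(incs)
    return round(math.sqrt(sum((d - mean) ** 2 for d in incs) / len(incs)))


def next_isn_estimate(isns):
    """What a blind spoofer would guess for the next connection: the last ISN
    plus the mean increment. The difficulty is the one-sigma width of that guess."""
    incs = isn_increments(isns)
    return (isns[-1] + round(sum(incs) / len(incs))) % SEQ_MODULUS


if __name__ == "__main__":
    incs = isn_increments(ISNS)
    print("increments:", incs)
    print(f"TCP Sequence Prediction: Class={classify(incs)}")
    print(f"                         Difficulty={difficulty(incs)}")
    print("next ISN estimate:", next_isn_estimate(ISNS))
```

The increments here are all six-digit positive numbers with a spread of roughly 25000, so a spoofer sending a blind SYN/ACK guess would need on the order of tens of thousands of attempts per connection, which is what "Worthy challenge" is saying; a constant or 64K-rule generator would take one or a handful.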

Thanks for reading, have fun!