NMAP: Decoy Analysis
NMAP - Scan Analysis (v2)
1999-04-05
Hello,
This page is for anyone who wants to see the details behind an NMAP scan run with the -D decoy option set. Basically I hope to answer two questions:
NMAP appears to correctly spoof identical packets for every operation, sending one copy of each packet per source address (your local system and each of the decoys). My initial testing showed that only the local system sends RSTs in response to successfully queried ports in a SYN scan. This behavior is correct, however: the local system should not send RSTs on behalf of the other systems, because that is exactly what the decoys themselves are supposed to do. My test decoys (23.23.23.23 and 24.24.24.24) are not active hosts, and so do not generate the expected RST packets. Had I used responsive decoy hosts, the local system's source address would be indistinguishable from the others.
FIN, NULL, XMAS, and UDP scans appear to work equally well with the -D decoy option.
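The behaviour described above, seen from the target's side, as an added example that is not part of the original write-up: a small Python parser over tcpdump lines in the page's format that flags groups of SYNs sharing a source port and initial sequence number across several source hosts (the decoy signature in the captures) and lists which sources actually answered the SYN/ACK with a RST. The regex and the sample lines are constructed for this format.

```python
import re
from collections import defaultdict

# Matches the tcpdump TCP lines quoted in this write-up (a constructed regex
# for that format only; ICMP and UDP lines deliberately return None).
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>.+?)\.(?P<sport>\w+) > (?P<dst>.+?)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def parse(line):
    m = TCP_RE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_groups(lines):
    """Group bare SYNs by (dst host, dst port, src port, ISN). Independent
    clients never share both a source port and an ISN, so a group with more
    than one source host is the decoy-scan signature visible in the capture."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["flags"] == "S" and rec["ack"] is None:
            groups[(rec["dst"], rec["dport"], rec["sport"], rec["seq"])].add(rec["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def responsive_sources(lines):
    """Source hosts that answered the target's SYN/ACK with a RST. Silent
    sources are either non-existent decoys or hosts whose SYN/ACK was lost;
    only responsive ones can be the real scanner. With live decoys every
    source appears here, which is the 'indistinguishable' case in the text."""
    synack_to, rst_from = set(), set()
    for rec in filter(None, map(parse, lines)):
        if rec["flags"] == "S" and rec["ack"] is not None:
            synack_to.add((rec["dst"], rec["dport"]))  # client side of the SYN/ACK
        elif rec["flags"] == "R":
            rst_from.add((rec["src"], rec["sport"]))
    return sorted(src for src, sport in rst_from if (src, sport) in synack_to)

# Constructed sample lines modeled on the page's capture (not the page's own).
SAMPLE = """\
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0
19:44:00.434222 www.example.com.http > audit.example.com.38160: R 0:0(0) win 0 (DF)
""".splitlines()

if __name__ == "__main__":
    for key, hosts in find_decoy_groups(SAMPLE).items():
        print("decoy group", key, "sources:", hosts)
    print("responsive (candidate real scanner):", responsive_sources(SAMPLE))
```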
Hope someone finds this remotely useful or interesting.
[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe
19:44:00.294222 23.23.23.23 > www.example.com: icmp: echo request
19:44:00.304222 audit.example.com > www.example.com: icmp: echo request
19:44:00.304222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe
19:44:00.314222 23.23.23.23.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 audit.example.com.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 24.24.24.24.38159 > www.example.com.http: . ack 0 win 1024

This response indicates a live host
19:44:00.324222 www.example.com.http > audit.example.com.38159: R 0:0(0) win 0 (DF)

SYN scan
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024

SYN+ACK response means open port here. We RST appropriately. Note: If you use valid decoys they will RST as well.
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0

Interesting ports on www.example.com (1.1.1.1):
Port    State    Protocol    Service
80      open     tcp         http

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -O -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

ICMP Probe
19:29:55.854222 23.23.23.23 > www.example.com: icmp: echo request
19:29:55.864222 audit.example.com > www.example.com: icmp: echo request
19:29:55.864222 24.24.24.24 > www.example.com: icmp: echo request

ACK Probe
19:29:55.864222 23.23.23.23.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 audit.example.com.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 24.24.24.24.63836 > www.example.com.http: . ack 0 win 1024

This response indicates a live host
19:29:55.884222 www.example.com.http > audit.example.com.63836: R 0:0(0) win 0 (DF)

SYN scan
19:29:55.954222 23.23.23.23.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 audit.example.com.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 24.24.24.24.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024

SYN+ACK response means open port here. We RST appropriately. Note: If you use valid decoys they will RST as well.
19:29:55.974222 www.example.com.http > audit.example.com.63816: S 3191891171:3191891171(0) ack 1315816471 win 9112 (DF)
19:29:55.974222 audit.example.com.63816 > www.example.com.http: R 1315816471:1315816471(0) win 0

OS Detection (Solaris shown)
19:29:55.984222 23.23.23.23.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 audit.example.com.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 24.24.24.24.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024
19:29:55.984222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:55.984222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:55.984222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:55.994222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:55.994222 23.23.23.23.63826 > www.example.com.http: . ack 0 win 1024
19:29:55.994222 www.example.com.http > audit.example.com.63823: S 3192034216:3192034216(0) ack 3812808642 win 8855 (DF)
19:29:55.994222 audit.example.com.63823 > www.example.com.http: R 3812808642:3812808642(0) win 0
19:29:56.004222 audit.example.com.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 24.24.24.24.63826 > www.example.com.http: . ack 0 win 1024
19:29:56.004222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.004222 23.23.23.23.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 audit.example.com.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 24.24.24.24.63828 > www.example.com.34599: . ack 0 win 1024
19:29:56.014222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.014222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.014222 www.example.com.http > audit.example.com.63826: R 0:0(0) win 0 (DF)
19:29:56.024222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.024222 24.24.24.24.63816 > www.example.com.34599: udp 300
19:29:56.634222 23.23.23.23.63824 > www.example.com.http: . win 1024
19:29:56.644222 audit.example.com.63824 > www.example.com.http: . win 1024
19:29:56.644222 24.24.24.24.63824 > www.example.com.http: . win 1024
19:29:56.644222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.644222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.644222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024
19:29:56.654222 23.23.23.23.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 audit.example.com.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 24.24.24.24.63828 > www.example.com.34599: . ack 1 win 1024
19:29:56.654222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.654222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0
19:29:56.664222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.664222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.664222 24.24.24.24.63816 > www.example.com.34599: udp 300

Sequence number generator exercise
19:29:57.184222 23.23.23.23.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.204222 audit.example.com.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.214222 www.example.com.http > audit.example.com.63817: S 3192528068:3192528068(0) ack 3812808643 win 9112 (DF)
19:29:57.214222 audit.example.com.63817 > www.example.com.http: R 3812808643:3812808643(0) win 0
19:29:57.224222 24.24.24.24.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.244222 23.23.23.23.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.264222 audit.example.com.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.274222 www.example.com.http > audit.example.com.63818: S 3192724219:3192724219(0) ack 3812808644 win 9112 (DF)
19:29:57.274222 audit.example.com.63818 > www.example.com.http: R 3812808644:3812808644(0) win 0
19:29:57.284222 24.24.24.24.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.304222 23.23.23.23.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.324222 audit.example.com.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.334222 www.example.com.http > audit.example.com.63819: S 3192958008:3192958008(0) ack 3812808645 win 9112 (DF)
19:29:57.334222 audit.example.com.63819 > www.example.com.http: R 3812808645:3812808645(0) win 0
19:29:57.344222 24.24.24.24.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.364222 23.23.23.23.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.384222 audit.example.com.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.394222 www.example.com.http > audit.example.com.63820: S 3193157286:3193157286(0) ack 3812808646 win 9112 (DF)
19:29:57.394222 audit.example.com.63820 > www.example.com.http: R 3812808646:3812808646(0) win 0
19:29:57.404222 24.24.24.24.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.424222 23.23.23.23.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.444222 audit.example.com.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.454222 www.example.com.http > audit.example.com.63821: S 3193331920:3193331920(0) ack 3812808647 win 9112 (DF)
19:29:57.454222 audit.example.com.63821 > www.example.com.http: R 3812808647:3812808647(0) win 0
19:29:57.464222 24.24.24.24.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.484222 23.23.23.23.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.504222 audit.example.com.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.514222 www.example.com.http > audit.example.com.63822: S 3193574611:3193574611(0) ack 3812808648 win 9112 (DF)
19:29:57.514222 audit.example.com.63822 > www.example.com.http: R 3812808648:3812808648(0) win 0
19:29:57.524222 24.24.24.24.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024

Interesting ports on www.example.com (1.1.1.1):
Port    State    Protocol    Service
80      open     tcp         http

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=25258 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Thanks for reading, have fun!