Home page logo

Nmap Announce mailing list archives

Re: fooling nmap
From: Vanja Hrustic <vanja () relaygroup com>
Date: Fri, 11 Feb 2000 17:21:24 +0700

Bep Verberk wrote:
BTW, anyone working on an ID  tool that fingerprints nmap ?  Something that
would identify an nmap scan, the type of scan, the version of nmap, the OS the
scan was run from, etc.

Well, snort can recognize nMap scans (and if you use portscan
preprocessor, it will recognize much more), but to identify nMap version
and OS... hmmm... I doubt that you can easily do it. To recognize nMap
version, one would need to know if Fyodor has changed things (related to
scanning itself, like packet load, etc.) in certain versions of nMap -
Fyodor might help with this. But to recognize OS, one would need to do
an nMap scan against the scanning host :) And that topic always brings a
thread that talks about 'legality' of counter-scan, etc, etc :)

Snort is available at http://www.clark.net/~roesch/security.html

Check it (if you haven't already) - it's *lovely* :))) 

IPLog can also recognize nMap scans, and OS fingerprinting. IPlog will
start sending bogus packets back to the scanning host when it encounters
OS fingerprinting, and it is supposed to do the same when it encounters
SYN scans (didn't work for me). I've tried the OS fingerprinting
'fooling' - works very well :)

IPLog is available at http://ojnk.sourceforge.net/


Vanja Hrustic
The Relay Group
Technology Ahead of Time

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]