Re: distributed nmap?
From: "Frasnelli, Dan" <dfrasnel () corewar com>
Date: Sun, 19 Mar 2000 16:05:55 -0800 (PST)
That sounds like a great idea, but it could backfire on Fyodor.
The distributed method sounds a lot like the DDoS tools that have
gotten so much publicity. Many people who do not understand nmap
may consider this new feature a threat.
Done properly, it would not have to appear as such.
For example.. a common tactic I use when probing a network
is to open a few xterms with sessions on 3-4 boxes not in
the same netblock. Each host has an nmap session queued up;
each session has only a couple ports to scan.
So on one, I might have 'nmap -sS -P0 -p 22,79 [ip]',
the other might have 'nmap -sS -P0 -p 113,139 [ip]', etc. which
are cron'd to run an hour or more apart. Most NIDS do not offer
trend analysis over that timespan (and with a major service
provider with thousands of hits per second, this is impractical),
so the scan slips under the wire.
Covert network discovery is largely a directed search - scans are done
for a limited set of services. Script kiddies or someone doing a
complete audit tend to scan the full range of ports.. more detectable
and depending on the number of hosts involved, a 'distributed attack'.
A slick distributed method could be useful.. but the implications of
being like a ddos depends on the operator.
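The evasion described in the post works only because the sensor correlates per source over a short window. As an added example (not from the post, the thread or the nmap project), here is the long-window correlation a defender would run instead: group SYN probes by destination regardless of which host sent them, and flag a destination once enough distinct ports are touched within a multi-hour span. The log line format and all addresses are constructed for the example.

```python
"""Long-window correlation of split port probes (added example, not from the
list post).  Constructed log line format:  <ISO ts> <src> -> <dst>:<port> <flags>
A probe split across hosts and spread hours apart still converges on one
destination, so count distinct ports per destination over a multi-hour window
rather than per source per minute."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three probing hosts, each hitting 1-2 ports an hour apart,
# plus ordinary web traffic that should not trip the detector.
SAMPLE_LOG = """\
2000-03-19T01:00:05 10.1.1.5 -> 192.0.2.10:22 S
2000-03-19T01:00:06 10.1.1.5 -> 192.0.2.10:79 S
2000-03-19T02:10:11 10.2.2.9 -> 192.0.2.10:113 S
2000-03-19T02:10:12 10.2.2.9 -> 192.0.2.10:139 S
2000-03-19T03:15:30 10.3.3.7 -> 192.0.2.10:25 S
2000-03-19T01:30:00 198.51.100.4 -> 192.0.2.20:80 S
2000-03-19T02:30:00 198.51.100.4 -> 192.0.2.20:80 S
"""

def parse_line(line):
    """Return (timestamp, src, dst, port, flags) for one constructed log line."""
    ts, src, _, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), flags

def distributed_probe_targets(log_text, window=timedelta(hours=6), min_ports=4):
    """Map each destination that saw SYNs to >= min_ports distinct ports within
    any `window`-long span (from any mix of sources) to
    (distinct_ports, distinct_sources) for the widest such span."""
    by_dst = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, flags = parse_line(line)
        if "S" in flags:                       # only initial SYNs count as probes
            by_dst[dst].append((ts, src, port))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            ports = {p for _, _, p in span}
            if len(ports) >= min_ports and len(ports) > hits.get(dst, (0, 0))[0]:
                hits[dst] = (len(ports), len({s for _, s, _ in span}))
    return hits
```

On the sample, the two-ports-per-host, hour-apart pattern from the post is invisible per source but the destination 192.0.2.10 accumulates five distinct ports from three sources inside one six-hour window, while the repeated port-80 traffic to 192.0.2.20 is not flagged.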