Nmap Development: RE: Finding real host in Nmap -D Scans

["Kevin Hodle" <kevinh () aos5 com>]

With most broadband providers, this is an obsolete method of port
scanning.  Broadband companies like comca$t have very strict egress
filters, and also 'ip verify reverse-path' on a cisco PIX (stateful)
will eliminate the possibility of decoy scans being run against machines
behind the PIX.  Edge routers can also be configured in a similar
fashion to accommodate external/DMZ machines like IDS's (witch should be
running a stealth interface anyway.)

 
Kevin Hodle
CCNA, Network+, A+
Alexander Open Systems
Network Operations Center
kevinh () aos5 com


-----Original Message-----
From: Ryan [mailto:ryan () packetwatch net] 
Sent: Sunday, March 02, 2003 6:25 PM
To: pen-test () securityfocus com; nmap-dev () insecure org
Cc: 'Fyodor'
Subject: Finding real host in Nmap -D Scans


Hi All,

I was wondering about the decoy scan in nmap.  Is there a way to tell
which host in a decoy scan is the real host?  I found a post by Dug Song
(http://www.geek-girl.com/ids/1999/0057.html), but these methods won't
work anymore.

First, as Dug Song said nmap now randomizes the ttl fields, and secondly
you can't narrow it down to a host that can run nmap, because nmap can
now be run on Windows systems as well.

Ryan Spangler
http://www.packetwatch.net


------------------------------------------------------------------------
----
<Pre>Do you know the base address of the Global Offset Table (GOT) on a
Solaris 8 box? CORE IMPACT does.</Pre> <A
href="http://www.securityfocus.com/core";>
http://www.securityfocus.com/core</A>


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).