



Nmap Development mailing list archives

RE: Finding real host in Nmap -D Scans
From: "Lampe, John W." <JWLAMPE () GAPAC com>
Date: Mon, 3 Mar 2003 11:55:05 -0500

Just off the top of my head, if the Decoy hosts are live AND use simple incrementing IP IDs, then you could possibly use IP IDs to weed out decoys....

John

-----Original Message-----
From: Ryan [mailto:ryan () packetwatch net]
Sent: Sunday, March 02, 2003 7:25 PM
To: pen-test () securityfocus com; nmap-dev () insecure org
Cc: 'Fyodor'
Subject: Finding real host in Nmap -D Scans


Hi All,

I was wondering about the decoy scan in nmap.  Is there a way to tell
which host in a decoy scan is the real host?  I found a post by Dug Song
(http://www.geek-girl.com/ids/1999/0057.html), but these methods won't
work anymore.

First, as Dug Song said, nmap now randomizes the TTL fields, and secondly
you can't narrow it down to a host that can run nmap, because nmap can
now be run on Windows systems as well.

Ryan Spangler
http://www.packetwatch.net



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


