Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Fundumental Questions about NMAP
From: sgarcia <sgarcia () citefa gov ar>
Date: Tue, 5 Sep 2006 11:35:23 -0300

Hash: SHA1

On Monday 04 September 2006 10:50, Andreas Ericsson wrote:
uday kumar kunta wrote:
Dear Sir,

 Can you please clarify my simple questions....
1.how can we block the nmap scans across the network?

Use an adaptive firewall that recognizes and auto-blocks hosts that
portscans. I have no idea of where to find one, which ones are good, or
if it's worth bothering with.

Some, i hope usefull, ideas:

Being able to block, first means being able to detect, so:

- - p0f used to detect nmap traffic. (You can see an example output of p0f
  detecting nmap here: http://www.sans.org/resources/idfaq/p0f.php)
  "P0f is included with many distros, integrated into OpenBSD, amavisd,
  milter, and so on."

The problem is... that last p0f (2.0.7) still can't detect nmap4.11 nor 

- - snort can detect nmap traffic. (And try to block it)

Snort detection examples using 'nmap -sS -A -F -n -v yy.yy.yy.yy':

09/05-11:06:26.993324  [**] [122:3:0] (portscan) TCP Portsweep [**] {PROTO255} 
xx.xx.xx.xx -> yy.yy.yy.yy
09/05-11:06:26.993324  [**] [122:1:0] (portscan) TCP Portscan [**] {PROTO255} 
xx.xx.xx.xx -> yy.yy.yy.yy
09/05-11:07:23.493990  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: 
Attempted Information Leak] [Priority: 2] {TCP} xx.xx.xx.xx:44805 -> 

There are MANY more portscaners detectors, look here:

Keep in mind there will always be false positives.

This text is from the book "Network Security 
Hacks", 'http://hacks.oreilly.com/pub/h/1347&apos;

"To thwart Nmap's efforts, we can employ firewall rules that block packets 
used for operating-system probes. These are fairly easy to spot, since 
several of them have invalid combinations of TCP flags. Some of the tests 
that Nmap performs cannot be blocked by PF by simply adding block rules, but 
they can be blocked if stateful filtering and a default deny policy have been 
implemented in the ruleset. This is because some of the tests make use of TCP 
options, which cannot be filtered with PF.

To block these fingerprinting attempts with OpenBSD's PF, we can put rules 
similar to these in our /etc/pf.conf:
set block-policy  return

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

This also has the side effect of logging any attempts to the pflog0 interface. 
Even if we can't block all of Nmap's tests, we can at least log some of the 
more unique attempts, and possibly confuse it by providing an incomplete 
picture of our operating system's TCP stack behavior."



2.Which port is used when nmap run?

All of them. That's sort of the idea with a network probing program.

- -- 
Ing. Sebastián García
San Juan B. de La Salle 4397
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8285
e-mail: sgarcia () citefa gov ar - www.citefa.gov.ar/si6/
Version: GnuPG v1.4.5 (GNU/Linux)


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]