Nmap Development mailing list archives

RE: Finding real host in Nmap -D Scans


From: "Lampe, John W." <JWLAMPE () GAPAC com>
Date: Mon, 3 Mar 2003 11:55:05 -0500

just off the top of my head, if the Decoy hosts are live AND use simple incrementing IP IDs, then you could possibly 
use IP IDs to weed out decoys....

John

-----Original Message-----
From: Ryan [mailto:ryan () packetwatch net]
Sent: Sunday, March 02, 2003 7:25 PM
To: pen-test () securityfocus com; nmap-dev () insecure org
Cc: 'Fyodor'
Subject: Finding real host in Nmap -D Scans


Hi All,

I was wondering about the decoy scan in nmap.  Is there a way to tell
which host in a decoy scan is the real host?  I found a post by Dug Song
(http://www.geek-girl.com/ids/1999/0057.html), but these methods won't
work anymore.

First, as Dug Song said nmap now randomizes the ttl fields, and secondly
you can't narrow it down to a host that can run nmap, because nmap can
now be run on Windows systems as well.

Ryan Spangler
http://www.packetwatch.net
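John's IP ID suggestion, carried through as a worked classification step over captured scan packets. This is an added example written for this archive page, not code from the thread or from Nmap itself. The packet list is constructed for illustration, and the test for a "simple incrementing" counter (every 16-bit delta between consecutive IDs from one source falls in 1..256, with at least three samples) is an assumed threshold, not something the thread specifies. The script only does the sequence classification; which sources that lets a defender discount as decoys depends on what the observed IDs are compared against, which the thread leaves open.

```python
"""Classify per-source IP ID sequences from a captured decoy scan.

Heuristic (assumption, modelled on John Lampe's remark): packets a live
host emits through its own IP stack carry that stack's counter, so a host
with a simple incrementing IP ID yields small positive deltas modulo
2**16, while forged packets show large, erratic deltas.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

IPID_MODULUS = 1 << 16  # IP ID is a 16-bit field; counters wrap around

# Constructed sample: (source address, IP ID) in arrival order, as a
# defender might pull them from a pcap of a decoy SYN scan. All values are
# made up; the addresses are documentation ranges (RFC 5737).
PACKETS: List[Tuple[str, int]] = [
    ("192.0.2.10", 4081), ("198.51.100.7", 52211), ("203.0.113.3", 65530),
    ("192.0.2.10", 4082), ("198.51.100.7", 1987),  ("203.0.113.3", 65533),
    ("192.0.2.10", 4084), ("198.51.100.7", 30422), ("203.0.113.3", 2),
    ("192.0.2.10", 4085), ("198.51.100.7", 9001),  ("203.0.113.3", 5),
    ("192.0.2.77", 100),  ("192.0.2.77", 101),  # too few samples to judge
]


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IDs, modulo 2**16 so that a counter
    wrapping from 65535 back to 0 still reads as a small positive step."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def classify(ids: List[int], max_step: int = 256, min_samples: int = 3) -> str:
    """Return 'incrementing', 'random' or 'insufficient' for one source.

    max_step allows for other traffic the host sends between the packets
    we saw; both thresholds are assumptions, tune them to the environment.
    """
    if len(ids) < min_samples:
        return "insufficient"
    if all(1 <= d <= max_step for d in ipid_deltas(ids)):
        return "incrementing"
    return "random"


def group_by_source(packets: List[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Collect the IP IDs seen from each source address, preserving order."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for src, ipid in packets:
        seen[src].append(ipid)
    return dict(seen)


def summarize(packets: List[Tuple[str, int]]) -> Dict[str, str]:
    """Map each source address to its IP ID sequence classification."""
    return {src: classify(ids) for src, ids in group_by_source(packets).items()}


if __name__ == "__main__":
    for src, verdict in sorted(summarize(PACKETS).items()):
        ids = group_by_source(PACKETS)[src]
        print(f"{src:15} {verdict:13} ids={ids} deltas={ipid_deltas(ids)}")
```

Run it as-is to see the constructed sample classified; to use it on real captures, replace `PACKETS` with (source, IP ID) pairs extracted from a pcap, keeping arrival order, since the deltas only mean something in sequence.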

