Re: New Nmap options for IDS interaction

[David Fifield <david () bamsoftware com>]

On Sun, Feb 28, 2010 at 09:03:58PM +0100, Theo Dzierzbicki wrote:
> Hi everyone,
>
> I send this mail to ask for comments about some ideas I had about adding new
> nmap timing options for IDSs.
>
> I am following this list for about two months now ( but this is my first
> post ), and I've read "Nmap Network Scanning". One thing that annoyed me was
> the recommended approach about IDS evasion (Chapter 10.5 : "Subverting
> IDSs").
> Having to use a shell script to restart Nmap for each host you want to port
> scan. Maybe some options should be implemented to address this situation.
>
> o New options ideas :
>
> So basically if I understood well, the way packets should be sent to avoid
> detection by an IDS is something like :
> - Send no more than X packets in a time t1
> - Then wait at least until t2 before sending anything again.
>
> An ASCII scheme to sum up a bit ( you will probably have to copypaste it in
> a terminal to actually see something ) :
>
> |----|----|----|----|----|-----------------|----|----|----|----|----|-----
> ...
>
> |_t0_|
> |___________t1___________|
>                          |________t2_______|
>
>
> Anyway :
>  t0 => delay between each packet ( --scan-delay )
>  t1 => time lapse in which to send packets
>  t2 => delay before we can send packets again
>  X  => number of packets to send per iteration
>
> Simply put, three valid combinations of options :
> - A number of packets X per interval t1, and delay t2 (--scan-delay t0
> implied)
> - A delay between packets t0, a time to send them t1, a delay t2 ( X number
> of
> packets implied )
> - A number of packets X to send with a delay t0 between them, then wait for
> delay t2 ( t1 to send packets implied )

Can you mock up some command lines showing how the new options would be
used? I think that would help me understand your proposal.

> o Miscellaneous questions :
>
> - From what I've read in the HACKING file, and what I've seen on the
> list, it seems the right place to ask questions about technical points
> / feature development is precisely the list. Correct ?

Yes, that's right.

> - If the idea is welcomed, maybe please a pointer to get me started with the
> implementation ? I would do it gladly but I'm a newbie with the codebase
> ( Subliminal message : for now. The GSoC is near :) ... )

Look in the file scan_engine.cc. The structs ultra_timing_vals,
send_delay_nfo, and rate_limit_detection_nfo control most timing. Search
for variables with those types and see where they are used an modified.
ultrascan_adjust_timing is noteworthy.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/