Nmap Decoy Analysis
Posted Aug 17, 1999
Authored by Max Vision

NMAP Decoy Analysis - Very detailed and informative case studies of NMAP Decoy scans.

tags | tool, nmap
systems | unix
SHA-256 | 11b78f67724b5908f12847fcce419ce568d92ab78da1bcab0bb613fa7b7faf00

<title>NMAP Decoy Analysis (Max Vision)</title>
<body bgcolor="#FFFFFF" text="#000000">
<table width="100%" border="0">
<tr>
<td width="56%">
<div align="left"><font face="Arial, Helvetica, sans-serif" color="#000066">NMAP - Scan Analysis (v2)</font></div>
</td>
<td width="44%">
<div align="right"><font face="Arial, Helvetica, sans-serif" color="#000066">1999-04-05</font></div>
</td>
</tr>
</table>
<p><font face="Arial, Helvetica, sans-serif">Hello,</font></p>
<p><font face="Arial, Helvetica, sans-serif">This page is for anyone who cares
to see the details behind an NMAP scan with the -D decoy option set. Basically
I hope to answer two questions:</font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif">Does NMAP spoof every aspect of
the scan, including ICMP, ACK, and OS Identification? (<i>yes, beautifully if used properly</i>)</font></li>
<li><font face="Arial, Helvetica, sans-serif">Can you tell which host in a Decoy
Storm is the real host? (<i>no, if used properly</i>)</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif">When I created a case study of these topics earlier today I used decoy hosts that were not responsive (nonexistent IP addresses). Fyodor quickly pointed out that this breaks one of the cardinal rules of decoy scanning. <i>The decoys must be alive</i>. :) </font></p>
<p><font face="Arial, Helvetica, sans-serif">NMAP
appears to spoof every operation correctly: for each probe it sends one identical packet from every source address (your local system and each of the decoys). My initial testing showed that only the local system
sends RSTs in response to successfully queried ports in a SYN scan. However, this behavior is correct. The local system <i>should not</i> send RSTs on behalf of the other systems, because that is exactly what <i>they</i> are supposed to do. My test decoys (23.23.23.23 and 24.24.24.24) are not active hosts, and so would not generate the expected RST packets. Had I used responsive decoy hosts, the local system source address would be indistinguishable from the others.</font></p>
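<p><font face="Arial, Helvetica, sans-serif">The following Python script is an added example, not part of Max Vision's original page and not NMAP's own code: it shows how a defender capturing on the <i>target's</i> side of the link can triage a decoy storm from tcpdump lines in the format used on this page. It looks for the storm signature visible in the captures (the same source port, flags, and sequence number arriving from several source addresses, which covers the ACK probes and OS-detection probes as well as the SYNs) and then attributes the scan by checking which sources actually answer the target's SYN/ACK with a RST. The sample captures, the target name www.example.com, the hostnames and the function names are constructed for the example; with unresponsive decoys the real host is the only source that resets, while with live decoys every source resets and the RST test alone cannot single it out.</font></p>

```python
"""Triage of an nmap -D (decoy) SYN scan from tcpdump-style lines.
Added example; the captures below are constructed in the 1999 tcpdump
format used on this page, as seen from the TARGET's side of the link,
so the target's reply to every decoy address is visible."""
import re
from collections import defaultdict

# e.g. 19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFPRU.]+)\s*(?P<rest>.*)$"
)


def parse_tcp(lines):
    """One dict per TCP line; ICMP and unparseable lines are skipped."""
    pkts = []
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        seq = re.match(r"(\d+):\d+\(\d+\)", p["rest"])   # "seq:seq(len)"
        ack = re.search(r"\back (\d+)", p["rest"])
        p["seq"] = int(seq.group(1)) if seq else None
        p["ack"] = int(ack.group(1)) if ack else None
        pkts.append(p)
    return pkts


def find_decoy_storms(pkts, target):
    """Storm signature: identical (dport, sport, flags, seq) from 2+ sources.
    nmap -D emits one copy of each probe per source address, so ACK probes,
    SYNs and OS-detection probes all show up this way."""
    groups = defaultdict(set)
    for p in pkts:
        if p["dst"] == target:
            groups[(p["dport"], p["sport"], p["flags"], p["seq"])].add(p["src"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def live_sources(pkts, target):
    """Sources that answered the target's SYN/ACK with a matching RST.
    A real stack resets an unsolicited SYN/ACK; a nonexistent decoy address
    never answers. The RST must come from the probed port and carry
    seq == the SYN/ACK's ack number."""
    expected = {}  # (source, sport) -> ack number the RST must carry
    for p in pkts:
        if p["src"] == target and "S" in p["flags"] and p["ack"] is not None:
            expected[(p["dst"], p["dport"])] = p["ack"]
    live = set()
    for p in pkts:
        key = (p["src"], p["sport"])
        if p["flags"] == "R" and p["dst"] == target and expected.get(key) == p["seq"]:
            live.add(p["src"])
    return live


def attribute_scanner(lines, target):
    """Return (storm sources, sources that reset, real host or None)."""
    pkts = parse_tcp(lines)
    sources = set()
    for srcs in find_decoy_storms(pkts, target).values():
        sources.update(srcs)
    live = live_sources(pkts, target) & sources
    real = next(iter(live)) if len(live) == 1 else None
    return sorted(sources), sorted(live), real


TARGET = "www.example.com"
# Constructed capture: decoys 23.23.23.23 / 24.24.24.24 do not exist, as on this page.
DEAD_DECOYS = [
    "19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024",
    "19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024",
    "19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024",
    "19:44:00.424222 www.example.com.http > 23.23.23.23.38139: S 3305543705:3305543705(0) ack 1559207493 win 9112 <mss 536> (DF)",
    "19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 <mss 536> (DF)",
    "19:44:00.424222 www.example.com.http > 24.24.24.24.38139: S 3305543707:3305543707(0) ack 1559207493 win 9112 <mss 536> (DF)",
    "19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0",
]
# Constructed capture: the same scan with decoys that are live hosts, so each
# one resets the SYN/ACK it never asked for.
LIVE_DECOYS = DEAD_DECOYS + [
    "19:44:00.434222 23.23.23.23.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0",
    "19:44:00.444222 24.24.24.24.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0",
]

if __name__ == "__main__":
    for name, cap in (("dead decoys", DEAD_DECOYS), ("live decoys", LIVE_DECOYS)):
        sources, live, real = attribute_scanner(cap, TARGET)
        print(f"{name}: storm from {sources}; reset by {live}; real host: {real or 'indeterminate'}")
```

<p><font face="Arial, Helvetica, sans-serif">Run stand-alone, the script reports audit.example.com as the real host for the first capture and "indeterminate" for the second. The storm grouping is deliberately keyed on flags and sequence number rather than on the source address, because that is the one thing the decoy option cannot vary without breaking the scan; the RST attribution is a separate step so that a capture with live decoys still surfaces the storm even when it cannot name the scanner.</font></p>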
<p><font face="Arial, Helvetica, sans-serif">FIN,
NULL, XMAS, and UDP scans appear to work equally well with the -D decoy option.</font></p>
<p><font face="Arial, Helvetica, sans-serif">Hope someone finds this remotely useful
or interesting.</font></p>
<p><font face="Arial, Helvetica, sans-serif">Max Vision<br>
</font></p>
<p>&nbsp;</p>
<table border="0" cellspacing="2" bgcolor="#0000FF" >
<tr>
<td>
<table width="100%" border="0" bgcolor="#FFFFFF" cellpadding="6">
<tr>
<td><b><font face="Arial, Helvetica, sans-serif" size="4">Decoys, without
OS detection</font></b></td>
</tr>
</table>
</td>
</tr>
</table>
<pre>
[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)


<b><i><font color="#0000FF">ICMP Probe</font></i></b>
19:44:00.294222 23.23.23.23 > www.example.com: icmp: echo request
19:44:00.304222 audit.example.com > www.example.com: icmp: echo request
19:44:00.304222 24.24.24.24 > www.example.com: icmp: echo request

<b><i><font color="#0000FF">ACK Probe</font></i></b>
19:44:00.314222 23.23.23.23.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 audit.example.com.38159 > www.example.com.http: . ack 0 win 1024
19:44:00.314222 24.24.24.24.38159 > www.example.com.http: . ack 0 win 1024

<b><i><font color="#0000FF">Hey we got a live one here!@#$</font></i></b>
19:44:00.324222 www.example.com.http > audit.example.com.38159: R 0:0(0) win 0 (DF)

<b><i><font color="#0000FF">SYN scan</font></i></b>
19:44:00.394222 23.23.23.23.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.394222 audit.example.com.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024
19:44:00.404222 24.24.24.24.38139 > www.example.com.http: S 1559207492:1559207492(0) win 1024

<b><i><font color="#0000FF">SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.</font></i></b>
19:44:00.424222 www.example.com.http > audit.example.com.38139: S 3305543706:3305543706(0) ack 1559207493 win 9112 <mss 536> (DF)
19:44:00.424222 audit.example.com.38139 > www.example.com.http: R 1559207493:1559207493(0) win 0

Interesting ports on www.example.com (1.1.1.1):
Port State Protocol Service
80 open tcp http

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

</pre>
<table border="0" cellspacing="2" bgcolor="#0000FF">
<tr>
<td>
<table width="100%" border="0" bgcolor="#FFFFFF" cellpadding="6">
<tr>
<td><b><font face="Arial, Helvetica, sans-serif" size="4">Decoys, OS
detection</font></b></td>
</tr>
</table>
</td>
</tr>
</table>
<pre>

[audit ~]# nmap -sS -D23.23.23.23,ME,24.24.24.24 -O -p 80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)


<b><i><font color="#0000FF">ICMP Probe</font></i></b>
19:29:55.854222 23.23.23.23 > www.example.com: icmp: echo request
19:29:55.864222 audit.example.com > www.example.com: icmp: echo request
19:29:55.864222 24.24.24.24 > www.example.com: icmp: echo request

<b><i><font color="#0000FF">ACK Probe</font></i></b>
19:29:55.864222 23.23.23.23.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 audit.example.com.63836 > www.example.com.http: . ack 0 win 1024
19:29:55.874222 24.24.24.24.63836 > www.example.com.http: . ack 0 win 1024

<b><i><font color="#0000FF">Wooop got your nose!@#$</font></i></b>
19:29:55.884222 www.example.com.http > audit.example.com.63836: R 0:0(0) win 0 (DF)

<b><i><font color="#0000FF">SYN scan</font></i></b>
19:29:55.954222 23.23.23.23.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 audit.example.com.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024
19:29:55.964222 24.24.24.24.63816 > www.example.com.http: S 1315816470:1315816470(0) win 1024

<b><i><font color="#0000FF">SYN+ACK response means open port here. We RST appropriately.
Note: If you use valid decoys they will RST as well.</font></i></b>
19:29:55.974222 www.example.com.http > audit.example.com.63816: S 3191891171:3191891171(0) ack 1315816471 win 9112 <mss 536> (DF)
19:29:55.974222 audit.example.com.63816 > www.example.com.http: R 1315816471:1315816471(0) win 0

<font color="#0000FF"><b><i>OS Detection</i></b></font>
<font color="#990033">19:29:55.984222 23.23.23.23.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.984222 audit.example.com.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.984222 24.24.24.24.63823 > www.example.com.http: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:55.984222 23.23.23.23.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.984222 audit.example.com.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.984222 24.24.24.24.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:55.994222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.994222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.994222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:55.994222 23.23.23.23.63826 > www.example.com.http: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:55.994222 www.example.com.http ><nop,nop,timestamp 278826616 1061109567,nop,[|tcp]> audit.example.com.63823: S 3192034216:3192034216(0) ack 3812808642 win 8855 (DF)
19:29:55.994222 audit.example.com.63823 > www.example.com.http: R 3812808642:3812808642(0) win 0
19:29:56.004222 audit.example.com.63826 > www.example.com.http: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.004222 24.24.24.24.63826 > www.example.com.http: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.004222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.004222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.004222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.004222 23.23.23.23.63828 > www.example.com.34599: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.014222 audit.example.com.63828 > www.example.com.34599: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.014222 24.24.24.24.63828 > www.example.com.34599: . ack 0 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.014222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.014222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.014222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.014222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.014222 www.example.com.http > audit.example.com.63826: R 0:0(0) win 0 (DF)
19:29:56.024222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.024222 24.24.24.24.63816 > www.example.com.34599: udp 300

19:29:56.634222 23.23.23.23.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.644222 audit.example.com.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.644222 24.24.24.24.63824 > www.example.com.http: . win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.644222 23.23.23.23.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.644222 audit.example.com.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.644222 24.24.24.24.63825 > www.example.com.http: SFP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.644222 23.23.23.23.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.644222 audit.example.com.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.654222 24.24.24.24.63827 > www.example.com.34599: S 3812808641:3812808641(0) win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.654222 23.23.23.23.63828 > www.example.com.34599: . ack 1 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.654222 audit.example.com.63828 > www.example.com.34599: . ack 1 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.654222 24.24.24.24.63828 > www.example.com.34599: . ack 1 win 1024 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.654222 23.23.23.23.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.654222 audit.example.com.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>
19:29:56.654222 24.24.24.24.63829 > www.example.com.34599: FP 3812808641:3812808641(0) win 1024 urg 0 <wscale 10nopmss 265timestamp 1061109567[tcp]>

19:29:56.664222 23.23.23.23.63816 > www.example.com.34599: udp 300
19:29:56.664222 audit.example.com.63816 > www.example.com.34599: udp 300
19:29:56.664222 24.24.24.24.63816 > www.example.com.34599: udp 300</font>

<b><i><font color="#0000FF">Sequencing (hey with bsd TTCP and the Linux messup, who needs sequencing? :)</font></i></b>
<font color="#990033">19:29:57.184222 23.23.23.23.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.204222 audit.example.com.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024
19:29:57.214222 www.example.com.http > audit.example.com.63817: S 3192528068:3192528068(0) ack 3812808643 win 9112 <mss 536> (DF)
19:29:57.214222 audit.example.com.63817 > www.example.com.http: R 3812808643:3812808643(0) win 0
19:29:57.224222 24.24.24.24.63817 > www.example.com.http: S 3812808642:3812808642(0) win 1024

19:29:57.244222 23.23.23.23.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.264222 audit.example.com.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024
19:29:57.274222 www.example.com.http > audit.example.com.63818: S 3192724219:3192724219(0) ack 3812808644 win 9112 <mss 536> (DF)
19:29:57.274222 audit.example.com.63818 > www.example.com.http: R 3812808644:3812808644(0) win 0
19:29:57.284222 24.24.24.24.63818 > www.example.com.http: S 3812808643:3812808643(0) win 1024

19:29:57.304222 23.23.23.23.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.324222 audit.example.com.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024
19:29:57.334222 www.example.com.http > audit.example.com.63819: S 3192958008:3192958008(0) ack 3812808645 win 9112 <mss 536> (DF)
19:29:57.334222 audit.example.com.63819 > www.example.com.http: R 3812808645:3812808645(0) win 0
19:29:57.344222 24.24.24.24.63819 > www.example.com.http: S 3812808644:3812808644(0) win 1024

19:29:57.364222 23.23.23.23.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.384222 audit.example.com.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024
19:29:57.394222 www.example.com.http > audit.example.com.63820: S 3193157286:3193157286(0) ack 3812808646 win 9112 <mss 536> (DF)
19:29:57.394222 audit.example.com.63820 > www.example.com.http: R 3812808646:3812808646(0) win 0
19:29:57.404222 24.24.24.24.63820 > www.example.com.http: S 3812808645:3812808645(0) win 1024

19:29:57.424222 23.23.23.23.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.444222 audit.example.com.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024
19:29:57.454222 www.example.com.http > audit.example.com.63821: S 3193331920:3193331920(0) ack 3812808647 win 9112 <mss 536> (DF)
19:29:57.454222 audit.example.com.63821 > www.example.com.http: R 3812808647:3812808647(0) win 0
19:29:57.464222 24.24.24.24.63821 > www.example.com.http: S 3812808646:3812808646(0) win 1024

19:29:57.484222 23.23.23.23.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.504222 audit.example.com.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
19:29:57.514222 www.example.com.http > audit.example.com.63822: S 3193574611:3193574611(0) ack 3812808648 win 9112 <mss 536> (DF)
19:29:57.514222 audit.example.com.63822 > www.example.com.http: R 3812808648:3812808648(0) win 0
19:29:57.524222 24.24.24.24.63822 > www.example.com.http: S 3812808647:3812808647(0) win 1024
</font>
Interesting ports on www.example.com (1.1.1.1):
Port State Protocol Service
80 open tcp http

TCP Sequence Prediction: Class=random positive increments
Difficulty=25258 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
</pre>
<br>
<font face="Arial, Helvetica, sans-serif">Thanks for reading, have fun!</font>
<br><br>
[original url: http://www.whitehats.com/nmap/]

</body>
</html>