NMAP • ANA MARIA CHANABA • ROBERT HUYLO
HOW TO HIDE IP ADDRESS
• Decoy scanning can be used to effectively confuse the intended target.
• Basically you are sending spoofed packets with fake source addresses along with packets from your real address, hoping to make it harder to find out exactly who is scanning them.
• nmap -sS -D (IP addresses of multiple hosts)
• nmap sends four packets, each from a different source address.
DECOYS
• What is the point of sending four TCP SYN packets?
• The reason is to hide the real IP address in a mass of foreign addresses, making it more difficult to detect the real attacker.
• Another thing to note: the more decoys, the slower the scan.
DECOY
• The decoy addresses will receive either a RST or an ICMP Port Unreachable if the port is closed, or a SYN/ACK packet if the port is open.
• When a decoy is specified by host name, the real IP will show up on the DNS server that resolves the decoy.
• This technique still requires the attacker to send some packets to the target from her real IP address. Idle scan, on the other hand, does not send any packets from the attacker's own address.
DECOY: NMAP AND SNORT, TWO SIDES OF THE SAME COIN
• Nmap is a port scanner, which can search a target computer for open ports, and thus for potential security loopholes.
• Snort's task is to counteract nmap. Snort is a daemon which scans through a network for suspect packets and logs them.
• The real IP might set off more warnings in Snort than the decoys.
• The real attacker's IP in a decoy scan always shows up first in the Snort alert log.
IP'S SHOW UP IN A SNORT LOG
• nmap output (packet trace):
SENT (0.0060s) ICMP 192.168.0.4 > 192.168.0.3 Echo request (type=8/code=0) ttl=42 id=2717 iplen=28
SENT (0.0070s) ICMP 192.168.0.7 > 192.168.0.3 Echo request (type=8/code=0) ttl=58 id=27663 iplen=28
SENT (0.0070s) ICMP 192.168.0.1 > 192.168.0.3 Echo request (type=8/code=0) ttl=41 id=3618 iplen=28
RCVD (0.0070s) ICMP 192.168.0.3 > 192.168.0.4 Echo reply (type=0/code=0) ttl=64 id=37318 iplen=28
• Snort alert log:
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256183 192.168.0.4 -> 192.168.0.3
ICMP TTL:42 TOS:0x0 ID:2717 IpLen:20 DgmLen:28
Type:8 Code:0 ID:53476 Seq:52818 ECHO
[Xref => http://www.whitehats.com/info/IDS162]
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256190 192.168.0.7 -> 192.168.0.3
ICMP TTL:58 TOS:0x0 ID:27663 IpLen:20 DgmLen:28
Type:8 Code:0 ID:53476 Seq:52818 ECHO
[Xref => http://www.whitehats.com/info/IDS162]
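The two Snort alerts on this slide share one tell: different source addresses, microseconds apart, carrying the same ICMP echo ID (53476) and sequence (52818), while the IP TTLs differ per source. A single sender spoofing several sources produces exactly that pattern. The following parser is an added example for the defender's side of the slide, not code from the presentation or from Snort; it reads Snort full-format alert blocks, groups ICMP echo alerts by (destination, ICMP ID, Seq), and reports any group with several sources inside a short window, listing the sources in the order they appeared. The sample log is constructed: the slide's two alerts, a third alert for the 192.168.0.1 decoy seen in the nmap SENT lines, and an unrelated single ping that must not be flagged.

```python
import re
from datetime import datetime

# Constructed sample log (Snort full alert format). The first two blocks are the
# alerts from the slide; the third is assumed for the 192.168.0.1 decoy that the
# nmap SENT trace shows; the fourth is an unrelated ping with its own ICMP ID/Seq.
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256183 192.168.0.4 -> 192.168.0.3
ICMP TTL:42 TOS:0x0 ID:2717 IpLen:20 DgmLen:28
Type:8  Code:0  ID:53476   Seq:52818  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256190 192.168.0.7 -> 192.168.0.3
ICMP TTL:58 TOS:0x0 ID:27663 IpLen:20 DgmLen:28
Type:8  Code:0  ID:53476   Seq:52818  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256195 192.168.0.1 -> 192.168.0.3
ICMP TTL:41 TOS:0x0 ID:3618 IpLen:20 DgmLen:28
Type:8  Code:0  ID:53476   Seq:52818  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-19:02:01.000000 192.168.0.9 -> 192.168.0.3
ICMP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1234   Seq:1  ECHO
[Xref => http://www.whitehats.com/info/IDS162]
"""

ALERT_HDR = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$", re.M)
IP_LINE = re.compile(r"^ICMP TTL:(\d+) ", re.M)
ECHO_LINE = re.compile(r"Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")


def parse_alerts(text):
    """Turn Snort full-format alert blocks into dicts; skips blocks that are not ICMP echo alerts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, ip, echo = ALERT_HDR.search(block), IP_LINE.search(block), ECHO_LINE.search(block)
        if not (hdr and ip and echo):
            continue
        date, clock, src, dst = hdr.groups()
        # Snort omits the year; 1900 is fine because only time differences are used.
        ts = datetime.strptime(f"{date} {clock}", "%m/%d %H:%M:%S.%f")
        alerts.append({"ts": ts, "src": src, "dst": dst, "ttl": int(ip.group(1)),
                       "icmp_id": int(echo.group(3)), "seq": int(echo.group(4))})
    return alerts


def find_decoy_bursts(alerts, window_seconds=1.0):
    """Group echo alerts sharing (dst, ICMP ID, Seq); several sources within the window = one spoofing sender."""
    groups = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        groups.setdefault((a["dst"], a["icmp_id"], a["seq"]), []).append(a)
    bursts = []
    for (dst, icmp_id, seq), members in groups.items():
        span = (members[-1]["ts"] - members[0]["ts"]).total_seconds()
        sources = []  # distinct sources in order of first appearance
        for m in members:
            if m["src"] not in sources:
                sources.append(m["src"])
        if len(sources) >= 2 and span <= window_seconds:
            bursts.append({"dst": dst, "icmp_id": icmp_id, "seq": seq, "span_seconds": span,
                           "sources": sources, "first_source": sources[0],
                           "ttls": {m["src"]: m["ttl"] for m in members}})
    return bursts


if __name__ == "__main__":
    for b in find_decoy_bursts(parse_alerts(SAMPLE_ALERTS)):
        print(f"decoy burst -> {b['dst']}: {len(b['sources'])} sources share ICMP id "
              f"{b['icmp_id']}/seq {b['seq']} within {b['span_seconds'] * 1e6:.0f} us")
        print("  order seen:", ", ".join(b["sources"]), f"(first: {b['first_source']})")
        print("  per-source TTL:", b["ttls"])
```

The first-seen source is reported because the slide states that the real attacker's IP shows up first in the Snort alert log; the per-source TTLs are printed because the slide's trace shows nmap varying the TTL per decoy, which a reviewer can compare against the TTL the real host normally produces.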
-sI Idlescan
• Completely "blind" scanning: no packets are sent to the target from the machine running nmap.
• Uses another host (the "zombie") to bounce packets to the target.
• Can reveal IP-based trust relationships.