Defeating NMAP scans

Hi everybody,
                  Is there any way to distinguish the probe packets
sent by NMAP from the normal communication packets? Also, can we
modify the responses to the nmap probes so that it could not recognise
the remote OS and the services? By default, NMAP probes the remote
machine by sending some packets in a specific order. Can anybody clue me
in on the order of the types of scans that NMAP does?

Re: Defeating NMAP scans


I doubt it.  Fyodor has an excellent track record for making nmap's
"stealth" scans be in practice impossible to distinguish from Internet
background noise.

If I may be so bold:  Maybe it'd be more fruitful just to assume that
the bad guys are able to portscan you, take that fact for granted, and
do your security planning accordingly?  That approach Works for Me<tm>.

Cheers,
Rick Moen

Katrina's Law:  Any sufficiently advanced incompetence is indistinguishable from malice.
(coinage attrib. to Paul Ciszek)

Re: Defeating NMAP scans

Hello Sunny,


Rick is just right.  However, you _could_ distinguish nmap's packets by
some heuristics like SYN rate, but this may lead to false positives
(even very often).  You might be interested in grsecurity [1], a kernel
patch.  It makes OS detection more difficult for nmap.  For me it
reports a wrong OS, but it still detects it being Linux.

As Rick said, just let port scans remain possible.  Hiding your OS is no
real gain in security.  Instead, configure your system properly and keep
it up to date.



[1] /
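The SYN-rate heuristic mentioned above, and why it produces false positives, as an added example that is not code from the thread: a raw per-source SYN-count check beside a distinct-destination-port check, both run over constructed packet records (the addresses, ports, timing, record format and thresholds are all assumptions).

```python
"""Two port-scan heuristics over constructed packet records (added example).

Each record is (timestamp_seconds, src_ip, dst_port, tcp_flags); "S" means a
SYN without ACK, i.e. a new connection attempt.  Only those are counted.
"""
from collections import defaultdict

# Constructed sample traffic: one source sweeps 20 ports in under a second,
# another is a busy but legitimate client reconnecting to port 443 many times.
SAMPLE_PACKETS = (
    [(0.05 * i, "203.0.113.7", 1 + i, "S") for i in range(20)]
    + [(0.03 * i, "198.51.100.9", 443, "S") for i in range(30)]
    # established traffic carrying ACK is ignored by both heuristics
    + [(0.5, "198.51.100.9", 443, "A"), (0.6, "203.0.113.7", 80, "PA")]
)


def _max_window_score(packets, window, score):
    """Per source, the maximum of score(events) over a sliding time window
    of `window` seconds, where events are (timestamp, dst_port) SYN records."""
    by_src = defaultdict(list)
    for ts, src, port, flags in packets:
        if flags == "S":
            by_src[src].append((ts, port))
    scores = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events older than window
                start += 1
            scores[src] = max(scores.get(src, 0), score(events[start:end + 1]))
    return scores


def syn_rate_alerts(packets, window=1.0, min_syns=15):
    """Naive heuristic: flag any source sending >= min_syns SYNs per window.
    Flags the legitimate 443 client as well as the scanner (false positive)."""
    scores = _max_window_score(packets, window, len)
    return {src: n for src, n in scores.items() if n >= min_syns}


def port_sweep_alerts(packets, window=1.0, min_ports=10):
    """Tighter heuristic: flag sources whose SYNs touch >= min_ports distinct
    destination ports per window.  Ignores reconnect churn to a single port."""
    scores = _max_window_score(packets, window, lambda ev: len({p for _, p in ev}))
    return {src: n for src, n in scores.items() if n >= min_ports}


if __name__ == "__main__":
    print("SYN rate:", syn_rate_alerts(SAMPLE_PACKETS))
    print("port sweep:", port_sweep_alerts(SAMPLE_PACKETS))
```

Even the distinct-port version is only a heuristic: slow scans spread across windows or across many source addresses fall under either threshold, which is the point Rick makes about planning as if the scan succeeds.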

Re: Defeating NMAP scans


A quick google (keywords "nmap fingerprint fake result")
could have picked out the answers to these questions. See for just some options.
