NMAP
Sponsored Links
This presentation is the property of its rightful owner.
1 / 8

NMAP PowerPoint PPT Presentation


  • 123 Views
  • Uploaded on
  • Presentation posted in: General

NMAP. ANA MARIA CHANABA ROBERT HUYLO. HOW TO HIDE IP ADDRESS. Decoy scanning can be used to effectively confuse the intended target.

Download Presentation

NMAP

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


NMAP

  • ANA MARIA CHANABA

  • ROBERT HUYLO


HOW TO HIDE IP ADDRESS

  • Decoy scanning can be used to effectively confuse the intended target.

  • Basically you are sending spoofed packets with a fake source address along with your original address hoping to make it harder to find out exactly who is scanning them.

  • nmap -sS -D ( IP address of multiple host)

  • nmap sends four packets each from a different source address.


DECOYS

  • What is the point of sending four TCP SYN packets?

  • The reason is to hide the real IP address in a mass of foreign addresses. Making it more difficult to detect the real attacker.

  • Another thing to note is the more decoys the slower the scan.


DECOY

  • The decoy address will be receiving either RESET ICMP Port Unreachable if the port is closed and SYN ACK packets if the port is open.

  • When the host name is specified, the real IP will show up on the DNS server of the decoy.

  • This technique requires an attacker to send some packets to the target from her real IP address. On the other hand, Idle scan does not send any packets.


DECOY: NMAP AND SNORT TWO SIDES OF THE SAME COIN

  • Nmap is a port scanner, which can search a target computer for open ports, and thus for potential security loopholes.

  • Snort’s task is to counteract nmap. Snort is a daemon which scans through a network for suspect packages and logs them.

  • IP might set of more warnings in snort than the decoys.

  • The real attackers IP in a decoy scan always shows up first in the snort alert log.


IP’S SHOW UP IN A SNORT LOG

  • SENT (0.0060s) ICMP 192.168.0.4 > 192.168.0.3 Echo request (type=8/code=0) ttl=42 id=2717 iplen=28SENT (0.0070s) ICMP 192.168.0.7 > 192.168.0.3 Echo request (type=8/code=0) ttl=58 id=27663 iplen=28SENT (0.0070s) ICMP 192.168.0.1 > 192.168.0.3 Echo request (type=8/code=0) ttl=41 id=3618 iplen=28RCVD (0.0070s) ICMP 192.168.0.3 > 192.168.0.4 Echo reply (type=0/code=0) ttl=64 id=37318 iplen=28

  • [**] [1:469:1] ICMP PING NMAP [**][Classification: Attempted Information Leak] [Priority: 2]07/23-18:46:13.256183 192.168.0.4 -> 192.168.0.3ICMP TTL:42 TOS:0x0 ID:2717 IpLen:20 DgmLen:28Type:8 Code:0 ID:53476 Seq:52818 ECHO[Xref => http://www.whitehats.com/info/IDS162][**] [1:469:1] ICMP PING NMAP [**][Classification: Attempted Information Leak] [Priority: 2]07/23-18:46:13.256190 192.168.0.7 -> 192.168.0.3ICMP TTL:58 TOS:0x0 ID:27663 IpLen:20 DgmLen:28Type:8 Code:0 ID:53476 Seq:52818 ECHO[Xref => http://www.whitehats.com/info/IDS162]


-sI Idlescan

  • Completely “blind” scanning

    - no packets are sent to target from machine running nmap

  • Uses another host (“zombie”), to bounce packets to target

  • Can reveal IP-based trust relationships


  • Login