12 Timing and Hiding Scans

12.1 Timing
Nmap adjusts its timings automatically depending on network speed and response times of the victim. However, you may want more control over the timing in order to create a more stealthy scan, or to get the scan over and done with quicker. The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number (starting with 0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane.

A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent. This makes it almost impossible for a firewall to detect a port scan in progress (since the scan takes so long it would most likely be attributed to random network traffic). Such a scan will still show up in logs, but it will be so spread out that most analysis tools or humans will miss it completely.

A -T Insane (or -T5) scan will map a host in very little time, provided you are on a very fast network or don't mind losing some information along the way.

Timings for individual aspects of a scan can also be set using the --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --min-parallelism and --scan-delay options. See the Nmap manual for details.
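As a defender-side counterpart to the timing discussion above, here is an added example (not part of the original guide) that aggregates firewall log lines per source over a long window, so that a scan spread out at -T0 cadence still stands out by the number of distinct ports it touches and by the gap between its probes. The iptables-style log format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (not from any real host): 198.51.100.7
# probes five ports about five minutes apart, while 203.0.113.5 merely retries
# port 443, which is ordinary client behaviour.
SAMPLE_LOG = """\
Jan 10 02:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Jan 10 02:05:14 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Jan 10 02:06:00 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Jan 10 02:06:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Jan 10 02:10:41 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Jan 10 02:16:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Jan 10 02:21:30 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_events(log_text):
    """Yield (timestamp, src, dst, dport) for each line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which
            # is fine for measuring gaps between events inside one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), m.group("dst"), int(m.group("dpt"))

def slow_scan_sources(log_text, window=timedelta(hours=24), min_ports=5):
    """Flag sources touching >= min_ports distinct ports on one host within window.

    Returns {src: (distinct_ports, shortest_gap_seconds)}; the shortest gap
    between consecutive probes exposes the cadence (around 300 s for -T0).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in parse_events(log_text):
        by_pair[(src, dst)].append((ts, dpt))
    flagged = {}
    for (src, dst), events in by_pair.items():
        events.sort()
        ports = {dpt for _, dpt in events}
        if len(ports) < min_ports or events[-1][0] - events[0][0] > window:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        flagged[src] = (len(ports), min(gaps))
    return flagged
```

Because the aggregation keys on the source address, a decoy scan (section 12.2) flags every decoy as well as the real origin, which is exactly the ambiguity that section describes.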

12.2 Decoys
The -D option allows you to specify decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look more scary, but reduces the chance of you being traced from your scan (it is difficult to tell which system is the "real" source).
12.3 FTP Bounce
The FTP protocol (RFC 959) specified support for a "proxy" FTP, which allowed a connection to an FTP server to send data to anywhere on the internet. This tends not to work with modern ftpds, in which it is an option usually disabled in the configuration. If a server with this feature is used by Nmap, it can be used to try to connect to ports on your victim, thus determining their state. This scan method allows for some degree of anonymity, although the FTP server may log connections and commands sent to it.
12.4 Turning Off Ping
The -P0 (that's a zero) option allows you to switch off ICMP pings. The -PT option switches on TCP pings; you can specify a port after the -PT option to be the port to use for the TCP ping.

Disabling pings has two advantages: first, it adds extra stealth if you're running one of the more stealthy attacks, and secondly it allows Nmap to scan hosts which don't reply to pings (ordinarily, Nmap would report those hosts as being "down" and not scan them).

In conjunction with -PT, you can use -PS to send SYN packets instead of ACK packets for your TCP ping. The -PU option (with optional port list after) sends UDP packets for your "ping". This may be best to send to suspected-closed ports rather than open ones, since open UDP ports tend not to respond to zero-length UDP packets. Other ping types are -PE (standard ICMP Echo Request), -PP (ICMP Timestamp Request), -PM (Netmask Request) and -PB (default, uses both ICMP Echo Request and TCP ping, with ACK packets).
12.5 Fragmenting
The -f option splits the IP packet into tiny fragments when used with -sS, -sF, -sX or -sN. This makes it more difficult for a firewall or packet filter to determine the packet type. Note that many modern packet filters and firewalls (including iptables) feature optional defragmenters for such fragmented packets, and will thus reassemble the packet to check its type before sending it on. Less complex firewalls will not be able to cope with fragmented packets this small and will most likely let the OS reassemble them and send them to the port they were intended to reach. Using this option could crash some less stable software and hardware since packet sizes get pretty small with this option!
12.6 Idle Scanning
See the section on -sI for information about idle scans.
