
Thread: Port scan detection avoidance

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    35

    Port scan detection avoidance

    Been evaluating a few IDS devices (not that impressed, to tell the truth!) and by accident found a common issue with the ones I am looking at.

    They all detect nmap scans and Nessus scans and flag them up. I changed the nmap-services file to a custom file I use with a very specific set of ports, and none of the IDS devices flagged up a scan for nmap.

    I have spoken to the vendors; the general response is that they identify the scans by known fingerprints from applications, i.e. the way nmap sequences the ports. The other thing they look for is connections to lots of ports from 1 IP over a set amount of time.

    Question is, is there a proxy tool for BT to randomize the proxy address and allow more than just port 80 etc., and a way to randomize the Nessus scan?

    My view on the IDS/IPS is it's not worth the investment and does not replace a correctly configured firewall and system. Any thoughts on the usefulness of IPS?
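    A threshold detector of the kind the vendors in this post describe (many distinct ports from one source inside a time window), as an added example that is not code from this thread; the connection records are constructed, and the second run shows why a fixed short window misses a scan spread out over hours.

    ```python
    # Added example: sliding-window "many ports from one source" detector.
    # Connection records below are constructed for illustration only.
    from collections import defaultdict, deque

    # Constructed sample log: (timestamp_seconds, src_ip, dst_port)
    SAMPLE_CONNECTIONS = [
        # fast scan from 10.0.0.5: 12 distinct ports within 3 seconds
        *[(1000.0 + i * 0.25, "10.0.0.5", 20 + i) for i in range(12)],
        # ordinary client 10.0.0.7: two service ports over a minute
        (1001.0, "10.0.0.7", 80), (1005.0, "10.0.0.7", 443), (1040.0, "10.0.0.7", 80),
        # slow scan from 10.0.0.9: one port every 5 minutes
        *[(2000.0 + i * 300.0, "10.0.0.9", 1000 + i) for i in range(12)],
    ]

    def detect_port_scans(connections, window_seconds=60.0, port_threshold=10):
        """Return {src_ip: first_alert_timestamp} for every source that
        contacted at least `port_threshold` distinct destination ports within
        any sliding window of `window_seconds`. Records are sorted by time
        first so the window logic works on unordered input."""
        recent = defaultdict(deque)   # src_ip -> (ts, port) entries still in window
        alerts = {}
        for ts, src, port in sorted(connections):
            q = recent[src]
            q.append((ts, port))
            while q and ts - q[0][0] > window_seconds:   # expire entries older than window
                q.popleft()
            distinct_ports = {p for _, p in q}
            if len(distinct_ports) >= port_threshold and src not in alerts:
                alerts[src] = ts
        return alerts

    if __name__ == "__main__":
        # 60 s window: only the fast scanner trips the threshold
        print(detect_port_scans(SAMPLE_CONNECTIONS))
        # 1 h window: the slow scanner is caught too, at the cost of more state
        print(detect_port_scans(SAMPLE_CONNECTIONS, window_seconds=3600.0))
    ```

    Widening the window is the obvious counter to slow scans, but it grows per-source state and raises the false-positive rate for busy legitimate clients, which is the trade-off the vendors are making.
    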

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by o0hex0o
    Question is, is there a proxy tool for BT to randomize the proxy address and allow more than just port 80 etc., and a way to randomize the Nessus scan?

    My view on the IDS/IPS is it's not worth the investment and does not replace a correctly configured firewall and system. Any thoughts on the usefulness of IPS?
    Start reading if you think that's as good as it gets.
    You can do lots of things with nmap to help hide where you are coming from.
    I am not going to tell you but if you look at the nmap man page it will tell you.
    Course even then it might not work.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Both nmap and Nessus have lots of built-in IDS/IPS avoidance options, including random source ports, FTP or DNS sourcing and bouncing, fragmenting packets, timing options, etc.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315

    A timing option of -T0 helps a lot against many IDSes, but takes ages.

    As thorin said, there's many options in both nmap and nessus. In fact so many
    that eh, it would take a few days to explain them all I guess (in depth xD).

    Even I don't know that much about IDS evasion since I haven't had the need to do it, yet.
    But I look forward to the day that I'm actually going to need it! :-D
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
