RE: Changing Source Port For Nmap Idle Scan

From: Omar Herrera (oherrera_at_prodigy.net.mx)
Date: 03/29/05

Date: Mon, 28 Mar 2005 21:06:18 -0600
To: pen-test@securityfocus.com


    You can't do that directly; there is no option specific to -sI that will
    allow you to change the source port (at least none that I'm aware of).

    The documentation for -g (--source_port) states that nmap will ignore this
    parameter if it doesn't think it applies to a certain combination of options
    (and this seems to be the case here).

    Yet, you can overcome this more or less easily. Q&D solution to avoid
    messing with nmap's code: put a redirection filter on the machine that
    you are scanning from. You can use iptables and POSTROUTING with Linux, for
    example (since you are only mangling traffic coming from the spoofed address,
    this shouldn't affect other networking capabilities).

    Simply put a rule like this one (assuming you have iptables up and running
    with all required modules):

            iptables -A POSTROUTING -t nat -p tcp -s 192.168.1.101 -j SNAT --to 192.168.1.101:139

    In this example, 192.168.1.101 is the address of the Zombie. So, anything
    you spoof using TCP and this address as source will be changed, so that the
    source port is 139.

    Run nmap with idlescan option like this (target here is 192.168.1.254):
            
            nmap -sI 192.168.1.101 192.168.1.254

    And there you go. Note that if you append the --packet_trace option to nmap
    you will still see that packets are coming from port 80 (nmap sees these
    packets before postrouting processing takes place). To be sure, just put a
    protocol analyzer listening (even on the same machine running the scan) and
    you will see that packets are being mangled properly, and the source port is
    still 139, in this example. This will apply as well when scanning selected
    ports.

    I hope this helps.

    Kind regards,
    Omar Herrera

    > -----Original Message-----
    > From: SecureHacK [mailto:debonaire52@hotmail.com]
    > Sent: Sunday, March 27, 2005 8:51 PM
    > To: pen-test@securityfocus.com
    > Subject: Changing Source Port For Nmap Idle Scan
    >
    >
    >
    > Hello, I have a quick question. I have been experimenting with idle
    > scanning, and I have read the paper on it and have an understanding of
    > what goes on during the process; I am also an avid nmap user. What I am
    > trying to figure out is: is there any way to change the port to use during
    > the idle scan? By default it's port 80, so using the -g option it should
    > change the source port to whatever I want. I have used this option but it
    > still only uses port 80. Is this changeable? For example, find a machine
    > with port 139 open: could we change our source port to 139 and use that?
    >
    > Cheers
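
The procedure above, wrapped into a script, as an added example that is not part of Omar's message. It installs the SNAT rule scoped to the zombie address, runs the idle scan while tcpdump records what actually leaves the interface (the "protocol analyzer" check Omar suggests, since --packet-trace shows the pre-NAT port 80), confirms that every packet claiming to come from the zombie carries the rewritten source port, and removes the rule again. Assumptions: Linux with the iptables nat table, nmap and tcpdump available, run as root; ZOMBIE, TARGET, SPORT and IFACE are placeholders (the addresses are the ones used in the message); the rule spells the SNAT option out as --to-source, which is the option Omar abbreviates as --to. The capture filter also matches on the target as destination so that the zombie's own RST replies to nmap's IP ID probes (which really do come from the zombie's port 80) are not counted as mis-rewritten packets.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumptions: Linux, iptables with
# the nat table, nmap and tcpdump installed, run as root. Addresses, port and
# interface below are placeholders; override them via the environment.
set -u

ZOMBIE="${ZOMBIE:-192.168.1.101}"   # idle-scan zombie (the spoofed source)
TARGET="${TARGET:-192.168.1.254}"   # host being scanned
SPORT="${SPORT:-139}"               # source port the spoofed SYNs should carry
IFACE="${IFACE:-eth0}"              # interface the scan leaves on
CAPTURE="${CAPTURE:-/tmp/idlescan-capture.txt}"

# Print the iptables command that adds (-A) or deletes (-D) the rewrite rule.
# Matching on "-s ZOMBIE" keeps the rule away from the host's own traffic.
snat_rule() {
    printf 'iptables -t nat %s POSTROUTING -p tcp -s %s -j SNAT --to-source %s:%s\n' \
        "$1" "$ZOMBIE" "$ZOMBIE" "$SPORT"
}

# Parse "tcpdump -nn" text output ($1) and count packets whose source address
# is the zombie ($2). Prints "<count with source port $3> <count with another port>".
# A tcpdump -nn line looks like (constructed sample):
#   12:00:00.000001 IP 192.168.1.101.139 > 192.168.1.254.22: Flags [S], ...
count_zombie_packets() {
    awk -v zombie="$2" -v want="$3" '
        {
            src = ""
            for (i = 1; i < NF; i++) if ($i == "IP") { src = $(i + 1); break }
            n = split(src, f, ".")
            if (n != 5) next                                   # not an IPv4 addr.port field
            if ((f[1] "." f[2] "." f[3] "." f[4]) != zombie) next
            if (f[5] == want) ok++; else bad++
        }
        END { printf "%d %d\n", ok + 0, bad + 0 }' "$1"
}

# Succeed only if the capture ($1) holds at least one spoofed packet and none
# of them left with a source port other than SPORT.
verify_capture() {
    set -- $(count_zombie_packets "$1" "$ZOMBIE" "$SPORT")
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

run_idle_scan() {
    eval "$(snat_rule -A)" || return 1
    # Record only the spoofed SYNs (zombie -> target). The zombie's genuine RST
    # replies to nmap's IP ID probes come from the zombie too, but go to our
    # real address, so "dst host TARGET" keeps them out of the count.
    tcpdump -nn -l -i "$IFACE" "tcp and src host $ZOMBIE and dst host $TARGET" \
        > "$CAPTURE" 2>/dev/null &
    tcpdump_pid=$!
    sleep 1
    nmap -sI "$ZOMBIE" "$TARGET"
    sleep 1
    kill "$tcpdump_pid" 2>/dev/null
    wait "$tcpdump_pid" 2>/dev/null
    eval "$(snat_rule -D)"                                     # always remove the rule
    if verify_capture "$CAPTURE"; then
        echo "ok: every spoofed packet left with source port $SPORT"
    else
        echo "mismatch: inspect $CAPTURE" >&2
        return 1
    fi
}

# Only scan when explicitly asked, so the file can also be sourced for its helpers:
#   RUN_IDLE_SCAN=1 ZOMBIE=192.168.1.101 TARGET=192.168.1.254 SPORT=139 ./idlescan-sport.sh
if [ "${RUN_IDLE_SCAN:-0}" = "1" ]; then
    run_idle_scan
fi
```

The nat table is consulted only for the first packet of a connection that conntrack accepts; each spoofed SYN that nmap emits is a brand-new flow from conntrack's point of view, so it is the packet the rule rewrites. If the verification reports a mismatch, `iptables -t nat -L POSTROUTING -n -v` shows whether the rule's packet counter moved at all, which separates "rule never matched" from "rule matched but the port you expected is wrong".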

