It is always interesting to me to see what defense can be put up against tools used by attackers/pen testers. I don't believe there are any public exploits against Nmap (Secunia is not aware of any at least) and I doubt I could find a useful one against a basic scan. On the other hand, it is easy to throw chaff in front of the scan results.
Nmapscrewer does just that. It uses pcap to listen to any TCP SYN packet, and sends back a SYN/ACK, except on designated ports where you are running real services. Nmap or any other program will interpret that port as open, and a basic portscan finds every scanned port open. An incoming scan with the -A option to run all the scripts, the default in Zenmap, is entertaining to watch. Instead of a quick scan, every script must be run against every port scanned (1000 by default), and for every script to be run, since the non-open port does not respond to any packet other than a SYN packet, every TCP send must wait until every retransmit times out before dying. The scan gives zero meaningful results and usually takes hours. I've never waited long enough for it to finish.
Of course, this doesn't add any real security, and I know how much the value of a portscan has diminished to a serious attacker, so there's a good chance nmap won't even be run. But it is still entertaining to run nmapscrewer at security conferences or CTF games, and watch faces light up at all the open ports until the frustration of trying to interact with any of them sets in.
TCP checksum code Copyright (C) 2003, James Antognini, antognini@mindspring.com.
Source is here: http://www.scriptjunkie.us/files/nmapscrewer.cpp.txt
Screwing with Nmap
Comments are closed.