Friday, January 4, 2013

disadvantage of "-sI" option for nmap

Recently I have been quite obsessed with nmap. It has a very interesting option, "-sI", which takes advantage of a zombie machine to accomplish a stealthy scan. But the truth is not what the documentation says.

From the official guide, we are told that it won't be problematic to find a zombie machine, but what is the truth? I have done several tests myself, and I found that it is really hard to do.

1. It is really hard to find a totally isolated host that receives nothing but bare IP-level packets. Nowadays all servers are equipped with load balancers, proxies, reverse proxies, etc. Those applications generate TCP/ICMP/IGMP packets to determine whether a host is alive. So even if there are no effective requests at all from clients, we cannot guarantee that no other IP packets are disturbing us.

2. The zombie host must have port 80 or 443 open. Continuing with the prior problem, a lot of web applications use arbitrary ports instead of the well-known ports 80 and 443; they choose customized ports like 1443 or 8080, but nmap could not use those ports to perform the IP ID incremental scanning.

3. No one really uses or logs on to that host via SSH or does any development on it. As we all know, the most vulnerable hosts are dev hosts, and those hosts always welcome everyone, so in this case they do not fit: there will be a lot of traffic from SVN, SSH and other testing requests from developers.

Taken together, those 3 points make zombie-host-based scanning impractical for a real-world scan.

I have set up a lab myself, which should be a much quieter environment than the real world, but the results were always different. Here is my lab environment:

zombie: 192.168.1.100, an http server
target: 192.168.1.101, ports 22, 80 and 8080 are open

I scanned three times, but I got three different results:

First:

PORT     STATE           SERVICE
22/tcp   closed|filtered ssh
80/tcp   closed|filtered http
8080/tcp open            http-proxy

Second:

PORT     STATE           SERVICE
22/tcp   open            ssh
80/tcp   open            http
8080/tcp open            http-proxy

Third:

PORT     STATE           SERVICE
22/tcp   open            ssh
80/tcp   open            http
8080/tcp closed|filtered http-proxy

But do not be scared, you are still able to find a zombie host; just keep in mind that the zombie host must not process any IP or higher-level requests at all, otherwise the IP ID increments will make no sense any more.
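To make the IP ID arithmetic concrete, here is a small Python model of the inference behind -sI. It is an added example for this post, not nmap's code, and it is deliberately simplified (nmap also classifies the zombie's IP ID sequence and retries inconsistent probes); the `Zombie` class, the `noise_packets` parameter and the IP ID values are constructed. It shows why a single unrelated packet from the zombie turns a closed port into a false "open" and pushes open ports into "unknown".

```python
# Constructed, simplified model of idle-scan IP ID inference; not nmap's code.

def infer_state(ipid_before, ipid_after):
    """Idle scan inference: our own probe to the zombie costs one IP ID
    increment; an open target port makes the target SYN/ACK the zombie,
    whose RST burns a second increment. Anything else is unexplained."""
    delta = (ipid_after - ipid_before) % 65536   # IP ID is a 16-bit counter
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown"   # zombie talked to someone else in the window


class Zombie:
    """Host whose IP ID is one global counter, incremented per packet sent."""

    def __init__(self, start=4096):
        self.ipid = start

    def send(self):
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid


def idle_probe(zombie, target_port_open, noise_packets=0):
    """One port check. noise_packets models unrelated traffic the zombie
    emits during the probe window (health checks, SSH, SVN, ...)."""
    before = zombie.send()            # RST to our first probe
    for _ in range(noise_packets):    # zombie talking to someone else
        zombie.send()
    if target_port_open:
        zombie.send()                 # RST to the target's SYN/ACK
    after = zombie.send()             # RST to our second probe
    return infer_state(before, after)


def scan(truth, noise_per_probe):
    """truth: {port: is_open}; noise_per_probe: one noise count per port.
    Returns {port: verdict} as the scanner would report it."""
    zombie = Zombie()
    return {port: idle_probe(zombie, is_open, noise)
            for (port, is_open), noise in zip(truth.items(), noise_per_probe)}


if __name__ == "__main__":
    lab = {22: True, 80: True, 8080: True}       # the post's lab target
    print("quiet zombie:", scan(lab, [0, 0, 0]))  # all three reported open
    print("noisy zombie:", scan(lab, [1, 0, 2]))  # 22 and 8080 undecidable
    print("closed port, one stray packet:", scan({80: False}, [1]))  # 'open'
```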

"The quieter you become, the more you are able to hear"
