
| Subject: | RE: Changing Source Port For Nmap Idle Scan |
|---|---|
| Date: | Mon, 28 Mar 2005 21:06:18 -0600 |
You can't do that directly; there is no option specific to -sI that will allow you to change the source port (at least none that I'm aware of). The documentation for -g (--source_port) states that nmap will ignore this parameter if it doesn't think it applies to a certain combination of options (and this seems to be the case here).

Yet, you can overcome this more or less easily. Q&D solution to avoid messing with nmap's code: put a redirection filter on the machine that you are scanning from. You can use iptables and POSTROUTING with Linux, for example (since you are only mangling traffic coming from the spoofed address, this shouldn't affect other networking capabilities).

Simply put a rule like this one (assuming you have iptables up and running with all required modules):

```
iptables -A POSTROUTING -t nat -p tcp -s 192.168.1.101 -j SNAT --to 192.168.1.101:139
```

In this example, 192.168.1.101 is the address of the Zombie. So, anything you spoof using TCP and this address as source will be changed, so that the source port is 139.

Run nmap with the idlescan option like this (target here is 192.168.1.254):

```
nmap -sI 192.168.1.101 192.168.1.254
```

And there you go. Note that if you append the --packet_trace option to nmap you will still see that packets are coming from port 80 (nmap sees these packets before postrouting processing takes place). To be sure, just put a protocol analyzer listening (even on the same machine running the scan) and you will see that packets are being mangled properly, and the source port is 139, in this example. This will apply as well when scanning selected ports.

I hope this helps.

Kind regards,

Omar Herrera
-----Original Message-----
From: SecureHacK [mailto:debonaire52@hotmail.com]
Sent: Sunday, March 27, 2005 8:51 PM
To: pen-test@securityfocus.com
Subject: Changing Source Port For Nmap Idle Scan

Hello,

I have a quick question. I have been experimenting with idle scanning, and I have read the paper on it and have an understanding of what goes on during the process. I am also an avid nmap user. What I am trying to figure out is: is there any way to change the port to use during the idle scan? By default it's port 80, so using the -g option it should change the source port to whatever I want. I have used this option but it still only uses port 80. Is this changeable? For example, find a machine with port 139 open; could we change our source port to 139 and use that?

Cheers