Using decoys, and more than decoys, when scanning networks with Nmap

In the previous tutorial, we discussed evading Windows 7 firewall rules. Today, let us discuss another great capability of Nmap: decoys. Nmap decoys can be used to lessen the chances of a scan being traced back to its source. Decoys are fake IP addresses that appear to be scanning the network, which makes it harder for security administrators to find the real culprit. So today let us see how we can scan a target using decoys in Nmap. For this tutorial we will use Windows 7 as the target operating system, and we will run Snort on it to detect network packets. Snort is a common open source IDS implementation.
We just performed a service scan with Nmap against port 21 of the target, using two decoys, 192.134.122.133 and 192.134.55.66. We can see that the port is open, but let us look at the traffic this generated on the target side.
As we can clearly see, the decoys appear to be scanning the target, but our original IP address is listed there as well. So this lessens the chances of getting caught, but it is not a complete evasion. An important thing to mention here is that in a service discovery scan, Nmap fetches the banner of the target port from the original IP address, which makes the real source easier to spot. Therefore, let us look at another approach, using Nmap decoys together with IP spoofing, and analyze the results.
Let us now check the Snort logs on the target and see whether the original IP address is listed there.
Bang! There is no listing of our original IP address there, so the scan stays out of the logs completely. Decoys therefore lessen the chances of being caught, and do so even better when used in conjunction with IP spoofing. This tutorial is recommended for use in a LAN environment or on an onsite testing project.
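
The point made above, that a service scan fetches the banner from the original IP address, is what a defender can key on. The following is an added example, not part of the original tutorial: it groups near-simultaneous SYNs to one port and reports which source in the group went on to complete a TCP handshake. The packet records, the 10.0.0.x addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of client-to-target TCP packets as an IDS or capture
# might export them: (seconds, src_ip, dst_ip, dst_port, tcp_flags).
# 10.0.0.5, 10.0.0.20 and 10.0.0.77 are hypothetical; the other two
# sources are the decoy addresses used in the tutorial.
PACKETS = [
    (0.001, "192.134.122.133", "10.0.0.20", 21, "S"),
    (0.001, "10.0.0.5", "10.0.0.20", 21, "S"),
    (0.002, "192.134.55.66", "10.0.0.20", 21, "S"),
    (0.003, "10.0.0.5", "10.0.0.20", 21, "R"),    # half-open probe torn down
    (0.310, "10.0.0.5", "10.0.0.20", 21, "S"),    # service probe connects
    (0.311, "10.0.0.5", "10.0.0.20", 21, "A"),    # handshake completed
    (0.950, "10.0.0.5", "10.0.0.20", 21, "FA"),   # closes after the banner
    (45.00, "10.0.0.77", "10.0.0.20", 21, "S"),   # unrelated later client
]

WINDOW = 1.0      # seconds: SYNs this close to the first one form a burst
MIN_SOURCES = 3   # distinct sources in a burst before it looks decoy-like


def find_decoy_bursts(packets, window=WINDOW, min_sources=MIN_SOURCES):
    """Return [(dst, port, burst_sources, sources_that_completed_handshake)]."""
    syns = defaultdict(list)       # (dst, port) -> [(time, src)]
    completed = defaultdict(set)   # (dst, port) -> sources that sent an ACK
    for ts, src, dst, port, flags in sorted(packets):
        if flags == "S":
            syns[(dst, port)].append((ts, src))
        elif "A" in flags and "R" not in flags:
            # A non-reset ACK means this source really received the SYN/ACK;
            # packets forged with a decoy address are not followed by one.
            completed[(dst, port)].add(src)

    findings = []
    for (dst, port), events in syns.items():
        start = events[0][0]
        burst = {src for ts, src in events if ts - start <= window}
        if len(burst) >= min_sources:
            real = sorted(burst & completed[(dst, port)])
            findings.append((dst, port, sorted(burst), real))
    return findings


if __name__ == "__main__":
    for dst, port, burst, real in find_decoy_bursts(PACKETS):
        print(f"{dst}:{port} probed by {burst}; completed handshake: {real}")
```

An empty last field means no source in the burst completed a handshake, so the burst alone does not identify the scanner.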





1 comment:

  1. What if you use your real IP address as the IP in the middle, making it 3 decoys?
