How to Almost Hide Your Digital Identity While Port Scanning with Nmap

by Bryce Verdier

For people in the know, port scanners are double-edged swords.

While they give system and network administrators the ability to scan for unwanted holes in their firewalls, servers, and computers, they also give malicious Internet users the ability to do the same thing and are usually the first tool a would-be intruder uses to find a way into a network.

One of the most well known port scanners is Nmap.  Nmap runs on Linux, FreeBSD, Mac OS X, Solaris, Windows, and more.  So chances are that, no matter what OS you're running, you can run Nmap on it.

Disclaimer: Just because you're about to learn a new tool today does not mean that you should go straight to work or school and start scanning every computer in sight.  This is a really good way to make the network administrators very angry.  So be courteous; if you do not own the computer you're about to scan, get permission.  And this is for educational purposes only, obviously.

I am quite sure that some of the people reading this article are more adept with this tool than I am.  (If you're not, then I would recommend you spend some time with it before continuing with this article... or not.)  For those who don't know, Nmap has the ability to change its scanning IP, and do the same trick with a group of IPs, or decoys, as the manual calls them.  So for everyone who lives by their firewall logs, you might want to start keeping a closer look at your logs concerning port scans, because that IP that is scanning you is probably not the IP that you think it is.

From the manual, there are two arguments that I will go into in more depth: -S and -D

The manual describes -S as: -S <IP_Address>: Spoof source address.

And -D is described as: -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys.  (Notice there is no space after the comma between decoy1 and decoy2.)

If you do use ME, you will put in your computer's IP address as part of the cycle of decoys.  I do not know if you would want to do this, but maybe you do.  Anyway, let's see some of these configurations in action:

$ sudo nmap -e eth0 -P0 -S 12.24.36.48 -A -T4 192.168.1.27
Starting Nmap 4.62 ( http://nmap.org ) at 2009-01-15 00:13 PST
Warning: OS detection for 192.168.1.27 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on mythbox (192.168.1.27) are filtered
MAC Address: 00:14:BF:5B:2D:5C (Cisco-Linksys)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap finished: 1 IP address (1 host up) scanned in 36.634 seconds

This is just to show you what I typed at the command prompt, so you can see how to use the -S argument and what to expect as possible results.

As I said above, -S is to spoof the IP address of the hosting machine, which I have set to spoof as 12.24.36.48.

However, I have a couple more arguments thrown in for good measure.  First, -e tells Nmap which network interface to use.  Generally, Nmap knows which interface to use, but I've decided to use it here to be explicit.

The next extra argument is -P0.  This is to tell Nmap not to ping the host, as Nmap likes to ping before scanning to make sure the host is online.

Now that we've gone over the boring stuff, let's look at some firewall logs.

Jan 15 00:13:01 mythbox IN=eth0 OUT=MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=12.24.36.48 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=40 ID=63097 PROTO=TCP SPT=43468 DPT=1383 WINDOW=1024 RES=0x00 SYN URGP=0

Jan 15 00:13:01 mythbox IN=eth0 OUT=MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=12.24.36.48 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=47 ID=56142 PROTO=TCP SPT=43469 DPT=722 WINDOW=4096 RES=0x00 SYN URGP=0

This output shows what the command above produces in my iptables firewall log.

If you look at each line of the log above you'll see SRC=12.24.36.48, which is exactly the IP we set on the command line.  We know this works with a single IP address, but what about multiple IP addresses?

$ sudo nmap -e eth0 -P0 -D 12.24.36.48,3.6.9.12,5.25.125.250 -A -T4 192.168.1.27
Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-15 00:33 PST
Warning: OS detection for 192.168.1.27 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on mythbox (192.168.1.27):
Not shown: 1693 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.15
631/tcp open ipp CUPS 1.2
6543/tcp open mythtv?
6544/tcp open mythtv?
MAC Address: 00:14:BF:5B:2D:5C (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 0.031 days (since Wed Jun 13 20:11:22 2007)
Network Distance: 1 hop

Nmap finished: 1 IP address (1 host up) scanned in 138.657 seconds

Just like the first command, we start by telling Nmap which network card to use and, instead of specifying just one IP address, we specify three: 12.24.36.48, 3.6.9.12, and 5.25.125.250.

Now let's take a quick look at our iptables log and see what happens:

Jan 15 00:33:54 mythbox IN=eth0 OUT=MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=12.24.36.48 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=43 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=4096 RES=0x00 SYN URGP=0

Jan 15 00:33:54 mythbox IN=eth0 OUT=MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=3.6.9.12 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=3072 RES=0x00 SYN URGP=0

Jan 15 00:33:54 mythbox IN=eth0 OUT=MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=5.25.125.250 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=3072 RES=0x00 SYN URGP=0

Well, well, well...

Just like the manual said, the firewall logs show that access was attempted from the addresses we specified above, in the exact order that we entered them.  You can confirm this for yourself by looking at the log messages and noticing what SRC equals on each line.

So let's recap what we have (hopefully) learned today.  We learned how to change our IP address while scanning, and that you can use a list of IP addresses to pretend to be other hosts while scanning.

So you might be wondering at this point why I say we almost hid our identity.  Well, if you have been paying attention to the firewall logs you might have noticed that the attacking MAC address has stayed the same.  Of course, this can be changed as well, but that is another article for another time.
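For the people who live by their firewall logs, here is an added example (not from the article) of a small Python script that reads iptables LOG lines in the format shown above and flags the two tells visible in them: several SRC values sharing one timestamp, source port, destination port and IP ID (a decoy set), and a single sender MAC address claiming many source IPs. The sample lines are constructed from the article's examples plus one ordinary connection.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format shown in the article
# (addresses and timestamps are illustrative, not captured traffic).
SAMPLE_LOG = """\
Jan 15 00:33:54 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=12.24.36.48 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=43 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=4096 RES=0x00 SYN URGP=0
Jan 15 00:33:54 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=3.6.9.12 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=3072 RES=0x00 SYN URGP=0
Jan 15 00:33:54 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=5.25.125.250 DST=192.168.1.27 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=3072 RES=0x00 SYN URGP=0
Jan 15 00:40:02 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4:78:18:c6:08:00 SRC=192.168.1.5 DST=192.168.1.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<kv>.*)$")

def parse_line(line):
    """Turn one LOG line into a dict of its KEY=VALUE fields plus the timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec

def src_mac(rec):
    # MAC= is dst_mac(6) + src_mac(6) + ethertype(2); the sender is bytes 7..12.
    parts = rec.get("MAC", "").split(":")
    return ":".join(parts[6:12]) if len(parts) >= 14 else None

def find_decoy_groups(log_text):
    """Group SYNs by (timestamp, SPT, DPT, IP ID).  More than one SRC in a
    group is one sender cloaked as several, which is what -D produces."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and " SYN " in line:
            key = (rec["ts"], rec.get("SPT"), rec.get("DPT"), rec.get("ID"))
            groups[key].add(rec["SRC"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def sources_per_mac(log_text):
    """Map each sender MAC to every SRC it claimed: one hardware address
    behind many IPs is the giveaway the article points out."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and src_mac(rec):
            seen[src_mac(rec)].add(rec["SRC"])
    return {mac: sorted(v) for mac, v in seen.items()}
```

Both checks only work on the local segment, where the MAC field is the sender's own; across a router it is the router's address, so the IP ID and port correlation is the more portable signal.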
