The Nmap / DShield Trick

December 15, 2008

A while back during a pentest my buddy Steve came up with a cool idea for doing Nmap scans while a client is expected to be observing logs (which could otherwise lead to us getting blocked by IP).


Take a few IPs from the DShield list (or any major blacklist, really) and use them as input to Nmap's "decoy scan" feature. The -D switch lets you supply additional source addresses, and to the defender it looks as though those other addresses are scanning them as well.

What happens in a high percentage of cases is that once an analyst does a few lookups and sees that the source IPs are on a major blacklist, they write off any additional port scans that may be going on at that moment as noise.
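From the defender's side, the giveaway is that a decoy scan puts the real scanner and every decoy in the same cluster: several sources probe the same ports on the same host within seconds of each other. The following Python check is an added example, not code from the original post; the firewall log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the original post). Three sources probe the
# same ports on one host within seconds of each other, which is how a decoy scan looks
# from the target's side; a fourth, unrelated source touches a single port later.
SAMPLE_LOG = """\
2008-12-15T10:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dport=22
2008-12-15T10:00:01 DROP src=203.0.113.40 dst=192.0.2.10 dport=22
2008-12-15T10:00:01 DROP src=203.0.113.41 dst=192.0.2.10 dport=22
2008-12-15T10:00:02 DROP src=198.51.100.7 dst=192.0.2.10 dport=80
2008-12-15T10:00:02 DROP src=203.0.113.40 dst=192.0.2.10 dport=80
2008-12-15T10:00:02 DROP src=203.0.113.41 dst=192.0.2.10 dport=80
2008-12-15T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 dport=443
2008-12-15T10:00:03 DROP src=203.0.113.40 dst=192.0.2.10 dport=443
2008-12-15T10:00:03 DROP src=203.0.113.41 dst=192.0.2.10 dport=443
2008-12-15T10:30:00 DROP src=192.0.2.200 dst=192.0.2.10 dport=3389
"""

LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples from the constructed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def correlated_scanners(log_text, window_seconds=60, min_shared_ports=3, min_sources=2):
    """Return {dst: sorted sources} for sources that probed the same ports on the same
    host within one time window. A decoy scan puts the real scanner and every decoy in
    this cluster together, so no member should be dismissed just for being blacklisted."""
    per_dst = defaultdict(lambda: defaultdict(set))  # dst -> src -> {(window, port)}
    for ts, src, dst, port in parse(log_text):
        per_dst[dst][src].add((int(ts.timestamp()) // window_seconds, port))
    result = {}
    for dst, by_src in per_dst.items():
        hits = defaultdict(set)  # (window, port) -> sources that sent that probe
        for src, probes in by_src.items():
            for probe in probes:
                hits[probe].add(src)
        # A probe is "shared" when enough distinct sources sent it in the same window.
        shared = {p for p, srcs in hits.items() if len(srcs) >= min_sources}
        cluster = sorted(src for src, probes in by_src.items()
                         if len(probes & shared) >= min_shared_ports)
        if len(cluster) >= min_sources:
            result[dst] = cluster
    return result
```

Running `correlated_scanners(SAMPLE_LOG)` groups the three lockstep sources for 192.0.2.10 and leaves the lone 3389 probe out; the real scanner is somewhere in that group, whichever of its members show up on DShield.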

[ Hat tip to Steve C. for the idea. ]

Links

- Nmap (nmap.org)
- My Nmap Tutorial (danielmiessler.com)
