A while back during a pentest my buddy Steve came up with a cool idea for doing Nmap scans while a client is expected to be observing logs (thus possibly leading to us getting blocked by IP).
Take a few IPs from the DShield list (or any major blacklist, really) and use them as input to Nmap’s “decoy scan” feature. This feature allows you to provide additional addresses using the
-D switch, and makes it look to the defender like those other addresses are scanning them as well.
What happens in a high percentage of cases is that once an analyst does a few lookups and sees that the source IPs are on a major blacklist, they write off any additional port scans that may be going on at that moment as noise. ::
[ Hat tip to Steve C. for the idea. ]