Defending against Nmap service detection scans
If you belong to the blue team of an organization, it is likely you are already running a decoy host in your network. But what about something that slows down attackers? As Nmap is one of the most popular tools for port scanning, it is a good idea to implement something that will hinder the scans.
In this recipe, you will learn how to make Nmap scan indefinitely when a service detection scan is used against a target.
How to do it...
To start a fake HTTP service that sends random data indefinitely on a Linux-based host, use the following Ncat command:
$ncat -l 127.0.0.1 8080 -c "echo 'HTTP/1.1 200 OK\r\n\r\n'; cat /dev/urandom" -k
A new service running on port 8080 will start on your localhost. If an attacker uses Nmap's service detection scan (-sV), the service will prevent Nmap from closing the network socket, and hence the scan will never finish.
How it works...
The previous Ncat command simply listens on the local IP address TCP port 8080 (-l 127.0.0.1 8080) and executes a system command using the -c option. The -k option is also used to enable multiple connections so the socket is not closed after the first client connects. The executed system command is composed of two parts:
- A fake protocol header:
echo 'HTTP/1.1 200 OK\r\n\r\n' - Random data stream:
cat /dev/urandom
The fake application protocol header is used to confuse the scanner making it launch a read operation that will only close once data transmission is complete, which will never happen. Additionally, Nmap prints results only when all hosts are processed, and if one host isn't complete, none of the results from that group are printed, so the attackers won't be able to see the incomplete results report. By using the /dev/urandom pseudo-device, we generate an infinite body message to append to the response and achieve this infinite response condition.
There's more...
Even though it is basic, this technique is pretty effective and does not only work on Nmap. You would be surprised how fragile some vulnerability scanners are, and this is only one method for hindering their results. You should get creative and analyze how the scanner works to identify possible attack vectors. In this recipe, we used an HTTP header to trick the scanner, but other protocols could also be susceptible.
Attacking web crawlers in security scanners
Writing web crawlers and handling the infinite combination of tags and fields in poorly written HTML is difficult. Scanners often include web crawlers to enumerate the attack surface and even detect vulnerabilities. By targeting the web crawler engine in scanners, we may affect the scanning behavior. Common attacks against web crawlers include web servers with link loops, pages with a high number of nested links, and dynamic content generation, among many others. Try these techniques against security scanners to discover interesting defense techniques!