Security Tip: Avoid Detection with nmap Port Scan Decoys

You can use nmap's decoy feature to test how your IDS or IPS devices monitor scan traffic. The feature is meant to help a scan avoid detection, since you may not want to get caught performing a network scan. For example, using the following technique you can test your own IDS / IPS / network security from a remote location or from home.

nmap Decoy option – Cloak a scan with decoys

nmap has a -D option, called a decoy scan. With the -D option, it appears to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.

You can separate each decoy host with commas, and you can optionally use ME as one of the decoys to represent the position for your real IP address. If you put ME in the 6th position or later, some common port scan detectors (such as Solar Designer’s excellent scanlogd) are unlikely to show your IP address at all. If you don’t use ME, nmap will put you in a random position. Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network. You might want to use IP addresses instead of names (so the decoy networks don’t see you in their nameserver logs).

WARNING! These penetration testing (security testing) examples may be considered Unauthorized Access or Illegal Behavior. Use the examples at your own RISK and/or to secure your own network host / IPS / IDS.

Use the following syntax:
# nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
# nmap -n -D192.168.1.5,,,

The host (or network IDS / IPS) will see 4 port scans, and the remote host / IDS has no way of telling which one was real. Decoys are used both in the initial ping scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (-O). Decoys do not work with version detection or TCP connect scan. It is worth noting that using too many decoys may slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, but many do not restrict spoofed IP packets at all.
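Seen from the monitoring side, the several "scans" described above arrive in lockstep against the same target and ports, so an IDS operator can correlate them into one event instead of treating them as separate scanners. The following Python code is an added example, not code from the original article or from nmap; the record format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of IDS probe records: (epoch seconds, source, target, dst port).
# All addresses are documentation ranges; none come from the article.
PORTS = [22, 80, 443, 8080]
BURST = ["198.51.100.7", "198.51.100.23", "203.0.113.5", "203.0.113.77", "203.0.113.140"]
SAMPLE_PROBES = [(1000 + i, s, "192.0.2.10", p) for i, p in enumerate(PORTS) for s in BURST]
SAMPLE_PROBES += [(5000 + i, "198.51.100.99", "192.0.2.10", p) for i, p in enumerate([21, 25, 110])]
SAMPLE_PROBES += [(1001, "203.0.113.200", "192.0.2.10", 443)]  # ordinary single-port client


def jaccard(a, b):
    """Overlap of two port sets, 0.0 to 1.0."""
    return len(a & b) / len(a | b)


def correlate_scans(probes, window=10, min_ports=3, min_overlap=0.8):
    """Merge near-simultaneous, near-identical scans of one target into one event."""
    seen = defaultdict(lambda: {"ports": set(), "first": None})
    for ts, src, dst, port in sorted(probes):
        rec = seen[(dst, src)]
        rec["ports"].add(port)
        if rec["first"] is None:
            rec["first"] = ts
    by_target = defaultdict(list)
    for (dst, src), rec in seen.items():
        if len(rec["ports"]) >= min_ports:  # only sources that look like scanners
            by_target[dst].append((rec["first"], src, rec["ports"]))
    events = []
    for dst, scanners in by_target.items():
        cluster = []
        for first, src, ports in sorted(scanners, key=lambda s: s[:2]) + [(None, None, None)]:
            closes = src is None or (cluster and (
                first - cluster[0][0] > window or jaccard(ports, cluster[0][2]) < min_overlap))
            if cluster and closes:
                if len(cluster) >= 2:  # several "scanners" in lockstep: one event
                    events.append({"target": dst,
                                   "sources": sorted(s for _, s, _ in cluster),
                                   "ports": sorted(cluster[0][2])})
                cluster = []
            if src is not None:
                cluster.append((first, src, ports))
    return events


if __name__ == "__main__":
    for ev in correlate_scans(SAMPLE_PROBES):
        print(f"{ev['target']}: one scan event, {len(ev['sources'])} candidate sources "
              f"(any may be spoofed): {', '.join(ev['sources'])}")
```

The event lists every source as a candidate only; the log data alone does not show which address actually sent the packets, so automatically blocking all of them would also cut off the spoofed hosts.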

nmap idle scan technique to hide your IP

The following example uses an idle scan technique. It uses port 1234 on IP as a zombie to scan host –
# nmap -P0 -sI

This technique only hides your source address; the remote IPS / IDS still records and logs the scan. Please refer to the nmap man page for more information:
man nmap

{ 4 comments… add one }
  • Sir Henry January 9, 2008, 2:46 am

    When I first found out about the decoy option in nmap, I, too, thought it would be a good way to obfuscate my scans. Unfortunately, the simple way to be defeated in the process of hiding your IP during the scan is to use etherape. You should try this out with the visual network map. It points directly to the device that is sending the most traffic. Now, if you could make the nmap scan distributed amongst the decoys, that would be impressive.

  • farhang February 10, 2009, 7:24 am

    dear sir
    please learn me perfect hide ip from software or network.
    thanks a lot for attention

  • JD June 8, 2011, 10:14 pm

    Just worth noting that decoy scans (-D) do work with version detection (-sV).

  • robinson March 18, 2015, 9:24 am

    hi sir, is it possible to infiltrate membership area of premium movie sites without revealing your ip or being traced.
