I think it’s fair to say that I’ve blogged quite extensively on the different types of Nmap scans, and for the sake of mixing things up, I want to hop over the fence and look at detecting Nmap scans.
A little while ago I conducted a Nessus scan and viewed the process through Wireshark. I noted at the time:
Well, as soon as I started the scan Wireshark went into overdrive and in a little over 3 minutes registered over 17,000 packets, which is a HUGE amount compared with normal.
Coupled with this was the fact that the string “Nessus” appeared throughout; some 83 times.
It’s fair to say the Nessus scan lit up like a firework on Wireshark.
I noted that I looked forward to trying the same experiment whilst conducting an Nmap scan, which I did today, and will say that Nmap is a very different beast to detect indeed.
In fact, to my untrained eye, except for the fact that Wireshark noted many more packets than usual, there was no obvious giveaway that it was due to an Nmap scan.
And so I have decided to delve into Chapter 31 of Wireshark Network Analysis, entitled “Detect Scanning and Discovery processes”. Here’s a snippet:
Just as the criminal may investigate the workings of a bank before robbing it, malicious programs and processes may investigate open ports and working hosts before attempting an exploit. Identifying these discovery and reconnaissance processes in a timely manner may thwart the eventual attack.
Understanding the purpose of these discovery methods will help you realise what the attacker is looking for and what options are available to block the traffic.
Nmap is one of the most popular tools used to discover network devices and services. In this chapter we provide some details on how to run and identify various Nmap discovery processes.
In the book Nmap Network Scanning, the following is written under the section “Detect Nmap Scans”:
Special purpose port scan detectors are a more effective approach to detecting Nmap activity. Two common examples are PortSentry and Scanlogd.
[....]
…these port scan detection tools work pretty well. Yet the type of administrator who cares enough to keep tabs on port scans will also want to know about more serious attacks such as exploit attempts and installed backdoors. For this reason, intrusion detection systems that alert on a wide range of suspicious behaviour are more popular than these special-purpose tools.
Many vendors now sell intrusion detection systems, but Nmap users gravitate to an open-source lightweight IDS named Snort. It ranked as the third most popular security tool among a survey of 3,243 Nmap users (it’s currently rated as 5th most popular). Like Nmap, Snort is improved by a global community of developers. It supports more than two thousand rules for detecting all sorts of suspicious activity, including port scans.
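As an added example (not code from this post or from either book), here is the kind of volume-based heuristic the special-purpose port scan detectors above rely on, and the only giveaway I saw in Wireshark for Nmap: one source sending bare SYNs to many distinct ports on one host in a short window. It runs over a constructed capture summary; the field layout, addresses and thresholds are assumptions.

```python
# Added example: minimal SYN-scan detector using a distinct-port-count heuristic.
# Input is a constructed tshark-style summary: "<time> <src> <dst> <dport> <tcp-flags>".
from collections import defaultdict

# Constructed sample (assumed addresses): 10.0.0.5 probes 11 ports on 10.0.0.20
# within a tenth of a second; 10.0.0.7 behaves like a normal client.
SAMPLE_CAPTURE = """\
0.000 10.0.0.5 10.0.0.20 21 S
0.010 10.0.0.5 10.0.0.20 22 S
0.020 10.0.0.5 10.0.0.20 23 S
0.030 10.0.0.5 10.0.0.20 25 S
0.040 10.0.0.5 10.0.0.20 53 S
0.050 10.0.0.5 10.0.0.20 80 S
0.060 10.0.0.5 10.0.0.20 110 S
0.070 10.0.0.5 10.0.0.20 139 S
0.080 10.0.0.5 10.0.0.20 443 S
0.090 10.0.0.5 10.0.0.20 445 S
0.100 10.0.0.5 10.0.0.20 3389 S
0.200 10.0.0.7 10.0.0.20 443 S
0.400 10.0.0.7 10.0.0.21 22 S
"""

def parse_capture(text):
    """Yield (time, src, dst, dport, flags) tuples from the summary lines."""
    for line in text.splitlines():
        t, src, dst, dport, flags = line.split()
        yield float(t), src, dst, int(dport), flags

def detect_syn_scans(text, window=5.0, threshold=10):
    """Return {(src, dst): distinct_ports} for each pair where one source sent
    bare SYNs to at least `threshold` distinct ports within `window` seconds."""
    syns = defaultdict(list)
    for t, src, dst, dport, flags in parse_capture(text):
        if flags == "S":  # bare SYN, i.e. a fresh connection attempt
            syns[(src, dst)].append((t, dport))
    alerts = {}
    for pair, events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports probed in the window that opens at this SYN
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[pair] = len(ports)
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_syn_scans(SAMPLE_CAPTURE).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

The thresholds are deliberately simple; a real deployment tunes them per network, and a slow scan spread over a longer window than the one configured will slip past this check.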
In short, my plan is to work through the techniques for detecting Nmap scans within Wireshark and then go on to check out Snort for myself.
I hope that in doing this I will add to my rather limited knowledge of packets, Wireshark, and even Nmap.