Avoiding Detection

As mentioned in Tuning the Scan Speed, it is not uncommon for IDS or IPS devices to monitor your scan traffic. For various reasons, you may be interested in not being caught performing a network scan. One way to avoid detection is to slow the scan to a crawl (see Tuning the Scan Speed) in hopes of evading an IDS or IPS. While this works against many devices, the speeds necessary to avoid detection are so low that a scan can go from taking seconds to taking hours or even days. Nmap provides two alternate techniques you can use to avoid getting caught in the act. Ironically, neither technique prevents the scan from being seen; both instead disguise your source address.

The first approach is to perform what is called an idle scan. With this technique, Nmap never sends a probe to the target from its own address. Instead, it sends SYN packets to the target with the source address spoofed to that of a third host, the zombie, and watches the zombie's IP ID counter to learn how the target answered. If the port is open, the target sends a SYN/ACK to the zombie, which replies with a RST and so consumes one IP ID; if the port is closed, the target sends a RST, which the zombie silently ignores; if the port is filtered, nothing reaches the zombie at all. Nmap samples the zombie's IP ID (by sending it a SYN/ACK and reading the IP ID of the RST it sends back) before and after each spoofed probe: an increase of 2 means the port is open, an increase of 1 means it is closed or filtered (an idle scan cannot tell these two apart). This scan works only if the zombie assigns IP IDs predictably (incrementally) and is not sending much other traffic at the time of the scan, since every packet the zombie sends on its own also advances the counter. (See Operating System Detection to determine whether a host has predictable IP IDs; look for "IP ID Sequence Generation: Incremental" in the output of nmap -O -v.)

To perform an idle scan, use the -sI zombie:port option. The zombie argument needs to be the address of a host with predictable IP IDs, and the port needs to be an open TCP port on that host (if no port is specified, Nmap tries port 80 by default).
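To make the IP ID bookkeeping concrete, here is an added example (not Nmap's code and not from the original text) that models one idle-scan probe. The Zombie class and target_reply function are constructed stand-ins for real hosts so the exchange can be traced offline; the sample -O output lines and the host addresses are likewise constructed. The classification arithmetic is the actual technique, and the example also shows what happens when the zombie is busy sending its own traffic.

```python
"""Model of the idle-scan inference Nmap performs (added example, not Nmap's code).

Zombie and target_reply are constructed stand-ins for real hosts; the
IP ID arithmetic in classify() is the real technique.
"""
import re

# Constructed excerpts of `nmap -O -v <host>` output for three candidate zombies.
SAMPLE_OS_OUTPUT = {
    "10.150.10.253": "IP ID Sequence Generation: Incremental",
    "10.150.10.10": "IP ID Sequence Generation: All zeros",
    "10.150.10.20": "IP ID Sequence Generation: Randomized",
}

# IP ID classes reported by -O that an idle scan can actually use.
USABLE_IPID_CLASSES = {"Incremental", "Broken little-endian incremental"}


def usable_zombie(os_output: str) -> bool:
    """Return True when the IP ID class reported by -O is predictable."""
    m = re.search(r"IP ID Sequence Generation:\s*(.+)", os_output)
    return bool(m) and m.group(1).strip() in USABLE_IPID_CLASSES


class Zombie:
    """Host whose IP ID counter advances by one for every packet it sends."""

    def __init__(self, ipid: int = 1000):
        self.ipid = ipid

    def send(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF   # the IP ID is a 16-bit field and wraps
        return self.ipid

    def probe(self) -> int:
        # The scanner sends an unsolicited SYN/ACK from its REAL address; the zombie
        # answers with a RST whose IP ID reveals the current counter value.
        return self.send()

    def receive(self, flags: str) -> None:
        # An unsolicited SYN/ACK is answered with a RST (one IP ID consumed);
        # a RST is silently ignored and costs nothing.
        if flags == "SA":
            self.send()


def target_reply(port_state: str):
    """What the target sends back to the (spoofed) source of a SYN."""
    return {"open": "SA", "closed": "R", "filtered": None}[port_state]


def classify(ipid_before: int, ipid_after: int) -> str:
    """Turn the two IP ID samples around a spoofed SYN into a port state."""
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown (zombie busy, retry)"


def idle_scan_port(zombie: Zombie, port_state: str, background_packets: int = 0) -> str:
    """One idle-scan probe: sample, spoof a SYN as the zombie, sample again."""
    before = zombie.probe()
    # The SYN carries the zombie's address, so the target answers the zombie, not us.
    reply = target_reply(port_state)
    if reply:
        zombie.receive(reply)
    for _ in range(background_packets):     # other traffic the zombie happens to send
        zombie.send()
    after = zombie.probe()
    return classify(before, after)


if __name__ == "__main__":
    zombies = [ip for ip, out in SAMPLE_OS_OUTPUT.items() if usable_zombie(out)]
    print("usable zombies:", zombies)
    for state in ("open", "closed", "filtered"):
        print(f"{state:9s} -> {idle_scan_port(Zombie(), state)}")
    print("busy zombie -> ", idle_scan_port(Zombie(), "open", background_packets=3))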

Tip

It is a good idea to use -P0 (see Host Discovery) with an idle scan so no packets are seen originating from your host. If you don't use this option, your host will send some initial host discovery packets prior to the spoofed scan, which could be used to trace the scan back to you. In current Nmap releases this option is spelled -Pn; -P0 is still accepted as a synonym. Adding -n is also worthwhile, since otherwise Nmap performs a reverse DNS lookup of the target, and that query is sent from your real address. The only packets that must carry your real address are the IP ID probes sent to the zombie itself.

Here's an example showing an idle scan of my desktop using port 3389 on 10.150.10.253 as a zombie:

bryan@firemaw:~$ sudo nmap -P0 -sI 10.150.10.253:3389 10.150.9.46

Idlescan using zombie 10.150.10.253 (10.150.10.253:3389); Class: Incremental
Interesting ports on 10.150.9.46:
(The 1669 ports scanned but not shown below are in state: closed|filtered)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
3689/tcp open  rendezvous
8080/tcp open  http-proxy

From the perspective of the target (10.150.9.46), all packets from this scan came from 10.150.10.253, even though the host performing the scan has an IP address of 10.150.9.45. Even if an IDS or IPS detected the scan, the host running Nmap would not be associated with the event; the only traffic that carries your real address is the stream of IP ID probes to the zombie, which matters if the zombie itself is monitored.

Another interesting feature of idle scans is that they allow you to view the target host from the perspective of the zombie. Firewall policies often contain exceptions for certain IP addresses (for example, a DNS server may only allow access to TCP port 53 from other DNS server IP addresses). By using one of these "special" hosts as a zombie, you can view open ports that are firewalled for your computer's IP address.

The second feature of Nmap you can use to perhaps avoid detection is to employ decoys in your scan. Nmap allows you to specify any number of decoy addresses from which it fakes additional scans. By using decoys, even though your source IP address might be detected as performing a scan, it is mixed up with fake scans from other IP addresses, which lets you get lost in the noise. Since Nmap duplicates every scan packet for each decoy, using a large number of decoys reduces scan performance. Use the -D decoy1,decoy2,... option to instruct Nmap to use decoys while scanning; you can write ME in the list to control where your real address appears, and RND:n to have Nmap generate n random decoys. Decoys only work with raw-packet scans such as the default SYN scan: a TCP connect scan (-sT) or version detection completes real connections and cannot be spoofed. Choose decoys that are actually up, because SYN/ACKs the target sends to a dead address never get a RST back, and the target may be left holding half-open connections. Here is an example scan using four decoys:

sudo nmap -n -D1.1.1.1,2.2.2.2,3.3.3.3,4.4.4.4 10.150.9.46

From the perspective of the target (10.150.9.46), five port scans were seen, but only one of the scans was legitimate, and more importantly, the target cannot tell from the probes themselves which one was real. One caveat: if an upstream network filters packets with spoofed source addresses, the decoy packets are dropped on the way and only the genuine scan arrives.
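Seen from the target's side, a decoy scan shows up as several sources sending identical probes at the same instant. The following added example (not from the original text) runs that correlation over constructed firewall log lines written in the style of a Linux netfilter LOG entry, modelled on the four-decoy scan above; the timestamps, source port choices and the extra legitimate client 10.150.9.100 are assumptions made for the example.

```python
"""Target-side view of a decoy scan (added example, not from the original page).

The log lines are constructed in the style of a Linux netfilter LOG entry so the
correlation can run offline; the addresses match the decoy scan discussed above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=1.1.1.1 DST=10.150.9.46 PROTO=TCP DPT=21 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=2.2.2.2 DST=10.150.9.46 PROTO=TCP DPT=21 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=10.150.9.45 DST=10.150.9.46 PROTO=TCP DPT=21 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=3.3.3.3 DST=10.150.9.46 PROTO=TCP DPT=21 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=4.4.4.4 DST=10.150.9.46 PROTO=TCP DPT=21 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=2.2.2.2 DST=10.150.9.46 PROTO=TCP DPT=22 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=1.1.1.1 DST=10.150.9.46 PROTO=TCP DPT=22 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=4.4.4.4 DST=10.150.9.46 PROTO=TCP DPT=22 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=10.150.9.45 DST=10.150.9.46 PROTO=TCP DPT=22 SYN
Mar  3 10:12:01 fw kernel: IN=eth0 SRC=3.3.3.3 DST=10.150.9.46 PROTO=TCP DPT=22 SYN
Mar  3 10:12:02 fw kernel: IN=eth0 SRC=10.150.9.100 DST=10.150.9.46 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN"
)


def parse_log(text: str):
    """Extract (timestamp, source, destination port) from each SYN log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["src"], int(m["dpt"])))
    return events


def decoy_clusters(events, min_sources: int = 2):
    """Group sources that first appeared in the same second and probed exactly
    the same ports. A cluster with several members is the signature of a decoy
    scan: Nmap sends every probe once per address, so the port sets and timing
    are identical, and nothing in the probes marks the real sender."""
    ports = defaultdict(set)
    first_seen = {}
    for ts, src, dpt in events:
        ports[src].add(dpt)
        first_seen.setdefault(src, ts)
    by_key = defaultdict(set)
    for src, dports in ports.items():
        by_key[(first_seen[src], frozenset(dports))].add(src)
    return [frozenset(srcs) for srcs in by_key.values() if len(srcs) >= min_sources]


if __name__ == "__main__":
    for cluster in decoy_clusters(parse_log(SAMPLE_LOG)):
        print("decoy scan from", len(cluster), "apparent sources:", sorted(cluster))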