Defeating NMAP?

John Blakley · ‎01-14-2009

All,

Is there a way to keep nmap from scanning the network?

What I have is a wireless access point, and I have an acl on the radio that denies access to any of our internal subnets. This works great. I can't ping any of my internal networks from the guest side which is what I want.

BUT, I can use nmap and scan all of my internal subnets and get back names, ip addresses, open ports, etc. Is there a way to avoid this?

Thanks!

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎01-14-2009

John

Do you mean when you use nmap from the same side of the AP that you test ping from ?

If so what traffic are you allowing through on your acl ?

Jon

John Blakley · ‎01-14-2009

Yes. When I'm connected to the guest side (10.20.1.0), I can't ping anything. That's what I want, but I can run nmap and get everything back.

Wireless: 10.20.1.0

LAN: 10.15.2.0

Cannot ping 10.15.2.1 (router)

Cannot ping 10.15.2.5 (switch)

Can ping 10.15.2.50 (dhcp/dns server)

Cannot ping 10.15.2.99 (AS400)

Run nmap and everything shows up.

My acl is applied inbound on the radio, and it looks like:

permit udp any any eq bootps (41 matches)

permit tcp any any established

permit udp 10.20.1.0 0.0.0.255 host 10.15.2.50 eq domain (76 matches)

deny ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255 (281 matches)

deny ip 10.20.1.0 0.0.0.255 192.168.0.0 0.0.255.255

deny ip 10.20.1.0 0.0.0.255 172.16.0.0 0.15.255.255

permit ip 10.20.1.0 0.0.0.255 any (542 matches)

Thanks Jon,

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎01-14-2009

John

Apologies if i'm asking the question you are asking me but do you know which lines nmap is getting through on. I would expect it to be getting through on the "permit tcp any any established" but there are no hits showing there.

What options are you running from nmap - ie. what TCP flags are you setting etc.

Have used nmap before and it was a damn clever tool when i used it and that was a while back.

Bear in mind that nmap often tries to ping the device first but it doesn't seem as that is what you are doing.

Jon

John Blakley · ‎01-14-2009

For this test, I was just using the command line:

nmap -sP 10.15.2.0/24

That tells nmap to ping everything. There's an option in nmap -P0 which tells nmap to not ping, but assume the host is up and start sending SYN packets. I didn't even have to do that.

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎01-14-2009

John

Nmap -sP sends an ICMP probe but also a TCP ACK packet to port 80 so i was wondering if it got through with the "permit tcp any any established" because all the "established" keyword does is look for an ACK in the packet. But there are no hits on that line which is confusing.

Perhaps you could remove that line and retest.

If it still shows everything can you post output of nmap run.

Jon

John Blakley · ‎01-14-2009

Okay, I'll have to set up a test site here in my office because that was at another location today. I'll let you know, but it may be Friday before I can test it.

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***