A while back during a pentest my buddy Steve came up with a cool idea for
doing
Nmap
scans while a client is expected to be observing logs (thus possibly leading
to us getting blocked by IP).
Take a few IPs from the DShield list (or any major blacklist, really) and
use them as input to Nmap’s “decoy scan” feature.
This feature allows you to provide additional addresses using the -D switch,
and makes it look to the defender like those other addresses are scanning
them as well.
What happens in a high percentage of cases is that once an analyst does a
few lookups and sees that the source IPs are on a major blacklist, they
write off any additional port scans that may be going on at that moment as
noise. ::
[ Hat tip to Steve C. for the idea. ]
Links
[
Nmap | nmap.org
][
My Nmap Tutorial | danielmiessler.com
]
0 responses on "Security and Obscurity: Does Changing Your SSH Port Lower Your Risk?"