Frankenmap

Modern Intrusion Detection Systems (IDS) easily spot the distinct signatures of Nmap’s default aggressive probes.

Here is a stealth blueprint for getting OS, version, and script data without kicking the front door down:

1. Deconstructing the Aggressive Scan

Instead of using -A, use these specific flags to control exactly what information is gathered and how it is sent:

  • Stealth SYN Scan (-sS): This is the gold standard for stealth. It performs a “half-open” scan by sending a SYN packet and waiting for a SYN-ACK but never completing the three-way handshake. Unlike “full connect scans” (-sT), half-open scans often avoid being logged by simpler application-level firewalls.
  • Version Detection Timing (-sV --version-intensity 0): Version detection (-sV) is notoriously noisy because it sends probes to identify services. By setting the intensity to 0, Nmap sends only the probes most likely to match each port, significantly reducing your footprint.
  • OS Detection with Caution (-O --osscan-limit): To be stealthier with OS detection, use the --osscan-limit flag. This tells Nmap not to waste packets trying to identify the OS of targets that don’t have at least one open and one closed TCP port.

2. Evading Network Signatures

You can further disguise your scan by modifying the packet headers to look like normal traffic:

  • Custom TTL and Window Size: You can set a custom Time-To-Live (--ttl) and window size (--window-size) to match common operating systems like Windows or Linux, making your probes blend in with standard web traffic.
  • Data Padding (--data-length): Nmap packets are often empty, which is a massive red flag for IDS. Adding random data to the packets helps them look like legitimate application requests.
  • Fragmenting Packets (-f): This splits the TCP header across several packets, which can bypass some older, less sophisticated packet filters.

3. The “Frankenstein” Stealth Command

Combining these techniques into a single command allows you to gather deep data with minimal noise:

Bash

sudo nmap -sS -Pn -n -sV --version-intensity 0 -O --osscan-limit --data-length 32 --ttl 51 --scan-delay 5s -f <target_ip>

Strategic Warnings

  • The “Snitch”: Even with these precautions, Version Detection (-sV) remains a risk. The moment you send a probe to a service, you are interacting with it in a way that is well documented in IDS signatures.
  • Shared Infrastructure: If you see your targets are behind a CDN like Cloudflare or Akamai, scanning for OS or versions is often a waste of time. You will only be scanning the infrastructure provider’s edge nodes, not the actual target server.
  • Stealth Firewalls: If you notice connection attempts consistently taking exactly your timeout limit (e.g., 2 seconds), you are likely hitting a “stealth” firewall that is silently dropping your packets.
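From the defender's side, the techniques above still leave a footprint: a slow scan delay defeats per-second thresholds but not a wide-window count of distinct ports per source, and a SYN that carries padding data is itself unusual (ordinary stacks send empty SYNs outside TCP Fast Open). The following detector, added here as an illustration and not part of the original post, runs both checks over a constructed set of per-packet records (timestamp, source, destination, port, TCP flags, TTL, payload length); the record layout, thresholds, and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not a real capture): one source sweeping
# ports 5 s apart with half-open SYNs carrying a 32-byte payload, plus an
# ordinary client that completes its handshake to port 443.
SAMPLE = [
    # (ts, src, dst, dport, flags, ttl, payload_len)
    (t * 5.0, "203.0.113.7", "192.0.2.10", 20 + t, "S", 51, 32)
    for t in range(12)
] + [
    (3.0, "198.51.100.4", "192.0.2.10", 443, "S", 64, 0),
    (3.1, "198.51.100.4", "192.0.2.10", 443, "A", 64, 0),
    (3.2, "198.51.100.4", "192.0.2.10", 443, "PA", 64, 517),
]


def half_open_sources(records, window_s=120.0, min_ports=8):
    """Return {src: sorted distinct ports} for sources that sent SYNs to at
    least `min_ports` distinct ports of one host inside any `window_s`
    second window without ever ACKing that host (a half-open sweep).
    The window is deliberately wide so that a multi-second scan delay
    does not hide the sweep from a per-second rate threshold."""
    syns = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    acked = set()              # (src, dst) pairs that completed a handshake
    for ts, src, dst, dport, flags, _ttl, _plen in records:
        if "A" in flags:
            acked.add((src, dst))
        elif flags == "S":
            syns[(src, dst)].append((ts, dport))
    hits = {}
    for (src, dst), events in syns.items():
        if (src, dst) in acked:
            continue
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


def syn_with_payload(records):
    """Sources whose SYN segments carry data: padding added to make probes
    look 'full' is itself a usable indicator, since normal SYNs are empty."""
    return sorted({src for _, src, _, _, flags, _, plen in records
                   if flags == "S" and plen > 0})
```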