
I was reading the Nmap documentation about firewall evasion here. I already know that it is possible to use a proxy to make a scan (with the proxy chains). But with the option -S it is possible to spoof an IP address. Isn't it the same?

Thanks

adrTuIPKJ44

1 Answer


No.

Scanning through a proxy allows you to scan from the IP of that proxy, and it only works with certain scan types, as you're just tunneling traffic through a proxy server. Connect scans are the obvious example of a scan type that works via a SOCKS proxy.

Scanning with -S allows you to explicitly set the source IP address that your scan's IPv4 (or IPv6) headers contain. You can't do this with a proxy scan. If you're actually trying to scan something, the only useful reason to use -S is to set your source IP when nmap can't figure it out itself.

Alternatively, you can make it look like an nmap scan is coming from another system on the network, in order to confuse a defender and waste their time. However, since the target server will reply back to the IP address in the source header, you won't see the response packets from the server, so it won't function as an actual port scan and nmap isn't likely to return useful results.

Polynomial
  • Thank you, I understood everything, except that I don't understand why **-S** won't work while doing a scan through a proxy. It's useless, OK, but we can still do this, right? – adrTuIPKJ44 Oct 26 '16 at 21:53
  • No. If you use -S for spoofing you won't be able to create a connection to the proxy, because a TCP connection needs the 3-way handshake to complete, which you can't do if you aren't receiving packets from the proxy. The proxy itself can't honour your -S flag because proxies don't work like that. – Polynomial Oct 26 '16 at 22:19
  • In some cases, it is useful to spoof IP, for example to reproduce the attack of an adversary, and the information we can obtain is collected server-side on the system we own. – Steven Miller Sep 09 '22 at 15:18
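
An added example, not part of the original answer or comments: a toy Python model of the cases discussed above (direct scan, spoofed source with -S, scan through a proxy, and -S combined with a proxy). It shows which source address the target would log and what the scanner can learn. All addresses, ports and function names are constructed for illustration, and no packets are sent.

```python
# Toy model (constructed, no real network traffic): a reply is routed to the
# source address written in the packet header, not to whoever really sent it.

SCANNER, PROXY, TARGET, DECOY = "10.0.0.5", "10.0.0.20", "10.0.0.80", "10.0.0.99"  # constructed
PROXY_PORT = 1080                                     # constructed SOCKS listener port
OPEN_PORTS = {TARGET: {80}, PROXY: {PROXY_PORT}}      # constructed listening ports


def syn_probe(real_sender, header_src, dst, port):
    """Send one SYN. Return (source address dst logs, state the sender learns)."""
    reply = "SYN-ACK" if port in OPEN_PORTS.get(dst, set()) else "RST"
    reply_goes_to = header_src            # dst only knows the address in the header
    if reply_goes_to != real_sender:
        # The SYN-ACK/RST is delivered to another host, so the sender sees nothing
        # and the 3-way handshake can never complete.
        return header_src, "no-response"
    return header_src, ("open" if reply == "SYN-ACK" else "closed")


def connect_via_proxy(real_sender, header_src, proxy, dst, port):
    """Handshake with the proxy first; the proxy then connects to dst as itself."""
    _, state = syn_probe(real_sender, header_src, proxy, PROXY_PORT)
    if state != "open":
        return None, "proxy-handshake-failed"   # dst never sees any traffic
    # The proxy opens its own TCP connection, so dst logs the proxy's address.
    return syn_probe(proxy, proxy, dst, port)


def scenarios():
    return {
        "direct": syn_probe(SCANNER, SCANNER, TARGET, 80),
        "spoofed (-S)": syn_probe(SCANNER, DECOY, TARGET, 80),
        "proxy": connect_via_proxy(SCANNER, SCANNER, PROXY, TARGET, 80),
        "proxy + spoofed": connect_via_proxy(SCANNER, DECOY, PROXY, TARGET, 80),
    }


if __name__ == "__main__":
    for name, (seen, result) in scenarios().items():
        print(f"{name:16} target logs source={seen}  scanner learns={result}")
```

For anyone reading logs on the target side, the model makes the distinction concrete: with a proxy the logged source is a host that really completed a handshake, while a spoofed source address in a lone SYN says nothing about who sent it.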