
I'm confused as to why you would use the -D option for Nmap. Is there any 'white hat' reason for using it? Or is it used particularly for malicious purposes?

schroeder
ssharma
  • Well, any offensive feature can be employed to test your own defensive measures. So, a decoy scan against your own infrastructure can help you find out how your firewall responds to it, just like DoS tools can help you assess how stable your systems are in case of a real attack. – Arminius Nov 24 '17 at 02:40
  • Is the decoy scan, in particular, used to confuse a firewall or individual about who's scanning them? What's the main purpose of sending these 'fake' packets with different source addresses? – ssharma Nov 24 '17 at 05:01
  • By decoying on an array of previously set up hosts you can circumvent source-based rate limiting that is meant to hinder scanning. As for all dual-use tools: all black hat options are valid options for white hats as well when executing a penetration test that is scoped in the right way. – Tobi Nary Nov 24 '17 at 17:50
  • @SmokeDispenser `-D` decoy scans aren't the same as load balancing. Standard Nmap doesn't support load balancing like that, but you could check out dnmap or other wrappers that do it. – bonsaiviking Nov 24 '17 at 21:20
  • @bonsaiviking that is not what SmokeDispenser said. He stated that `-D` will circumvent source-based rate limiting. This means e.g. firewalls blocking your packets because of too many connections without actual content, based on your source IP. – Ben Nov 28 '17 at 13:52
  • @Ben He suggested that `-D` can be used to spread the scan across multiple source addresses, but what it does is *multiplies* the scan. Your own source will be used for every probe, in addition to sending probes "from" all of the decoy addresses. Source-based rate limiting is not affected in any way. – bonsaiviking Nov 28 '17 at 20:21
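The point made in the last comment, that a decoy scan is the real source plus every decoy sending the same probes, has a direct consequence for the defender: per-source rate limiting sees N+1 unrelated low-volume sources, but correlating probes by destination and time window exposes them as one activity. The script below is an added example and not part of the question or the comments. It assumes a constructed, simplified log format (`<epoch> SYN src= dst= dport=`) and constructed sample lines; it groups SYN probes per destination host into one-second buckets and reports sets of sources that hit the same ports in lockstep. It cannot tell which of those sources is the real scanner (the comments above explain why), it only shows that they belong together.

```python
"""Correlate SYN probe log lines to surface decoy-style scan patterns.

With a decoy scan every probe is sent from the scanner's own address
and from each decoy, so the target sees N+1 sources touching the same
ports at nearly the same time. Per-source rate limits treat those
sources separately; grouping by destination and time bucket shows the
lockstep pattern.
"""
import re
from collections import defaultdict
from math import floor

# Constructed, simplified log format (assumption; not a real firewall format).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample traffic: four sources probe ports 22, 80 and 443 on
# 10.0.0.5 within a few milliseconds; the last two lines are unrelated noise.
SAMPLE_LOG = """\
1700000000.000 SYN src=192.0.2.10 dst=10.0.0.5 dport=22
1700000000.001 SYN src=198.51.100.7 dst=10.0.0.5 dport=22
1700000000.002 SYN src=203.0.113.4 dst=10.0.0.5 dport=22
1700000000.003 SYN src=192.0.2.77 dst=10.0.0.5 dport=22
1700000000.010 SYN src=192.0.2.10 dst=10.0.0.5 dport=80
1700000000.011 SYN src=198.51.100.7 dst=10.0.0.5 dport=80
1700000000.012 SYN src=203.0.113.4 dst=10.0.0.5 dport=80
1700000000.013 SYN src=192.0.2.77 dst=10.0.0.5 dport=80
1700000000.020 SYN src=192.0.2.10 dst=10.0.0.5 dport=443
1700000000.021 SYN src=198.51.100.7 dst=10.0.0.5 dport=443
1700000000.022 SYN src=203.0.113.4 dst=10.0.0.5 dport=443
1700000000.023 SYN src=192.0.2.77 dst=10.0.0.5 dport=443
1700000030.500 SYN src=192.0.2.200 dst=10.0.0.5 dport=25
1700000031.000 SYN src=192.0.2.201 dst=10.0.0.9 dport=443
"""


def parse_log(text):
    """Parse the constructed log lines into event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": float(m["ts"]), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return events


def detect_lockstep_sources(events, window=1.0, min_sources=3, min_ports=2):
    """Return groups of sources that probed the same ports on one host
    inside a single time bucket of `window` seconds.

    Each finding lists the destination, the bucket start, the ports hit by
    at least `min_sources` sources, and the sources common to all of those
    ports. The real scanner is one of those sources; this function cannot
    single it out, it only ties the sources together.
    """
    # (dst, bucket) -> dport -> {src, ...}
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        key = (e["dst"], floor(e["ts"] / window))
        buckets[key][e["dport"]].add(e["src"])

    findings = []
    for (dst, b), port_sources in buckets.items():
        busy_ports = [p for p, s in port_sources.items() if len(s) >= min_sources]
        if not busy_ports or len(busy_ports) < min_ports:
            continue
        common = set.intersection(*(port_sources[p] for p in busy_ports))
        if len(common) >= min_sources:
            findings.append({
                "dst": dst,
                "window_start": b * window,
                "ports": sorted(busy_ports),
                "sources": sorted(common),
            })
    return sorted(findings, key=lambda f: f["window_start"])


if __name__ == "__main__":
    for f in detect_lockstep_sources(parse_log(SAMPLE_LOG)):
        print(f"{f['dst']}: ports {f['ports']} probed by {len(f['sources'])} "
              f"sources in lockstep: {', '.join(f['sources'])}")
```

On the sample data this reports one group: 10.0.0.5 probed on 22, 80 and 443 by all four addresses, while the two later single-port connections are left alone. The thresholds (`window`, `min_sources`, `min_ports`) are the knobs to tune against your own baseline; the design choice is fixed time buckets rather than a sliding window, which keeps the output deterministic and free of duplicate findings at the cost of possibly splitting a group that straddles a bucket boundary.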
