Network in Security // Network Insecurity


Saturday, May 30, 2009

How to Hide Your Nmap Scans


Network scans generate a lot of noise, and generally you do not want to be detected while performing one. Intrusion detection systems (IDS) such as Snort log network activity and can therefore detect most network scans. The following guide describes some of the methods that can be used to reduce the noise a network scan generates.


Option 1 - Use a Decoy Scan

This is generally the most effective method of hiding your Nmap scans. Nmap has the -D option, which performs what is known as a decoy scan. With the -D option it appears to the IDS on the remote target that several hosts are scanning it simultaneously. The target IDS might report 5-10 port scans from several unique IP addresses, but it cannot tell which IP was actually scanning and which ones were decoys.

It is good practice to use the IPs of real, existing machines for the decoys, not fictional made-up ones; otherwise the scan may turn into a SYN flood, because a decoy that does not exist never answers the target's SYN/ACK with a RST, so the target never gets one.

However, a shortfall of this method is that the decoys can generate a large number of packets. Remember that with 4 decoys, the traffic generated during the scan will be about 4 times that of a plain SYN scan.

Use the following syntax to perform a decoy scan, where the IPs 192.168.1.1-4 are the decoys and 127.0.0.1 is the target machine:

nmap -sS -D 192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4 127.0.0.1
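The same decoy pattern seen from the defender's side, as an added example that is not part of the original post: a small Python detector run over constructed firewall log lines (the log format, hosts and ports are assumptions) that first flags sources probing many ports on one host, then groups sources whose probes to the same ports land in lockstep, which is what a -D scan looks like on the wire and why an analyst should treat the whole cluster as one scan rather than several attackers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the post): four sources probe the
# same five ports on 10.0.0.5 in lockstep, the pattern a -D decoy scan leaves.
PORTS = [22, 80, 443, 3306, 8080]
SOURCES = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.50"]
SAMPLE_LOG = "\n".join(
    f"2009-05-30T10:00:{i:02d} SYN {src} -> 10.0.0.5:{port}"
    for i, port in enumerate(PORTS) for src in SOURCES
) + "\n2009-05-30T10:05:00 SYN 10.0.0.7 -> 10.0.0.5:443"  # benign single connect

LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")  # assumed log format

def parse(log):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])))
    return events

def find_scanners(events, min_ports=5):
    """Sources that touched at least min_ports distinct ports on a single destination."""
    ports = defaultdict(set)
    for _, src, dst, dport in events:
        ports[(src, dst)].add(dport)
    return sorted(src for (src, _), p in ports.items() if len(p) >= min_ports)

def find_decoy_clusters(events, tolerance_s=2):
    """Group scanners whose probes to the same dst:port arrive within tolerance_s
    of each other. Several sources hitting identical ports at identical moments is
    the decoy signature: one real scanner plus its -D decoys, not N attackers."""
    scanners = set(find_scanners(events))
    by_probe = defaultdict(list)  # (dst, dport) -> [(timestamp, src)]
    for ts, src, dst, dport in events:
        if src in scanners:
            by_probe[(dst, dport)].append((ts, src))
    clusters = set()
    for probes in by_probe.values():
        probes.sort()
        span = (probes[-1][0] - probes[0][0]).total_seconds()
        srcs = frozenset(src for _, src in probes)
        if len(srcs) > 1 and span <= tolerance_s:
            clusters.add(srcs)
    return [sorted(c) for c in clusters]
```

On the sample log, find_scanners() reports all four lockstep sources and find_decoy_clusters() collapses them into a single cluster, while the lone benign connection from 10.0.0.7 is ignored.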


Option 2 - Changing the Time interval


Another possible method is to randomise the scan by changing its timing and the interval between probes. Nmap has several timing options that control the interval between each packet sent. Spread out this way, the scan is lost among the other legitimate traffic and is not as easily detected.

The timing templates to be appended after the -T option:
1. Paranoid - one packet sent every 5 minutes
2. Sneaky - one packet sent every 15 seconds
3. Polite - one packet sent every 0.4 seconds
4. Normal - as quickly as possible
5. Aggressive - waits 1.25 seconds for a response
6. Insane - waits 0.3 seconds for a response
The syntax below shows an Nmap scan that sends out one packet every 15 seconds, using the Sneaky template:
nmap -sS -T Sneaky 127.0.0.1


Option 3 - Randomise Hosts

The --randomize-hosts option shuffles the order of the hosts in an Nmap scan. Groups of 2,048 hosts at a time are randomised, which makes the scan less conspicuous to anyone examining traffic patterns. This can make scans less obvious to network monitoring systems and IDS, especially when combined with the slow timing templates. Do note that this method only helps if you are scanning several hosts at once.

The syntax below combines randomised host order with a slower timing template:
nmap -sS -T Sneaky --randomize-hosts 127.0.0.1-20


Option 4 - Using a Zombie


This method is also known as the "idle scan". Nmap first does a ping sweep and shows all hosts that are up in the given IP range. Once a zombie is found, Nmap uses port 1234 on the IP 192.168.1.1 as the zombie to scan the target machine 127.0.0.1 (the idle scan is selected with -sI, which takes the zombie host and port):
nmap -P0 -sI 192.168.1.1:1234 127.0.0.1
Read more on idle scanning here


Note: IP spoofing is another approach widely used in the network security industry, but it does not work for a normal Nmap scan (even though Nmap has an option to spoof the source IP), because the SYN/ACK replies from the target machine are sent to the spoofed IP address rather than to your machine.
