current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Information Security Stack Exchange is a question and answer site for information security professionals. It's 100% free, no registration required.
up vote 2 down vote favorite

Are scripts coded only using the default API of a high level, interpreted language for generic and meticulous gathering of network device & host software information that are already available through common network security applications able to go unnoticed at times that common network security applications would set off alarms from packet inspection?

share|improve this question
1  
Do you mean like using a custom script using C and sockets vs. using nmap, to avoid detection? I would say that for network scanning and reconnaissance: no, generally the behavior will be similar enough to flag both. However, when it comes to exploitation, usually rewriting or obfuscating exploit payloads is a good way to bypass IDSs and AVs. –  Anorov Dec 21 '13 at 8:23
    
Ah that was the right word. "sockets". That is correct I wrote a port scanner in Java that also created sockets to identify services. Thanks. –  Christopher Basinger Dec 21 '13 at 12:10
    
I would give you "ups" but my reputation is still too low. –  Christopher Basinger Dec 21 '13 at 12:12

1 Answer 1

up vote 1 down vote accepted

A packet is a packet is a packet. There is no difference no matter how you generate it, be it using a tool like scapy or using a scripting language like Python or Ruby.

What matters is the frequency and contents of the packets you are sending out. For example, a IDS might get suspicious if you are hitting the system with multiple SYN packets on multiple ports, which is what happens if you use the default -sS flag on nmap. What a scripting language will allow you do to is specify exactly how many packets you want to send out how many times. This is a very flexible option that allows you to craft out your scans in a very fine-grained manner to avoid detection.

Of course, a tool like nmap has many options, including but not limited to the --max-rate and --max-retries flags that allow you to tune the scanning frequency. This may or may not be enough depending on the exact situation.

share|improve this answer
    
Thanks. I was wondering as I wrote a port scanner/banner grabbing script and I guess I was curious as to whether an application like Nmap would leave data in the packet that was able to be identified. I guess this makes sense if I stick to the fundamentals I know about the OSI model. You answered my question to the fullest. –  Christopher Basinger Dec 21 '13 at 12:08

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.