Redcode Labs


Automating the process of decoy scanning and source spoofing

Introduction

nmap -D <host_1>,<host_2>,<host_N>… <target_host>

Each decoy host is separated with a comma and passed after the `-D` command-line flag.

The only drawback of this method is that each decoy host should be up and running, to prevent SYN flooding of the target that is being scanned. Additionally, specifying each address by hand isn't really time-efficient. So we will try to perform the following:

  • Discover active hosts on current LAN
  • Specify discovered hosts with Nmap’s -D option in terminal

Let’s get started :>

Hosts discovery — Netenum

$ sudo ./netenum.py -t 2m -i wlp3s0 -w active_hosts.txt

Breaking down each argument and its meaning:

  • -t 2m instructs the sniffer to stop listening for new packets after two minutes.
  • -i wlp3s0 specifies the wireless interface we want to listen on. You can find the name of yours by running the iwconfig command.
  • -w active_hosts.txt saves the discovered addresses to a text file after the sniffer finishes its work.

(Screenshot: Netenum output)

After the hosts are written to a file, we can check whether everything went right by inspecting the contents of the newly created active_hosts.txt. Netenum also provides some additional information about the current network, such as its name, signal strength, MAC addresses and a default gateway mark. When writing the found hosts to a file, the tool ensures that both the multicast address (255.255.255.255) and the local IP address of our own machine are omitted.

Hosts discovery — Nmap

Nmap scan report for <ip>

and for non-active hosts:

Nmap scan report for <ip> [host down]

It seems that all we have to do is grep for lines containing report for and invert-grep host down. We should also exclude every line in which the address is enclosed in standard brackets, such as (192.168.1.1), since that is how Nmap prints an address once a hostname has been resolved for it. Full command:

$ nmap -sn -v -n 192.168.1.1/24 | grep "report for" | grep -v "host down" | grep -v "("

The -n flag is added to ensure that no DNS resolution is performed, so that only IP addresses are shown in the summary.

Almost done — output of the above command looks like this:

Nmap scan report for 192.168.1.1

Nmap scan report for 192.168.1.112

Nmap scan report for 192.168.1.102

Now we need to save the entries of the last column to a file. We will achieve this using awk '{print $NF}'.

Final version:

$ nmap -sn -v -n 192.168.1.1/24 | grep "report for" | grep -v "host down" | grep -v "(" | awk '{print $NF}' > active_hosts.txt

Note: Type of the discovery probe that is used in ping scan can be specified using `-PE, -PP` and `-PM` flags.

Passing discovered hosts to Nmap

$ paste -sd "," <our_file>

  • -d lets us select a non-default delimiter (the default is a single TAB)
  • -s (serial) joins all lines of the file into one line instead of pasting files side by side, so the whole file becomes a single comma-separated list

And now inside our Nmap command:

$ nmap -D $(paste -sd "," active_hosts.txt) <target_host>

Note the enclosing $( ), a command substitution: the shell replaces it with the output of the command rather than the command itself.
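The grep/awk pipeline above and the paste step can be folded into one small parser for Nmap's ping-scan output. The following is an added example, not code from the original post or from Redcode Labs: it handles the two line shapes the text describes (plain `report for <ip>` and `[host down]`), and additionally the `name (ip)` form that appears when -n is omitted, which the grep -v "(" filter would silently drop. The sample output, hostnames and addresses are constructed for this example, and the `exclude` parameter mirrors Netenum's behaviour of leaving out our own address and the broadcast address.

```python
import re
import sys
from typing import Iterable, List

# Constructed sample of `nmap -sn -v` output (no -n, so some names are resolved).
# Addresses and hostnames are made up for this example.
SAMPLE_OUTPUT = """\
Starting Nmap ( https://nmap.org )
Initiating Ping Scan at 12:00
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for router.lan (192.168.1.5)
Host is up (0.0040s latency).
Nmap scan report for printer.lan (192.168.1.6) [host down]
Nmap scan report for 192.168.1.112
Host is up (0.013s latency).
Nmap scan report for 192.168.1.102
Host is up (0.0078s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.21 seconds
"""

# Matches both "report for 10.0.0.1" and "report for name (10.0.0.1)",
# with an optional trailing "[host down]" marker.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?P<down> \[host down\])?\s*$"
)


def parse_active_hosts(nmap_output: str, exclude: Iterable[str] = ()) -> List[str]:
    """Return the IPv4 addresses Nmap reported as up, in order, without duplicates."""
    skip = set(exclude)
    seen = set()
    hosts: List[str] = []
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m or m.group("down"):
            continue  # not a report line, or the host did not answer
        ip = m.group("ip")
        if ip in skip or ip in seen:
            continue  # our own address / broadcast address / already listed
        seen.add(ip)
        hosts.append(ip)
    return hosts


def join_for_nmap(hosts: Iterable[str]) -> str:
    """Equivalent of `paste -sd "," file`: one comma-separated argument, no empty entries."""
    return ",".join(h for h in hosts if h)


if __name__ == "__main__":
    # Usage: nmap -sn -v 192.168.1.1/24 | python3 parse_hosts.py
    # (parse_hosts.py is an assumed file name for this example)
    print(join_for_nmap(parse_active_hosts(sys.stdin.read(), exclude=["255.255.255.255"])))
```

Because the parser extracts the address from inside the brackets instead of discarding the line, it yields the same list whether or not DNS resolution was enabled, so the -n flag becomes a matter of scan speed rather than correctness.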

Spoofing source address with random active host

$ nmap -S $(shuf -n 1 active_hosts.txt) <target_host>

Parameter -n 1 instructs shuf to select one random line from the input file.

Spoofing source port for traffic blending

$ common_ports=(21 22 445 80 8080)

$ random_port=${common_ports[$((RANDOM % ${#common_ports[@]}))]}

$ nmap -g $random_port <target_host>

Final words
