NMap 'Gridsweep' Scan with Decoys

NMap 'Gridsweep' Scan with Decoys

The image shows a Nmap scan. It covers the middle half of class C network range (.64 to .192) and at the same time probes the popular ports at each address. It is a parallel network and port sweep with decoys to hide the true identity of the scanner - so it simultaneously address scans and port scans while spoofing other source addresses to obscure the scanners identity. The scan was generated by the Nmap command below:

nmap -sS -e lo -F -T5 --host-timeout 10m --max-retries 0 --initial-rtt-timeout 25ms --max-rtt-timeout 250ms --max-scan-delay 250ms --scan-delay 10ms --min-hostgroup 32 --max-hostgroup 32 -D,,

In summary, the command tells Nmap to SYN scan the middle half of the loop-back network (-sS -e lo) on common ports (-F) in a non-random manner (-r), and scan in parallel address blocks of 32 (--min-hostgroup 32 --max-hostgroup 32) while creating decoy packets with 3 spoofed addresses (-D,,

The data is visualised in IneVis, a time-animated interactive 3-D packet trace visualisation. InetVis supports, IP ICMP, TCP, and UDP. Essentially, it's a 3-D scatter-plot:

  • Green vertical y-axis: destination TPC/UDP port
  • Blue horizontal x-axis: destination IP address
  • Red horizontal z-axis: source IP address

In the sample image, the lines are 'sweeping' across popular ports at each address (in the direction of the blue axis). Note the concentration in the lower port range (bottom green axis) where most common service ports reside. The four identical 'columns' of activity are the sources (separated by red-axis). One of these is the true scanner, the other's are spoofed decoys. The image is shown with a 45 minute time-window and 'transparent' ageing which makes older packets fainter. The chosen colour scheme is by destination port.

InetVis was inspired by Stephen lau's Spinning Cube of Potential Doom. For more details about InetVis, see: http://www.cs.ru.ac.za/research/g02v2468/inetvis.html.