Remove common pentest tool fingerprints
Inspired by al0ne/Nmap_Bypass_IDS, I listed some detectable fingerprints of the nmap scanner.
```lua
USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
```
Change the nmap user-agent to another common user-agent.
```c
if (window)
    tcp->th_win = htons(window);
else
    tcp->th_win = htons(1024); /* Who cares */
```
The default TCP window size of an nmap TCP scan is 1024, which IDS/IPS devices detect easily, so it should be changed to another value.
```lua
local cookie = "mstshash=nmap"
```
Change nmap to another value.
```c
static u8 patternbyte = 0x43; /* character 'C' */
```
Change 0x43 to another hex value.
```
mstshash=nmap
```
Change nmap to another value.
```
OPTIONS sip:nm
```
Replace the SIP method with another one, like INVITE, and replace nm with another string in the SIP request messages.
```lua
-- The URLs used to check 404s
local URL_404_1 = '/nmaplowercheck' .. os.time(os.date('*t'))
local URL_404_2 = '/NmapUpperCheck' .. os.time(os.date('*t'))
local URL_404_3 = '/Nmap/folder/check' .. os.time(os.date('*t'))
```
Change nmap to another string.
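From the defender's side, the default strings and values listed above are exactly what a signature can key on. The following detector is an added example (not part of the original repository); it runs the page's fingerprints over constructed, already-parsed events and reports which default nmap artefact each one matches. The event field names (`user_agent`, `url`, `payload`, `flags`, `window`) are assumptions for this example.

```python
import re
from typing import Dict, List

# Default nmap artefacts from the snippets above, as regexes over one event field each.
# The TCP window check is numeric and handled separately below.
INDICATORS = {
    "http_user_agent": ("user_agent", re.compile(r"Nmap Scripting Engine", re.I)),
    "http_404_probe":  ("url", re.compile(r"^/(nmaplowercheck|NmapUpperCheck|Nmap/folder/check)\d+$")),
    "rdp_cookie":      ("payload", re.compile(r"mstshash=nmap")),
    "sip_options":     ("payload", re.compile(r"^OPTIONS sip:nm\b")),
}
NMAP_DEFAULT_WINDOW = 1024  # the hard-coded htons(1024) fallback in the C snippet


def classify(event: Dict) -> List[str]:
    """Return the names of the nmap fingerprints one parsed event matches.

    `event` is a dict of already-extracted fields (field names are assumptions),
    e.g. {"flags": "S", "window": 1024} or {"user_agent": "..."}.
    """
    hits = []
    for name, (field, pattern) in INDICATORS.items():
        value = event.get(field)
        if isinstance(value, str) and pattern.search(value):
            hits.append(name)
    # A bare SYN with window 1024 is a weak signal on its own; it only becomes
    # interesting across many ports or hosts, so treat it as corroborating evidence.
    if event.get("flags") == "S" and event.get("window") == NMAP_DEFAULT_WINDOW:
        hits.append("tcp_syn_window_1024")
    return hits


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event index to matched fingerprints, dropping events with no hit."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


# Constructed sample events, not real captures.
SAMPLE_EVENTS = [
    {"user_agent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"},
    {"url": "/nmaplowercheck1700000000", "user_agent": "Mozilla/5.0"},
    {"payload": "mstshash=nmap"},
    {"payload": "OPTIONS sip:nm SIP/2.0"},
    {"proto": "tcp", "flags": "S", "window": 1024},
    {"proto": "tcp", "flags": "S", "window": 64240},  # typical Linux SYN, should be clean
    {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "url": "/index.html"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, hits)
```

Once the strings are changed as this page describes, these signatures stop firing, so detection should also rely on behaviour (probe rate, port breadth, 404 probing patterns) rather than on the literal defaults.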
- If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.
So you can set the -PS22,135,445 flag to change this behavior.
```shell
./configure --without-zenmap --without-nmap-update --with-libssh2=included --with-localdirs --with-libpcre=included --with-libpcre=included --prefix=/Users/xxx/bin/nmap --with-openssl=/usr/local/Cellar/openssl@1.1/1.1.1d
```