Network anti-reconnaissance for fun and profit: Messing with Nmap presented at Security B-Sides Phoenix 2012

by Dan ( altf4 ) Petro,

Tags: Security

Summary : "Performing reconnaissance on a network is all too often simply given away to the attacker for free. Packet level inspection techniques like NIDS and firewalls are routinely evaded by Nmap. Network security tools therefore tend to ignore this problem and try to deny access to attackers(firewalls, NATs, DMZs, etc...) or detect intrusion payloads as they go by (NIDS, Antivirus, etc..). What we're missing is protection in the middle step: preventing and detecting reconnaissance.
Presented here is Nova, a new software tool for performing network anti-reconnaissance. It works by deploying a large array of thin virtual machines (modified honeyd) called the Haystack, which obfuscates the real network. It then uses machine learning techniques to analyze traffic and classify suspects, so that you don't have to go manually searching through mountains of log files like on your honeypot at home.
Come and see how you, too, can have fun messing with Nmap!"