Network Anti-Reconnaissance: Messing with Nmap Through Smoke and Mirrors

DEF CON 20

Presented by: Dan Petro (AltF4)
Date: Friday July 27, 2012
Time: 15:00 - 15:20
Location: Track 4 / Turbo

Reconnaissance on a network has been an attacker's game for far too long, where's the defense? Nmap routinely evades firewalls, traverses NATs, bypasses signature based NIDS, and gathers up the details of your highly vulnerable box serving Top Secret documents. Why make it so easy?

In this talk, we will explore how to prevent network reconnaissance by using honeyd to flood your network with low fidelity honeypots. We then discuss how this lets us constrain the problem of detecting reconnaissance such that a machine learning algorithm can be effectively applied. (No signatures!) We will also discuss some important additions to honeyd that we had to make along the way, and perform a live demonstration of our free software tool for doing all of the above: Nova.

Dan Petro

Dan "AltF4" Petro: By day, Alt is a security researcher for DataSoft Corp, a small business in Scottsdale Arizona, where he focuses on developing open source tools for network security. He holds a M.S. in Information Assurance from Arizona State University where he studied network security and cryptographic protocols. By night, he is a rogue free software and privacy activist with a penchant for the dramatic. He is a lifelong hacker and regular member of the Phoenix 2600. Twitter: @2600AltF4


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats