Increasing anonymity

Sometimes it is essential to perform scans in an anonymous manner. Firewall and IDS logs can reveal your IP address if you perform a scan without taking any precautions. Nmap provides one such measure, the decoy option (-D).

The decoy option does not prevent your IP address from being recorded in the log files of firewalls and IDS, but it does make the scan look more alarming. It adds extra entries to the log files, creating the impression that several other attackers are scanning the machine simultaneously. So, if you add two decoy IP addresses, the log file will show that the request packets were sent from three different IP addresses: one will be yours, and the other two will be the fake addresses you added:

msf > nmap -sT 192.168.216.10 -D 192.168.216.13,192.168.216.25

This scan example shows the use of the -D parameter. The IP addresses after the -D option are the fake IP addresses, which will appear in the network log files of the target machine along with the original IP address. This can confuse network administrators and make them suspect that all three IP addresses are fake or spoofed. However, adding too many decoy addresses can affect the scan results, so you should use only a limited number of decoy addresses.
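From the defender's side, the log pattern described above can be checked for directly. The following is an added example, not code from the original text: it flags groups of source addresses that probe nearly the same ports on one target within the same short window. The log format, the addresses 192.168.216.5 and 192.168.216.40, and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample firewall log (hypothetical format):
# "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 SRC=192.168.216.5 DST=192.168.216.10 DPT=22
2024-01-01T10:00:00 SRC=192.168.216.13 DST=192.168.216.10 DPT=22
2024-01-01T10:00:00 SRC=192.168.216.25 DST=192.168.216.10 DPT=22
2024-01-01T10:00:01 SRC=192.168.216.13 DST=192.168.216.10 DPT=80
2024-01-01T10:00:01 SRC=192.168.216.5 DST=192.168.216.10 DPT=80
2024-01-01T10:00:01 SRC=192.168.216.25 DST=192.168.216.10 DPT=80
2024-01-01T10:00:02 SRC=192.168.216.25 DST=192.168.216.10 DPT=443
2024-01-01T10:00:02 SRC=192.168.216.5 DST=192.168.216.10 DPT=443
2024-01-01T10:00:02 SRC=192.168.216.13 DST=192.168.216.10 DPT=443
2024-01-01T10:00:01 SRC=192.168.216.40 DST=192.168.216.10 DPT=443
2024-01-01T10:00:03 SRC=192.168.216.40 DST=192.168.216.10 DPT=443
"""

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["SRC"], kv["DST"], int(kv["DPT"])

def lockstep_sources(log_text, window_s=10, min_ports=3, min_overlap=0.8):
    """Map (target, time bucket) -> sources that probed nearly the same ports."""
    ports = defaultdict(set)  # (dst, bucket, src) -> ports seen
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dpt = parse(line)
            ports[(dst, int(ts.timestamp()) // window_s, src)].add(dpt)
    by_target = defaultdict(dict)
    for (dst, bucket, src), seen in ports.items():
        if len(seen) >= min_ports:  # skip ordinary single-service clients
            by_target[(dst, bucket)][src] = seen
    findings = {}
    for key, srcs in by_target.items():
        group = set()
        for a, b in combinations(srcs, 2):
            # Jaccard similarity of the two sources' port sets
            if len(srcs[a] & srcs[b]) / len(srcs[a] | srcs[b]) >= min_overlap:
                group |= {a, b}
        if group:
            findings[key] = sorted(group)
    return findings

if __name__ == "__main__":
    for (dst, _), srcs in lockstep_sources(SAMPLE_LOG).items():
        print(f"{dst}: lockstep probing from {', '.join(srcs)}")
```

The check reports all three addresses as one group; as the text notes, the log alone does not show which of them is the real source.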