Bluffing Network Scan Tools
What you see may not be what you get

A little paper to remind that automatic tool results are always an
interpretation of incoming data. Tools expect a certain behaviour from systems, and will make some
assumptions. If you do not know this, you may be fooled by false positives or, worse, lose your valuable
time.

Article published on 24 November 2015
last modification on 29 May 2016

by Emeric Nasi

Note: Pentesting / Network security basics are recommended to understand this paper.

I Introduction

I have often seen tutorials or even pro pentesters relying too much, if not uniquely, on automatic
scanning tools. It may be due to lack of knowledge, or more often due to lack of available time.
Obviously when you have 5 week days to complete a full corporate pentest, you can only do your best,
and it won’t be perfect!
Anyway, I just wanted to write a little something to remind that automatic tool results are always an
interpretation of incoming data. Tools expect a certain behavior from systems, and will make some
assumptions. If you do not know this, you may be fooled by false positives or, worse, lose your valuable
time!

Just a quick example: when you successfully ping a machine, you assume it’s alive. But in fact, it just
means you received an ICMP Echo Reply packet in answer to the ICMP Echo Request you sent. This echo
reply could have been sent by another machine than the targeted one. It can be part of a tarpit strategy!
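To make the assumptions behind "ping says it's alive" visible, here is an added example (written for this page, not code from the article or its author). It builds constructed IPv4/ICMP Echo Reply packets in the 192.0.2.0/24 documentation range and runs a classifier that checks, one at a time, what a naive tool silently takes for granted: that the packet is really ICMP, that the checksum verifies, that the identifier/sequence match the request that was sent, and that the reply actually comes from the probed address. The host names, addresses and payload are all made up for the demo; the packet layout follows the standard IPv4 and ICMP header formats.

```python
import struct
import ipaddress

ICMP_ECHO_REPLY = 0   # ICMP type for Echo Reply
IPPROTO_ICMP = 1      # IPv4 protocol number for ICMP


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload.
    Run over a packet whose checksum field is already filled in, a valid packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_echo_reply(src: str, dst: str, ident: int, seq: int,
                     ttl: int = 64, payload: bytes = b"constructed") -> bytes:
    """Constructed IPv4 packet carrying an ICMP Echo Reply (sample data, not captured traffic)."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(icmp), 0, 0, ttl, IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp


def classify_reply(packet: bytes, target: str, ident: int, seq: int) -> dict:
    """Decide how much an incoming packet really tells us about `target`.

    A ping tool that reports "alive" on any Echo Reply is skipping these checks;
    here every assumption is explicit and the first one that fails is reported."""
    if len(packet) < 28:
        return {"verdict": "malformed", "reason": "shorter than IPv4 + ICMP headers"}
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return {"verdict": "ignored", "reason": "not an IPv4/ICMP packet"}
    src = str(ipaddress.IPv4Address(packet[12:16]))
    ttl = packet[8]
    icmp = packet[ihl:]
    itype, _code, _csum, r_ident, r_seq = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_ECHO_REPLY:
        return {"verdict": "ignored", "reason": "ICMP type %d is not Echo Reply" % itype}
    if icmp_checksum(icmp) != 0:
        return {"verdict": "malformed", "reason": "bad ICMP checksum"}
    if (r_ident, r_seq) != (ident, seq):
        return {"verdict": "suspicious", "reason": "id/seq do not match our request (stale or spoofed reply)"}
    if src != target:
        return {"verdict": "suspicious", "reason": "reply from %s, not from probed host %s" % (src, target)}
    return {"verdict": "consistent", "reason": "Echo Reply matches request; host *may* be alive", "ttl": ttl}


def demo() -> list:
    """Run the classifier over constructed samples; returns (name, verdict dict) pairs."""
    target, ident, seq = "192.0.2.10", 0x1234, 1
    samples = [
        ("genuine reply", build_echo_reply(target, "192.0.2.1", ident, seq)),
        ("reply from another host", build_echo_reply("192.0.2.254", "192.0.2.1", ident, seq)),
        ("reply to someone else's request", build_echo_reply(target, "192.0.2.1", 0x9999, 7)),
        ("corrupted reply", bytearray(build_echo_reply(target, "192.0.2.1", ident, seq))),
    ]
    samples[3][1][-1] ^= 0xFF   # flip a payload byte so the checksum no longer verifies
    return [(name, classify_reply(bytes(pkt), target, ident, seq)) for name, pkt in samples]


if __name__ == "__main__":
    for name, result in demo():
        print("%-32s -> %-10s %s" % (name, result["verdict"], result["reason"]))
```

Note that even the "consistent" verdict only says the reply is self-consistent: a tarpit or any device on the path can forge a reply that passes every one of these checks, which is exactly the article's point. The checks reduce false positives (stale replies, answers meant for another probe, replies from a different source address), they do not prove liveness.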
Now let’s focus on some major features of security scan tools:

  • OS fingerprinting
  • Port Scanning
  • Banner grabbing

If you wish to read more about this, the document can be downloaded in PDF format.