Skorpinok Rover Posted February 17, 2013

Hello, this is regarding web scanning, just for the sake of knowledge. I would like to know: in BackTrack 5 R3, if I scan a website using tools like Nikto, will my IP get detected? Are there any ways to remain anonymous during a web scan? Well, Tor works for browsers, I believe, so what about this? Please share with me if you have any idea regarding this :)

Regards,
Skorpinok
no42 Posted February 17, 2013

Potentially, yes. It depends on whether your target is log monitoring or has a dedicated SIEM. Why don't you set up a quick BackTrack box in the cloud (e.g. Amazon AWS)? Then delete it once you have finished.
digip Posted February 17, 2013 (edited)

1. Configuring Nikto not to use its default user agent, for starters; 2. limiting its rate of scanning; 3. proxy chains, SSH tunnels, VPNs, and running all of it through Tor help, but in the end, it's going to show a shit ton of info in the site's access logs, along with the IP the requests are coming from if they're sent directly at HTTP servers. If you're scanning and they have any kind of IDS or other such WAF, they might also ban the IP, redirect traffic back at you, or return false data on purpose. Take a tool like Project Artillery, for instance: you try an nmap scan, it will return all ports as open and even hand back fake data to make nmap think they are live ports, but then it records your data, bans your IP, and adds it to its global database of hostile IP addresses (which I think is over 30,000 now). We use it in our Attack Scanner plug-in to preempt attacking IPs of known attackers.

Scanning tools in general have their purpose, such as sanctioned scans done internally by an audit team on the corporate network who purposely use the tool to check for holes, but they are VERY noisy. If this is for a potential scan of your own network, it would be fine; who cares about all the info you end up with in the logs, so long as you find the holes that need plugging? Against an unknown target you didn't get permission from, you are going to set off all kinds of bells and whistles that just lead a trail back to you. Stealth, recon, and identifying a true target with manual, spaced-out checks done over a lengthy period of time would be the way to go if you don't want to set off too many alerts. Changing your IP address multiple times, each time you come back, as well as spoofing user agents, OS, etc., are all part of making it look like normal drive-by data.

If you sit at one machine for any lengthy scanning time without knowing what the tool does and what you are going to be sending to the target, you may as well walk over and knock on the door of the site owner and say, "Hello, I'd like to be arrested now, for I am about to attack your site and check it for vulnerabilities."

By the way, I had someone try a Nikto scan that generated 16 MB of data back in November, all with the same user agent of Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:004742), so it's EASILY seen in logs and will definitely be something you don't want to just point at any site willy-nilly.

Edited February 17, 2013 by digip
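The detection side of what digip describes, as an added example that is not code from the post, from Nikto, or from Project Artillery: a small Python script that parses combined-format access log lines and flags (a) clients whose user agent carries the default Nikto markers quoted above and (b) any client that exceeds a request rate, so that a scanner which swapped its user agent for a browser string is still caught by the second check. The log lines, IP addresses, window and threshold are all constructed or assumed for the example and should be tuned to real traffic.

```python
"""
Flag Nikto-style scan activity in web server access logs.

Added example, not code from the forum thread. The user-agent signature is
the default Nikto UA quoted by digip; the rate check catches a scanner that
changed its UA. All log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default Nikto UA: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:004742)
NIKTO_UA_RE = re.compile(r'\(Nikto/[\d.]+\)|\(Evasions:[^)]*\)|\(Test:\d+\)')

RATE_WINDOW = timedelta(seconds=60)   # assumption: sliding window length
RATE_THRESHOLD = 50                   # assumption: requests per window per IP


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def detect_nikto_ua(entries):
    """IPs whose user agent carries Nikto's default markers."""
    return {e["ip"] for e in entries if NIKTO_UA_RE.search(e["ua"])}


def detect_high_rate(entries, window=RATE_WINDOW, threshold=RATE_THRESHOLD):
    """IPs that issued >= threshold requests inside any sliding window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def analyze(lines):
    """Run both detectors over raw log lines; malformed lines are skipped."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return {"nikto_ua": detect_nikto_ua(entries), "high_rate": detect_high_rate(entries)}


def sample_lines():
    """Constructed sample log (documentation-range IPs, invented paths)."""
    base = datetime(2013, 2, 17, 10, 0, 0)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %s %s "-" "%s"'

    def ts(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S +0000")

    browser = "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
    lines = []
    # ordinary visitor: a few pages spread over five minutes
    for i, path in enumerate(["/", "/about", "/blog", "/contact", "/blog/post-1"]):
        lines.append(fmt % ("198.51.100.7", ts(base + timedelta(minutes=i)), path, 200, 5120, browser))
    # default Nikto run: unmistakable UA, one request per second
    nikto = "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:%06d)"
    for i in range(60):
        lines.append(fmt % ("203.0.113.5", ts(base + timedelta(seconds=i)),
                            "/cgi-bin/test%d" % i, 404, 209, nikto % (i + 1)))
    # same scanner with the UA swapped for a browser string: the rate still gives it away
    for i in range(55):
        lines.append(fmt % ("203.0.113.9", ts(base + timedelta(minutes=10, seconds=i)),
                            "/admin/page%d" % i, 404, 209, browser))
    return lines


if __name__ == "__main__":
    for name, ips in analyze(sample_lines()).items():
        print(name, sorted(ips))
```

On the constructed sample the UA check flags only 203.0.113.5, while the rate check flags both 203.0.113.5 and 203.0.113.9; the normal visitor trips neither. That is the practical reading of digip's list: a changed user agent defeats the signature, but unless the scan is also throttled and spread out, a per-source request count picks it up anyway.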