Nmap Decoy Scans

Learn how to perform an Nmap decoy scan.

Decoy scans can be used to evade detection by security systems and to obscure who is performing a scan. The need for decoy scans arises when a network administrator or security system uses intrusion detection systems (IDSs) or firewalls that monitor and block incoming traffic.

Let’s explore how we can perform Nmap decoy scans.

What is an Nmap decoy scan?

Nmap allows users to specify multiple decoy IP addresses that will be used along with the actual source IP address of the scan. This is useful for disguising the scan’s origin and evading detection by an IDS.

In a decoy scan, probe packets are sent to the target from multiple spoofed source IP addresses, interleaved with packets from the attacker's real source IP. This makes it extremely hard to trace the scan back to the attacker, since the sysadmins have to investigate every IP address that appeared in the decoy scan.

Decoy scanning is also known as parallel scanning or distributed scanning. For example, when we use the -D option in Nmap, it sends spoofed packets that appear to come from each of the IP addresses we've specified, so the target sees the scan as coming from several different hosts.

The core idea of a decoy scan is that if a network administrator sees multiple IP addresses scanning their network, they might be less likely to suspect that the scan is coming from a single host. This can be useful for penetration testers or security researchers who want to avoid detection while conducting a scan.
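From the defender's side, the fingerprint of a decoy scan is that every decoy and the real source hit the same ports on one target within seconds, which ordinary unrelated hosts rarely do. The following Python script is an added example, not code from the original course; it applies that heuristic to a constructed connection log, and the addresses, log field layout and thresholds are all assumptions:

```python
"""Heuristic detector for Nmap decoy scans (nmap -D) in connection logs.
A decoy scan probes the same target ports from the real source and every decoy
address at nearly the same instant: many sources, one target, same ports, tight window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture); fields: time src dst dport
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 192.0.2.10 22
2024-05-01T10:00:00 198.51.100.7 192.0.2.10 22
2024-05-01T10:00:00 203.0.113.9 192.0.2.10 22
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 80
2024-05-01T10:00:01 198.51.100.7 192.0.2.10 80
2024-05-01T10:00:02 203.0.113.9 192.0.2.10 80
2024-05-01T10:05:00 192.0.2.77 192.0.2.10 80
"""

def parse_log(text):
    """Parse 'time src dst dport' lines; malformed lines are skipped."""
    events = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 4 and parts[3].isdigit():
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return events

def find_decoy_scans(events, window=timedelta(seconds=10), min_sources=3, min_ports=2):
    """Return {target: sorted sources} where at least min_sources distinct
    sources hit the identical set of >= min_ports ports within one window."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_dst[dst].append((ts, src, port))
    alerts = defaultdict(set)
    for dst, evs in by_dst.items():
        for i, (start, _, _) in enumerate(evs):  # slide a window over this target's events
            ports_by_src = defaultdict(set)
            for ts, src, port in evs[i:]:
                if ts - start > window:
                    break
                ports_by_src[src].add(port)
            sources_by_ports = defaultdict(set)  # sources grouped by the exact port set they touched
            for src, ports in ports_by_src.items():
                if len(ports) >= min_ports:
                    sources_by_ports[frozenset(ports)].add(src)
            for srcs in sources_by_ports.values():
                if len(srcs) >= min_sources:  # the real scanner is not distinguishable from this log
                    alerts[dst].update(srcs)
    return {dst: sorted(srcs) for dst, srcs in alerts.items()}

if __name__ == "__main__":
    for dst, srcs in find_decoy_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible decoy scan against {dst} from {len(srcs)} sources: {', '.join(srcs)}")
```

All flagged addresses are reported together because the log alone cannot tell the real scanner from its decoys, which is exactly the effect the -D option is designed to produce.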

Here’s the syntax for the decoy scan:
