NMAP – Discover Your Scan Footprint

When doing adversary emulation, it is important to keep track of your actions. In particular, be aware of how much traffic you are generating, especially if you need to avoid detection by monitoring solutions. Generating a large amount of traffic may trip monitoring thresholds and get your scan detected.

In this article, I will show how to determine the network traffic generated when scanning a host (or a network) using NMAP.


Setup IP Tables Rules

Insert a rule at the top of the INPUT and OUTPUT chains that matches traffic from and to the target. The rules accept the traffic anyway; they exist only so that iptables keeps separate packet and byte counters for that host. Note that the INPUT rule matches on source (-s) while the OUTPUT rule must match on destination (-d), since outbound packets are addressed to the target:

iptables -I INPUT 1 -s <IP_ADDRESS_TO_SCAN> -j ACCEPT
iptables -I OUTPUT 1 -d <IP_ADDRESS_TO_SCAN> -j ACCEPT

Clear IPTABLES Record

Run these commands to zero the packet and byte counters on both chains, so that the next reading reflects only the scan:

iptables -Z INPUT
iptables -Z OUTPUT


Run NMAP Scan

Run a basic nmap scan against the target. By default, nmap scans the top 1000 ports.

Check IP Tables

iptables -L -vn | grep '<IP_ADDRESS_SCANNED>'

The basic nmap scan generated a total of 88 bytes on the INPUT chain and a total of 88 kilobytes on the OUTPUT chain.
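The four steps above (insert the accounting rules, zero the counters, scan, read the counters) can be wrapped into one script. The following is an added example, not code from the original article. It assumes it runs as root with iptables and nmap installed, that the target is passed in the SCAN_TARGET environment variable, and any extra arguments are forwarded to nmap. It reads the counters with -x so that iptables prints exact byte counts instead of abbreviated ones (without -x, large counters are shown with a K or M suffix), and it removes the accounting rules afterwards. The iptables listing embedded in the script, including the address 192.0.2.10, is a constructed sample used only to exercise the parser without a live scan.

```shell
#!/bin/sh
# Added example (not from the original article). Measures the traffic an nmap
# scan generates by attaching iptables counters to the target address.
# Assumptions: root, iptables and nmap available, target given via SCAN_TARGET.

# Extract "<packets> <bytes>" for the first rule in an `iptables -L <chain> -vnx`
# listing whose source or destination column equals the target IP.
# Column layout of -vnx output: pkts bytes target prot opt in out source destination
counters_for() {
    awk -v ip="$1" 'NR > 2 && ($8 == ip || $9 == ip) { print $1, $2; exit }'
}

# Add the byte fields of two "<packets> <bytes>" strings (INPUT + OUTPUT total).
total_bytes() {
    echo "$1 $2" | awk '{ print $2 + $4 }'
}

# Live measurement: the same four steps as the article, in order.
measure_scan_footprint() {
    target="$1"
    shift
    # Accounting rules only; -s on INPUT (from target), -d on OUTPUT (to target).
    iptables -I INPUT 1 -s "$target" -j ACCEPT
    iptables -I OUTPUT 1 -d "$target" -j ACCEPT
    # Zero the counters so the reading covers only this scan.
    iptables -Z INPUT
    iptables -Z OUTPUT
    nmap "$@" "$target" > /dev/null
    # -x prints exact byte counts rather than values rounded to K/M.
    in_c=$(iptables -L INPUT -vnx | counters_for "$target")
    out_c=$(iptables -L OUTPUT -vnx | counters_for "$target")
    # Remove the accounting rules so the host's ruleset is left as it was.
    iptables -D INPUT -s "$target" -j ACCEPT
    iptables -D OUTPUT -d "$target" -j ACCEPT
    echo "INPUT  (pkts bytes): $in_c"
    echo "OUTPUT (pkts bytes): $out_c"
    echo "total bytes: $(total_bytes "$in_c" "$out_c")"
}

# Constructed sample of `iptables -L OUTPUT -vnx` output (not real scan data),
# used only to demonstrate the parser without root or a live scan.
SAMPLE_OUTPUT='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2004      88176 ACCEPT     all  --  *      *       0.0.0.0/0            192.0.2.10'

if [ -n "${SCAN_TARGET:-}" ]; then
    measure_scan_footprint "$SCAN_TARGET" "$@"
else
    # No target given: parse the constructed sample and print "2004 88176".
    printf '%s\n' "$SAMPLE_OUTPUT" | counters_for 192.0.2.10
fi
```

Run it as, for example, `sudo env SCAN_TARGET=<IP_ADDRESS_TO_SCAN> sh footprint.sh -p 1-4000` to repeat the measurement with a wider port range; without SCAN_TARGET it only parses the embedded sample. Because the rules are inserted at position 1 of each chain, counters_for always finds the accounting rule first even when other rules mention the same address.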

Scanning More Ports

This time, ports 1-4000 were scanned:

Notice that the more ports are scanned, the more traffic is generated.