
NMAP

Port scanning is one of the first reconnaissance techniques used by hackers. It allows them to determine which ports are open, which protocols are running, and even the operating system of a target device. This information is then used to identify potential vulnerabilities.

NMAP is one of the most widely known tools for performing such scans. By detecting NMAP activity, Trapster can alert you at the earliest stage of a potential attack, helping you respond before further compromise occurs.

What This Plugin Does

The NMAP plugin monitors your devices for NMAP scans, including:

  • SYN Scan: Starts the TCP handshake but doesn’t complete it.
  • FIN Scan: Only the FIN flag, which normally signals the end of a TCP connection, is set.
  • NULL Scan: No TCP flags are set.
  • XMAS Scan: FIN, URG, and PSH flags are set.
  • OS Scan: Uses a combination of TCP options, TTL values, and responses to malformed packets to determine the operating system.

These scans send packets to your ports and, based on the responses, can reveal open ports and protocols.

How does this work with Trapster?

Once activated, this plugin uses nftables (the successor to iptables) to log packets that match NMAP scan patterns.

Traffic is not blocked; Trapster simply records scan activity.

Logged information includes:

  • IP address of the scanner
  • List of ports scanned

Note: This allows you to monitor reconnaissance attempts in real-time without impacting normal network traffic.
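The flag combinations listed above can be matched against kernel packet logs to build the same kind of record (scanner IP and ports scanned). The following is an added example, not Trapster's own code: it assumes the Linux netfilter log line format, uses constructed sample lines, and applies a hypothetical threshold of three distinct ports before lone SYN packets count as a scan. OS detection probes are not covered.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Linux netfilter log format (not real traffic).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=36001 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=36001 DPT=110 WINDOW=1024 RES=0x00 URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=36001 DPT=143 WINDOW=1024 RES=0x00 FIN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53 LEN=48
"""

FIELD = re.compile(r"(\w+)=(\S*)")
FLAG_NAMES = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_line(line):
    """Return (src_ip, dst_port, flags) for a TCP log line, else None."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or not fields.get("DPT", "").isdigit():
        return None
    if "SRC" not in fields:
        return None
    # The kernel prints each set TCP flag as a bare word before URGP=.
    flags = frozenset(tok for tok in line.split() if tok in FLAG_NAMES)
    return fields["SRC"], int(fields["DPT"]), flags

def classify(flags):
    """Map a set of TCP flags to the scan types described on this page."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    return None

def summarize(log_text, syn_port_threshold=3):
    """Return {scanner_ip: {scan_type: sorted ports}} for matching packets."""
    seen = defaultdict(lambda: defaultdict(set))
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        src, port, flags = parsed
        kind = classify(flags)
        if kind:
            seen[src][kind].add(port)
    report = {}
    for src, kinds in seen.items():
        # A lone SYN also opens every normal connection, so it only counts
        # when one source probes several distinct ports (assumed threshold).
        hits = {k: sorted(p) for k, p in kinds.items()
                if k != "SYN" or len(p) >= syn_port_threshold}
        if hits:
            report[src] = hits
    return report
```
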

