Cyber Adversary Characterization: Auditing the Hacker Mind

After all this preparation, Sendai is ready to go after the three primary targets. First he must learn as much as possible about them. He starts with an intrusive Nmap scan. Red Hat 9 comes with Nmap 3.00, which is far out of date. Sendai grabs the latest version from www.insecure.org, then compiles and installs it into a directory hidden by Shrax. As for the options, Sendai will use -sS -P0 -T4 -v for the same reasons as for his previous scan. Instead of -F (scan the most common ports), Sendai specifies -p0-65535 to scan all 65,536 TCP ports. He will do UDP ( -sU) and IP-Proto ( -sO) scans later if necessary. Instead of -O for remote OS detection, -A is specified to turn on many aggressive options including OS detection and application version detection. Decoys ( -D) are not used this time because version detection requires full TCP connections, which cannot be spoofed as easily as individual packets. The -oA option is given with a base filename. This stores the output in all three formats supported by Nmap (normal human readable, XML, and easily parsed grepable). Sendai scans the machines one at a time to avoid giving the other organizations an early warning. He starts with the Italian company, leading to the following Nmap output.
# nmap -sS -P0 -T4 -v -A -p0-65535 -oA...