ok. i have the time so here is your info on the NMAP deal. again, this is old for me but maybe new to some of you because this concept is not documented, i had to learn it on my own
so to start off--the ONLY way you will ever spoof an IP and have any real value come of it is to be able to see the data coming back. the only way this can be done is with a direct route back to your subnet. one can either go the strict source route/loose source? or one can take control of router endpoints and create a GRE tunnel, or one can do the easier method which is an ARP poison on your subnet. the other methods i mention are either not used anymore or are almost impossible to perform these days
i will tell you how i did it back then. you can use a tool that creates the gratuitous ARP reply packets (i used one called STERM --a telnet console that performs an ARP hijack used for the session) you can use any tool that will send ARP reply packets. you can do a simple ping scan on your local subnet to see what hosts are available to hijack (ones not in use or ones running that are susceptible to an ARP table poisoning)
after using STERM to create the packet needed (ARP REPLY) you then fire up nmap and set your source as the subnet IP you just "borrowed". you also want to specify your interface, since nmap gets a bit picky about that
the finished product will look like this:
nmap -v -n -sS -reason -max-retries 1 -S (ip of host you are ARP replying w/) -e eth0 (ip to scan)
the flags you see are the ones i use in nmap on a standard basis. keep in mind you are sometimes limited in how long you can "borrow" that IP you are using because the ARP table will eventually refresh or the gateway will eventually respond and cancel out your reply (proxy ARP), in which case you simply go down the list of your subnet IPs and grab another
hope you guys enjoy all that!
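From the defender's side, the technique described in the post leaves a recognizable footprint on the local segment: ARP replies that nobody asked for, and an IP address whose MAC binding suddenly changes. The following is an added example (not code from the original post or from any tool mentioned in it) of a small passive ARP monitor that flags both conditions. The event records, field names (`ts`, `op`, `sip`, `smac`, `tip`) and the `request_window` parameter are assumptions for this example; the sample traffic is constructed, not captured.

```python
"""Passive ARP anomaly detector (added example, not from the original post).

Feeds a list of parsed ARP events through two checks:
  1. unsolicited replies  - a reply for which no request was seen recently
     (this is what a gratuitous / forged ARP reply looks like on the wire)
  2. binding conflicts    - an IP that was previously bound to one MAC now
     claims a different MAC (the effect an ARP poison has on a cache)
"""

# Constructed sample events. Fields: ts (seconds), op, sender ip/mac, target ip.
SAMPLE_ARP_EVENTS = [
    {"ts": 1.0, "op": "request", "sip": "192.168.1.1",  "smac": "aa:bb:cc:00:00:01", "tip": "192.168.1.10"},
    {"ts": 2.0, "op": "reply",   "sip": "192.168.1.10", "smac": "aa:bb:cc:00:00:10", "tip": "192.168.1.1"},
    # same IP now answers with a different MAC, and nobody asked: classic poison signature
    {"ts": 5.0, "op": "reply",   "sip": "192.168.1.10", "smac": "de:ad:be:ef:00:01", "tip": "192.168.1.1"},
    {"ts": 6.0, "op": "request", "sip": "192.168.1.1",  "smac": "aa:bb:cc:00:00:01", "tip": "192.168.1.20"},
    {"ts": 7.0, "op": "reply",   "sip": "192.168.1.20", "smac": "aa:bb:cc:00:00:20", "tip": "192.168.1.1"},
    # unsolicited but consistent with the known binding: lower severity
    {"ts": 9.0, "op": "reply",   "sip": "192.168.1.20", "smac": "aa:bb:cc:00:00:20", "tip": "192.168.1.1"},
]


def analyze(events, request_window=3.0):
    """Return (conflicts, unsolicited) found in a time-ordered list of ARP events.

    conflicts:   list of (ts, ip, old_mac, new_mac)
    unsolicited: list of (ts, ip, mac) for replies with no matching recent request
    request_window: seconds a request stays "pending" for its target IP (assumed value)
    """
    bindings = {}     # ip -> mac last seen claiming it
    pending = {}      # target ip of an outstanding request -> ts of that request
    conflicts = []
    unsolicited = []

    for ev in events:
        if ev["op"] == "request":
            pending[ev["tip"]] = ev["ts"]
            continue

        # A legitimate reply answers a request for the replying IP sent shortly before.
        asked_at = pending.get(ev["sip"])
        if asked_at is None or ev["ts"] - asked_at > request_window:
            unsolicited.append((ev["ts"], ev["sip"], ev["smac"]))
        else:
            pending.pop(ev["sip"], None)

        # Any change in the IP -> MAC binding is worth an alert regardless of solicitation.
        prev_mac = bindings.get(ev["sip"])
        if prev_mac is None:
            bindings[ev["sip"]] = ev["smac"]
        elif prev_mac != ev["smac"]:
            conflicts.append((ev["ts"], ev["sip"], prev_mac, ev["smac"]))
            bindings[ev["sip"]] = ev["smac"]

    return conflicts, unsolicited


if __name__ == "__main__":
    conflicts, unsolicited = analyze(SAMPLE_ARP_EVENTS)
    for ts, ip, old, new in conflicts:
        print(f"[{ts:>5}] CONFLICT {ip}: {old} -> {new}")
    for ts, ip, mac in unsolicited:
        print(f"[{ts:>5}] unsolicited reply from {ip} ({mac})")
```

On the constructed sample, the reply at t=5 is reported both as unsolicited and as a binding conflict, while the t=9 reply is only unsolicited. In practice the same two checks are what switch-side protections such as dynamic ARP inspection and host tools like arpwatch rely on, and the "binding changed" alert is the one that matters most, since a borrowed IP produces exactly that flip on every neighbor's cache.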