How can I scan open ports without being traced back

Depending on the environment of your scan and where the server is located, etc., you may be able to accomplish this using a TCP Idle Scan - http://nmap.org/book/idlescan.html

You could also do your scanning via a proxy http://funoverip.net/2010/11/socks-proxy-servers-scanning-with-nmap/

Both the above methods are more covert but neither is completely untraceable so do consider this.

Also, you should consider the legality of port scanning a system unless you have permission to do so - http://nmap.org/book/legal-issues.html


To 'scan' ports, you need to send traffic to the port to get a response. But, beside Idle Scans and proxies to get other targets to send the traffic for you, there are 2 other covert options to enumerate a target's ports:

  • passive sniffing
  • get the target to tell you

Sniffing the network allows you to view traffic to/from various ports. As sniffing is passive, you could not be traced. This depends on active traffic from ports during the sniffing window.

The other option is most likely outside expectation, but I include it for completeness' sake: once you obtain access to a target, you can query the target to tell you what ports are available. You might get a shell on a vulnerable web server through port 80, then run netstat to see what other ports are listening and on what interfaces. Traffic to the target shell is over normal channels (web traffic) and, although traceable, can easily get lost in the noise. This avenue of enumeration is not to be overlooked.

Both of these options require you to be close to the target or have an exploit vector, but they have been helpful to me in the past.


There are two ways to make the scan nearly untraceable (only if the system under attack hasn't been configured specifically for detecting scans).

  1. perform it over a long time (1 port probe every 24h, or longer, preferably intermixed with legitimate traffic)
  2. perform it using multiple computers (preferably 1 port per computer/IP)

The first one will take a long time (during which the firewall configuration can change) or will require a massive amount of computers (and can hit per-IP blocks instead of port blocks).

Continuing the quantum physics references: this is similar to the Uncertainty Principle ;)
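From the defender's side, the two patterns this answer describes (one source probing one port per day, or many sources each probing one port) are exactly what a classic per-source, short-window port-sweep rule fails to see. The following is an added example, not code from any poster in this thread: it runs two detectors over a constructed firewall drop log (the log format, IP addresses and thresholds are all assumptions made for illustration). The per-source rule with a 60-second window stays silent on both sweeps, while aggregating distinct dropped ports per destination over a 30-day window surfaces both, including the list of sources involved.

```python
"""
Detecting slow and distributed port sweeps from firewall drop logs.

Added example, not part of the original thread. The log format and
the sample lines are constructed for illustration:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <ACCEPT|DROP>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: legitimate 443 traffic, one source probing a new
# closed port on 192.0.2.10 roughly every day, and six different sources
# each probing a single closed port on 192.0.2.20 within a few seconds.
SAMPLE_LOG = """\
2024-03-01T09:00:00 198.51.100.7 192.0.2.10 443 ACCEPT
2024-03-01T09:00:02 198.51.100.8 192.0.2.10 443 ACCEPT
2024-03-01T09:01:00 203.0.113.5 192.0.2.10 22 DROP
2024-03-02T11:15:00 203.0.113.5 192.0.2.10 23 DROP
2024-03-03T08:30:00 203.0.113.5 192.0.2.10 25 DROP
2024-03-04T14:05:00 203.0.113.5 192.0.2.10 110 DROP
2024-03-05T10:45:00 203.0.113.5 192.0.2.10 143 DROP
2024-03-06T16:20:00 203.0.113.5 192.0.2.10 3306 DROP
2024-03-10T12:00:00 203.0.113.41 192.0.2.20 21 DROP
2024-03-10T12:00:01 203.0.113.42 192.0.2.20 22 DROP
2024-03-10T12:00:01 203.0.113.43 192.0.2.20 23 DROP
2024-03-10T12:00:02 203.0.113.44 192.0.2.20 25 DROP
2024-03-10T12:00:02 203.0.113.45 192.0.2.20 80 DROP
2024-03-10T12:00:03 203.0.113.46 192.0.2.20 8080 DROP
2024-03-11T09:00:00 198.51.100.9 192.0.2.10 443 ACCEPT
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_sweeps(events, key, window, threshold):
    """Sliding-window count of distinct dropped ports per aggregation key.

    key:       function mapping an event to its aggregation key
               (source IP for the classic rule, destination IP for the
               rule that catches slow and distributed sweeps)
    window:    timedelta over which distinct ports are accumulated
    threshold: number of distinct dropped ports that raises an alert
    Returns {key: (sorted distinct ports, sorted sources)} for each key
    that crosses the threshold, using the widest matching window.
    """
    drops = sorted((e for e in events if e[4] == "DROP"), key=lambda e: e[0])
    buckets = defaultdict(list)
    for e in drops:
        buckets[key(e)].append(e)

    alerts = {}
    for k, evs in buckets.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ports = {e[3] for e in span}
            if len(ports) >= threshold and (best is None or len(ports) > len(best[0])):
                best = (sorted(ports), sorted({e[1] for e in span}))
        if best is not None:
            alerts[k] = best
    return alerts


def classic_per_source(events):
    """Typical IDS rule: one source hitting >= 5 closed ports within 60 s."""
    return detect_sweeps(events, key=lambda e: e[1],
                         window=timedelta(seconds=60), threshold=5)


def per_destination_long_window(events):
    """Aggregate by target over 30 days, regardless of how many sources probe it."""
    return detect_sweeps(events, key=lambda e: e[2],
                         window=timedelta(days=30), threshold=5)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source / 60 s :", classic_per_source(evs))
    print("per-dest / 30 days:", per_destination_long_window(evs))
```

The trade-off is the one the answer hints at: keying on the destination over a long window catches both the one-port-a-day scanner and the one-port-per-IP botnet, but on an Internet-facing host the same aggregate also collects unrelated background probes, so the threshold has to be tuned per host and the source list in each alert is what lets an analyst tell a coordinated sweep from noise.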