Bugtraqmailing list archives

By Date

By Thread

new tcp scan method

  Hi,        I have uncovered a new tcp port scan method.        Instead all others it allows you to scan using spoofed        packets, so scanned hosts can't see your real address.        In order to perform this i use three well known tcp/ip        implementation peculiarities of most OS:          (1) * hosts reply SYN|ACK to SYN if tcp target port is open,            reply RST|ACK if tcp target port is closed.          (2) * You can know the number of packets that hosts are sending            using id ip header field. See my previous posting 'about the ip            header' in this ml.          (3) * hosts reply RST to SYN|ACK, reply nothing to RST.        The Players:          host A - evil host, the attacker.          host B - silent host.          host C - victim host.        A is your host.        B is a particular host: It must not send any packets while          you are scanning C. There are a lot of 'zero traffic' hosts          in internet, especially in the night :)        C is the victim, it must be vulnerable to SYN scan.        I've called this scan method 'dumb host scan' in honour of host        B characteristics.        How it works:        Host A monitors number of outgoing packets from B using id iphdr.        You can do this simply using hping:#hping B -rHPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms-cut-...        As you can see, id increases are always 1. So this host have the        characteristics that host B should to own.        Now host A sends SYN to port X of C spoofing from B.        (using hping => 0.67 is very easy,http://www.kyuzz.org/antirez)        if port X of C is open, host C will send SYN|ACK to B (yes,        host C don't know that the real sender is A). In this        case host B replies to SYN|ACK with a RST.        If we send to host C a few of SYN it will reply to B with a few        of SYN|ACK, so B will reply to C a few of RST... so        we'll see that host B is sending packets!...-cut-60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms-cut-...        The port is open!        Instead, if port X of C is closed sending to C a few        of SYN spoofed from B, it will reply with RST to B, and        B will not reply (see 3). So we'll see that host B is not sending        any packet:...-cut-60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms-cut-...        The port is closed.        All this can appear complicated to perform, but using two sessions        of hping on Linux virtual consoles or under X makes it more simple.        First session listen host B: hping B -r        Second session send spoofed SYN: hping C -a B -S        Sorry if my english is not so clear.        However this posting is not adequate to describe exaustively        this scan method, so i'll write a paper on this topic, specially        about how to implement this in a port scanner (i.e. nmap), and        about players characteristics and OS used.happy new year,antirez--Salvatore SanfilippoIntesis SECURITY LAB            Phone: +39-02-671563.1Via Settembrini, 35             Fax: +39-02-66981953I-20124 Milano  ITALY           Email: antirez () seclab com

By Date

By Thread

Current thread:

• OSS nice tmp raceStefan Laudat (Dec 16)
  • wordperfect 8 for linux securityEdsel Adap (Dec 18)
    • new tcp scan methodantirez (Dec 17)
    • Re: wordperfect 8 for linux securityDug Song (Dec 18)
    • Re: wordperfect 8 for linux securityKeith Owens (Dec 18)
    • Irc: another funny stuff. In some irc clients dcc may be hijacked.awgn () COSMOS IT (Dec 19)
    • ValueClick CGI VulnerabilityPhilip Stoev (Dec 19)
    • FTP.SODRE.NET Hacked... Eggdrop Modified..Geoffrey Huntley (Dec 19)
      • Re: FTP.SODRE.NET Hacked... Eggdrop Modified..Matt Hallacy (Dec 19)
    • ip header id patched.awgn () COSMOS IT (Dec 19)
    • ValueClickEllen (Dec 19)
  • Re: OSS nice tmp racePavel Kankovsky (Dec 18)
    • Re: OSS nice tmp raceDr. Mudge (Dec 18)
(Thread continues...)