Hi, I have uncovered a new tcp port scan method. Instead all others it allows you to scan using spoofed packets, so scanned hosts can't see your real address. In order to perform this i use three well known tcp/ip implementation peculiarities of most OS: (1) * hosts reply SYN|ACK to SYN if tcp target port is open, reply RST|ACK if tcp target port is closed. (2) * You can know the number of packets that hosts are sending using id ip header field. See my previous posting 'about the ip header' in this ml. (3) * hosts reply RST to SYN|ACK, reply nothing to RST. The Players: host A - evil host, the attacker. host B - silent host. host C - victim host. A is your host. B is a particular host: It must not send any packets while you are scanning C. There are a lot of 'zero traffic' hosts in internet, especially in the night :) C is the victim, it must be vulnerable to SYN scan. I've called this scan method 'dumb host scan' in honour of host B characteristics. How it works: Host A monitors number of outgoing packets from B using id iphdr. You can do this simply using hping: #hping B -r HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms -cut- ..
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:36 PDT