idlescan (ip.id portscanner)

From: LiquidK (liquidkat_private)
Date: Fri Dec 03 1999 - 11:20:46 PST


    	Hello,
    	Almost a year ago antirez made a post on bugtraq about a new
    portscanning method. For reference:
    	http://www.securityfocus.org/templates/archive.pike?list=1&date=1998-12-15&msg=19981218074757.A990at_private
    
    	For those who want to know the technical details read the former post
    or read the README file that comes with the scanner package.
    	I haven't seen any practical implementation of the scan, so I decided
    to write one to see how usable the method is in the real world. I reached
    the conclusion that this method is indeed quite usable (although a little slow,
    to account for packet propagation time).
    	The main purpose of this program is to show the dangers of predictable
    ip.id packet numbering, so just don't expect a full-blown scanner.
    	To run this program you will have to be able to reach one or more idle
    machines.  Almost any device with an ip network interface will do: either
    printers, switches, routers, windows or un*x with low network traffic, etc...
    but the current idlescan does not cope with some tcp stack implementations.
    Of course... you cannot use an OpenBSD for this ;)
    	For the sake of simplicity I am calling the idle machines we are using
    as the fake source of the scans "sensors".
    	By using this type of scanner, an attacker is able to fake portscans
    that appear to come from the sensors, and is able to do it with a large
    network of distributed sensors, thus making it appear to the target that the
    attack is coming from a lot of different machines.
    	If you don't understand how the method works, then don't bother
    downloading idlescan. This is only meant as a demonstration of some of the
    problems that come when you have a tcp/ip stack that has predictable ip.id
    increments. Don't forget as well that I bear no responsibility for the use of
    this program, you are on your own.
    
    
    usage:
    	idlescan sensor1,sensor2,sensor3,... target [ -p port-range ]
    
    download sites:
            http://superbofh.org/idlescan/
            http://www.hackers-pt.org/ptstuff/
    
    	Greetings and Thanks (in no particular order):
    	antirez, kossak, fatzu, daz, the superbofh team, HPT, among many others
    not cited here.
    
    
    
    Cheers,
    LiquidK
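The probe / spoofed-SYN / probe exchange that the post relies on, as an added in-process simulation. This is not LiquidK's idlescan and not antirez's code, and it sends nothing on the wire: the sensor and target stacks are modelled as Python objects, the sensor's stack is assumed to take ip.id from a single counter incremented by one per datagram, to answer an unsolicited SYN/ACK with a RST and to drop an unsolicited RST, and every class, function and address below is invented for the example. The `noise` field models a sensor that is not actually idle, which is the failure mode the post's "low network traffic" requirement is about.

```python
"""Simulated ip.id idle scan (antirez's method). Added illustration only:
not LiquidK's idlescan and not antirez's code. Nothing is sent on the wire;
sensor and target stacks are modelled in-process, and all names/addresses
are invented for this example."""
from dataclasses import dataclass


@dataclass
class Sensor:
    """Idle host ("sensor"/zombie). Assumption: its stack sets ip.id from
    one global counter, +1 per datagram sent, answers an unsolicited SYN/ACK
    with a RST and drops an unsolicited RST. `noise` = datagrams the host
    sends on its own between our two probes (a sensor that is not idle)."""
    ip: str
    ipid: int = 1000
    noise: int = 0

    def emit(self) -> int:
        """Send one datagram; return the ip.id it carried (16-bit wrap)."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def on_synack(self) -> int:
        # Unsolicited SYN/ACK: stack answers with RST, consuming one ip.id.
        return self.emit()

    def on_rst(self) -> None:
        # Unsolicited RST is dropped silently: no datagram, ip.id unchanged.
        return None


@dataclass
class Target:
    ip: str
    open_ports: set

    def on_spoofed_syn(self, dport: int, sensor: Sensor) -> None:
        """SYN whose source address was forged as the sensor's: the reply,
        whatever it is, goes to the sensor, never to the real scanner."""
        if dport in self.open_ports:
            sensor.on_synack()   # open: SYN/ACK -> sensor replies RST (+1)
        else:
            sensor.on_rst()      # closed: RST -> sensor stays quiet (+0)


def probe(sensor: Sensor) -> int:
    """Scanner -> sensor: SYN/ACK; the RST that comes back reveals ip.id."""
    return sensor.on_synack()


def classify(delta: int) -> str:
    """ip.id distance between the two probe replies (16-bit modular).
    1: only our own second probe was answered        -> port closed
    2: the sensor also RSTed a SYN/ACK from the target -> port open
    anything else: the sensor was not idle, result unusable."""
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"


def idle_scan(sensors: list, target: Target, ports: list) -> dict:
    """Scan `ports` on `target`, rotating through `sensors` so the target's
    logs show SYNs from every sensor address and none from the scanner.
    Returns {port: (state, sensor_ip_used)}."""
    results = {}
    for i, port in enumerate(ports):
        s = sensors[i % len(sensors)]
        before = probe(s)
        target.on_spoofed_syn(port, s)          # forged src = s.ip
        for _ in range(s.noise):                # sensor's own traffic, if any
            s.emit()
        after = probe(s)
        results[port] = (classify((after - before) & 0xFFFF), s.ip)
    return results


if __name__ == "__main__":
    # Constructed scenario: two sensors, one of them about to wrap ip.id.
    sensors = [Sensor("192.0.2.10"), Sensor("192.0.2.11", ipid=0xFFFE)]
    target = Target("192.0.2.1", open_ports={22, 80})
    for port, (state, via) in idle_scan(sensors, target, [22, 23, 80, 81]).items():
        print(f"port {port}: {state} (seen by target as coming from {via})")
    # A busy sensor: the extra datagrams hide the +1 we are looking for.
    print(idle_scan([Sensor("192.0.2.12", noise=3)], target, [22]))
```

The second sensor starts at ip.id 0xFFFE so the run also exercises the 16-bit wrap: a probe reply of 0xFFFF followed by one of 0 must still count as a delta of 1. In a real scan the two probes are separated by the round trip scanner-to-target-to-sensor, which is why the post calls the method slow: probe too early and the target's SYN/ACK has not reached the sensor yet, so an open port looks closed.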
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:52 PDT