RE: Spoofed scans

From: Joshua Wright (jwrightat_private)
Date: Wed Jan 09 2002 - 04:52:15 PST


    One should note that the example is not using "sequence numbers", but
    instead using the IP ID field.  Sequence numbers would (should) not be as
    predictable.  IP ID numbers _should_ not be so predictable, but try telling
    Microsoft that.
    
    Also check out the Pixie scanning tool, designed to perform this in an
    automated fashion at http://www.bursztein.net/secu/pixie.html.  The source
    file is actually a gzip'd file, although it only has a .tar extension.
    
    -Joshua Wright, GCIH
    Team Leader, Networks and Systems
    Johnson & Wales University
    Joshua.Wrightat_private 
    
    pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    
    
    
    -----Original Message-----
    From: Gideon Lenkey [mailto:glenkey@infotech-nj.com]
    Sent: Tuesday, January 08, 2002 12:23 PM
    To: Paul M. Tiedemann
    Cc: incidentsat_private
    Subject: RE: Spoofed scans
    
    
    Since it seems to be in question, I'd like to address third party stealth
    scanning in more detail as some folks might not be fully aware of its
    capabilities.
    
    The basic technique goes as follows: our bad guy MAL wants to scan his
    target ADENA for an open TCP port 22. He doesn't want any record of his
    connecting, so he finds a 'quiet' (meaning little or no traffic going to
    or from) computer preferably on a dial-up or DSL, we'll call this machine
    PATSY. His plan is to get relative sequence numbers from PATSY while
    spoofing TCP SYN packets to ADENA's TCP port 22 with PATSY as the source
    address. If 22 is open ADENA will reply to PATSY and MAL will notice a
    spike in MAL relative sequence numbers. MAL is pretty clever, so he not
    only spoofs packets from PATSY but also a random mix of other spoofed
    source addresses. MAL gets his information and his IP never talks to
    ADENA.
    
    Using hping as an example:
    
    First find (a) PATSY, a nice Windows machine idling on a DSL line is
    the perfect mark.
    
    ---------------------------------------------------------------------
    [root@foo]# hping -r PATSY
    HPING PATSY (eth0 PATSY): NO FLAGS are set, 40 headers + 0 data bytes
    len=46 ip=PATSY flags=RA seq=0 ttl=128 id=63510 win=0 rtt=10.2 ms
    len=46 ip=PATSY flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.7 ms
    len=46 ip=PATSY flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
    len=46 ip=PATSY flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.6 ms
    len=46 ip=PATSY flags=RA seq=4 ttl=128 id=+256 win=0 rtt=0.7 ms
    ---------------------------------------------------------------------
    
    You'll notice the 'id=+256' field indicates steady increments in sequence
    numbers (Viva la Windows).
    
    Now spoof the source address of the scan and watch relative sequence
    numbers 'id=+'.
    
    ---------------------------------------------------------------------
    [root@foo]# hping ADENA -a PATSY -S -p 22
    ---------------------------------------------------------------------
    
    Nothing comes directly back because the source address is spoofed, but
    look at our session pinging PATSY. See the spike in the id field from 256
    to 512? Port 22 is open on ADENA. No spike means a closed port.
    
    ---------------------------------------------------------------------
    len=46 ip=PATSY flags=RA seq=51 ttl=128 id=+256 win=0 rtt=0.7 ms
    len=46 ip=PATSY flags=RA seq=52 ttl=128 id=+256 win=0 rtt=0.7 ms
    -> len=46 ip=PATSY flags=RA seq=53 ttl=128 id=+512 win=0 rtt=0.7 ms <-
    -> len=46 ip=PATSY flags=RA seq=54 ttl=128 id=+512 win=0 rtt=0.7 ms <-
    -> len=46 ip=PATSY flags=RA seq=55 ttl=128 id=+512 win=0 rtt=0.7 ms <-
    -> len=46 ip=PATSY flags=RA seq=56 ttl=128 id=+512 win=0 rtt=0.7 ms <-
    len=46 ip=PATSY flags=RA seq=57 ttl=128 id=+256 win=0 rtt=0.7 ms
    ---------------------------------------------------------------------
    
    When you add the possibility that the machines are half a world apart,
    tracking becomes, well, difficult even if you're an optimist.
    
    The bottom line is, the attacker might not be in the group of IPs you
    observe scanning you.
    
    For a more detailed treatment of this technique see:
    
    	http://rr.sans.org/audit/hping2.php
    
    --Gideon
    
    On Mon, 7 Jan 2002, Paul M. Tiedemann wrote:
    
    /* A couple of words on spoofing should be mentioned.  Spoofing is almost
    /* always associated with dos attacks because the very act of spoofing means
    /* that they will not be receiving any packets back to their real ip address.
    /* I know there are ways to use spoofing to obscure the scanning machine but
    /* usually one of the ip addresses is the offender.  If you think the process
    /* through with port scanning it just doesn't make sense that the originating
    /* machine would not wish to receive any information about what ports are open
    /* on your machine.  That being said I think that if you are actually being
    /* port scanned you will find that one of the ip addresses you will see is the
    /* originating machine.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
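As an added example (not code from the thread, from hping or from Pixie), a small Python script that parses `hping -r` output in the format quoted above, so an administrator can audit whether one of their own hosts has a predictable IP ID counter (a usable PATSY) and spot the `id=+512` spikes that mean the host is answering traffic it did not originate. The sample lines and the host name PATSY are constructed.

```python
import re

# Constructed sample in the format of the 'hping -r PATSY' output quoted above:
# a steady +256 step, then a burst of +512 while the host is answering
# somebody else's spoofed SYNs.
SAMPLE_HPING = """\
len=46 ip=PATSY flags=RA seq=50 ttl=128 id=63510 win=0 rtt=10.2 ms
len=46 ip=PATSY flags=RA seq=51 ttl=128 id=+256 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=52 ttl=128 id=+256 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=53 ttl=128 id=+512 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=54 ttl=128 id=+512 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=55 ttl=128 id=+512 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=56 ttl=128 id=+512 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=57 ttl=128 id=+256 win=0 rtt=0.7 ms
"""

# hping prints the first id as an absolute value and later ones as '+N' steps.
LINE_RE = re.compile(r"\bseq=(\d+)\b.*?\bid=(\+?)(\d+)\b")

def parse_hping(text):
    """Return (seq, step) pairs; step is None for an absolute-id line."""
    recs = []
    for m in LINE_RE.finditer(text):
        seq, relative, value = int(m.group(1)), m.group(2) == "+", int(m.group(3))
        recs.append((seq, value if relative else None))
    return recs

def idle_step(records):
    """Quietest observed step (256 for the Windows host in the thread), or None."""
    steps = [s for _, s in records if s is not None]
    return min(steps) if steps else None

def classify_host(records):
    """'predictable' when every step is a multiple of one constant nonzero step
    (a usable PATSY); an OS that randomizes the IP ID field is 'unpredictable'."""
    step = idle_step(records)
    if step is None:
        return "unknown"
    if step > 0 and all(s % step == 0 for _, s in records if s is not None):
        return "predictable"
    return "unpredictable"

def spikes(records):
    """(seq, extra_packets) for probes where the host sent more than our probe explains."""
    step = idle_step(records)
    if not step:
        return []
    return [(seq, s // step - 1) for seq, s in records if s is not None and s > step]
```

Run it against a capture of your own host: a "predictable" verdict is the finding to fix (upgrade or enable IP ID randomization), and spikes on an otherwise idle host are worth correlating with your perimeter logs.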



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:37:19 PST