RE: Blind IP spoofing portscan tool?

From: Yonatan Bokovza (Yonatanat_private)
Date: Thu Jun 14 2001 - 06:13:26 PDT


    For the fast readers, two introductions to this
    subject are at:
    http://www.securiteam.com/securitynews/A_new_stealth_port_scanning_method.html
    and at:
    http://www.sans.org/infosecFAQ/audit/hping2.htm
    They both refer to hping:
    http://www.kyuzz.org/antirez/hping.html
    
    and I remember at least one tool that's designed
    to do exactly that scan:
    http://packetstorm.securify.com/UNIX/scanners/6thSense.tgz
    
    IP_ID is a field in the IP packet header that is meant
    to be different for every fragment of packet, thereby
    helping the receiver to defrag a fragmented packet.
    
    Most OSs just increment it for every outgoing packet.
    OpenBSD, of course, randomizes that. Linux kernel
    2.4 (IIRC) uses an IP_ID of zero whenever the packet doesn't
    need fragmentation and sets the DF flag on. So if
    fragmentation is needed an
    ICMP_FragNeededButDon'tFragBitWasSet is
    received and the packet is resent, fragmented.
    FreeBSD has a patch, here:
    http://people.freebsd.org/~kris/ipid.patch . I
    don't know if it's committed yet, or ever will be.
    Windows has (yet again) a peculiarity: it uses a
    different byte ordering for the IP_ID, so you can
    use that as another method to identify Windows.
    Regarding other OSs, you're welcome to enlighten me.
    
    > -----Original Message-----
    > From: Curt Wilson [mailto:netw3at_private]
    > Sent: Thursday, June 14, 2001 00:05
    > To: pen-testat_private
    > Subject: Blind IP spoofing portscan tool?
    > 
    > 
    > In the mailing for the Black Hat briefings, there is 
    > mention of a "blind IP spoofing portscan tool" or 
    > something along those lines. I'm curious about this 
    > tool, what is its name and what is the mechanism by 
    > which it works? I'd guess that it's something involving 
    > other elements of the IP stack or some tool that uses 
    > a 3rd party system to check IP ID's, sequence 
    > numbers, ICMP responses or something along those 
    > lines.
    > 
    > I'd be interested to know more information, please 
    > share if you have this knowledge.
    > 
    > PS - I'm moving to Chicago soon and looking for a 
    > good security job, anyone got any leads?
    > 
    > Curt Wilson
    > netw3at_private
    > 
    
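The reply above describes four IP_ID generation styles (simple increment, random, constant zero with DF set, and incrementing in the other byte order). The following is an added example, not code from the thread or from hping/6thSense: it takes a short run of IP_ID values observed in replies from one of your own hosts and classifies the generator, so an administrator can tell whether a host is predictable enough to be abused as the third-party "zombie" in the blind scan Curt asks about. The sample sequences are constructed inline, nothing is sent on the wire, and the "small increment" threshold of 16 is an assumption chosen for this example (a quiet host sending few other packets between probes).

```python
"""Classify how a host fills the 16-bit IP Identification field.

Added example for the pen-test thread above; not part of the original post.
Input is a list of IP_ID values as they appeared on the wire (network byte
order), taken from consecutive replies to probes sent to the host.
"""
from typing import List

MASK = 0xFFFF          # IP_ID is a 16-bit field
MAX_STEP = 16          # assumption: a quiet host advances by at most this
                       # much between two consecutive probe replies


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (undo a host-order IP_ID)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def deltas(ids: List[int], swap: bool = False) -> List[int]:
    """Differences between consecutive IDs, modulo 2^16 so that a wrap
    from 0xFFFF to 0x0000 still counts as a step of 1."""
    vals = [byteswap16(v) if swap else v & MASK for v in ids]
    return [(b - a) & MASK for a, b in zip(vals, vals[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return one of: 'zero', 'incremental', 'incremental-byteswapped',
    'random'.

    'zero'                    -> constant 0 (the Linux 2.4 DF behaviour
                                 described in the thread); nothing to predict.
    'incremental'             -> +1..MAX_STEP per packet; predictable.
    'incremental-byteswapped' -> +1..MAX_STEP once the bytes are swapped
                                 (the Windows peculiarity); predictable.
    'random'                  -> anything else (e.g. OpenBSD).
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a pattern")
    if all((v & MASK) == 0 for v in ids):
        return "zero"
    if all(1 <= d <= MAX_STEP for d in deltas(ids)):
        return "incremental"
    if all(1 <= d <= MAX_STEP for d in deltas(ids, swap=True)):
        return "incremental-byteswapped"
    return "random"


def is_predictable(ids: List[int]) -> bool:
    """True when a third party could infer how many packets the host sent
    between two probes, i.e. the host should have IP_ID randomised."""
    return classify_ipid(ids).startswith("incremental")


if __name__ == "__main__":
    # Constructed samples, one per generator style discussed in the thread.
    samples = {
        "typical incrementing stack": [0x1000, 0x1001, 0x1002, 0x1003],
        "incrementing, host byte order": [0x0100, 0x0200, 0x0300, 0x0400],
        "zero with DF set": [0, 0, 0, 0],
        "randomised": [0x1A2B, 0x9F01, 0x0333, 0x7777],
        "incrementing across wrap": [0xFFFE, 0xFFFF, 0x0000, 0x0001],
    }
    for name, ids in samples.items():
        print(f"{name:32s} {classify_ipid(ids):24s} "
              f"predictable={is_predictable(ids)}")
```

Run it against IP_IDs captured from your own hosts (tcpdump's `id` field in the IP header is enough); any host that comes back "incremental" or "incremental-byteswapped" is the kind of third party the scan relies on, and the fix on the host side is the randomisation the thread credits to OpenBSD and the FreeBSD patch.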



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 10:39:56 PDT