Re: Blind IP spoofing portscan tool?

From: Chris Winter (cwinterat_private)
Date: Thu Jun 14 2001 - 07:26:29 PDT


    I think SixthSense may be what you are referring to.  It's available at
    packetstorm, and other such places.
    
    Here is the readme from the tarball:
    
    
    
    SixthSense.pl
    
    A while back antirez, in a post to Bugtraq, detailed a new TCP portscan
    method.
    
    This method allows one to portscan a host, using spoofed packets, while
    remaining totally invisible to the scanned host < almost as if u had a 6th
    sense ;) >.
    
    The details of the scan (almost totally stolen from antirez's original post)
    work as follows...
    
    (A) When an open  TCP port receives a SYN, it replies with a SYN|ACK
        When a closed TCP port receives a SYN, it replies with a RST|ACK
    
    (B) When a host receives an unknown SYN|ACK, it replies with a RST
        When a host receives an unknown RST,     it replies with nothing
    
    (C) You can tell the number of packets a host is sending by reading the ID
    value in the IP header
    
    What this means....
    
    We send 4 packets to our dummy host, to port 0, with no TCP flags set, and
    make a note of the incoming IP IDs
    
    ***************************************
    
    Scanning Dumb Host (for Dumbness)
     33144
     33145
     33146
     33147
    
    ***************************************
    
    If the incoming IDs do not show a consistent increase, the host is not dumb
    enough to suit our purposes, and the scan aborts.
    
    If the incoming IDs show a constant single increment, then it is safe to
    assume that the dummy host is not actively talking/communicating to any
    other host (at this point in time)
    
    We then send a spoofed packet (SYN) to our target host, on our target port,
    on behalf of our Dummy.
    
    ***************************************
    
    We Have a consistent 1 increment host
    *** Injecting Spoofed Packet ***
    
    ***************************************
    
    and once more track the incoming IP IDs
    
    ***************************************
    
     33148
     33150
     33152
     33156
    
    ***************************************
    
    Now, if the target port was closed, it would have replied with a RST <as
    mentioned in (A) earlier> and our Dummy would have responded with nothing
    <as mentioned in (B)>.
    But, if the target port was open, it would have replied with a SYN|ACK (A),
    causing our Dummy to reply with a RST. Dummy's IP ID count will now
    increase, as it has been forced into conversation with Target.
    
    ***************************************
    
    *** Yup looks like 22 is open on 196.10.XXX.38 ***
    
    ***************************************
    
    As mentioned before, all credit to antirez, for his initial discovery of the
    scan... SixthSense.pl just automates (what still is) a tedious process..
    
    (SixthSense requires Net::RawIP, run ==> perl -MCPAN -e shell ==> install
    Net::RawIP   )
    
    
    HTH,
    
    Chris
    
    
    -------------------------------------------------------------------
      Chris Winter
      Consultant
      Security Practice
      Mentor Technologies
      cwinterat_private
    -------------------------------------------------------------------
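The README above hinges on one observation: a host whose IP ID field grows by a constant step between your probes is idle and sequential, so any extra increment means it talked to someone else. The following is an added example, not SixthSense.pl or any code from the post, written from the defender's side: feed it IP IDs sampled from one of your own hosts to find out whether that host exhibits the sequential behaviour the scan depends on (the fix is a stack that randomises IP IDs). The two sample sequences are the ones printed in the README; the function names are my own.

```python
# Added example (not part of the original post or of SixthSense.pl): a
# defender-side audit of the IP ID behaviour the README relies on. Given
# IP IDs observed from one of your own hosts, it reports whether the host
# increments the field by a constant step (the "dumb" host in the README)
# and, for a second sample, how many packets it sent to third parties in
# between. The mitigation on such a host is randomised IP IDs.

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo 2**16, so that a
    counter wrapping from 65535 back to 0 still reads as +1."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def constant_step(ids):
    """Return the per-packet increment if every delta is identical and
    non-zero, else None. A step of 1 is the README's idle, sequential-ID
    host; None means the host is busy or randomises its IDs, so it gives
    an observer nothing to count."""
    deltas = ipid_deltas(ids)
    if len(deltas) < 2:
        return None  # too few samples to call the increase consistent
    step = deltas[0]
    if step == 0 or any(d != step for d in deltas):
        return None
    return step


def foreign_packets(ids, step):
    """Packets the host sent to someone other than us between probes,
    given its known per-packet step. Each probe of ours accounts for one
    step; anything beyond that is traffic we did not cause, e.g. the RSTs
    the README's Dummy emits when an unexpected SYN|ACK arrives."""
    extra = 0
    for d in ipid_deltas(ids):
        if d % step:
            raise ValueError("delta %d is not a multiple of step %d" % (d, step))
        extra += d // step - 1
    return extra


# Constructed samples, copied from the two traces shown in the README.
BASELINE = [33144, 33145, 33146, 33147]
AFTER_PROBE = [33148, 33150, 33152, 33156]

if __name__ == "__main__":
    step = constant_step(BASELINE)
    print("step:", step)                                   # 1 -> sequential
    print("foreign:", foreign_packets(AFTER_PROBE, step))  # 5 -> host was talking
```

A host that returns a step of 1 from the baseline sample is exactly the kind of box the README wants to find; a None result from the same check is what you want to see on your own network.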
    



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 10:49:36 PDT