Basically the tool that I am going to present is based on antirez's ideas. But I have developed a tool that is usable in the real world by adding packet round-trip calculations (to optimize speed) and doing multiple retries on positives (to minimize false positives).

The reason for my presentation is that this technique is very efficient, especially in fooling IDS systems, and until now there has been very little fuss about this technique. So I just wanted to demonstrate the technique to the broad public. My talk will focus mostly on the basic technique and how I got around all the false positives.

I work quite a lot with IDS monitoring and I have seen this technique used in the wild on several occasions. So at least some black hat hackers already have tools like this, so I thought it was time to share an open source tool with the security community.

The tool is written under Windows 2000. The reason for this is that I wanted to learn their raw socket implementation, and the fact that more and more people are using 2k as their prime pen testing platform. I am right now working with ifdefs to get it to compile under Linux.

The tool will be released on the first day of BH. I will post the URL here when it is released.

I haven't had a chance to look at Filipe's tool yet as I can't seem to download it.

----- Original Message -----
From: "Filipe Almeida" <filipeat_private>
To: <netw3at_private>; <pen-testat_private>
Sent: Friday, June 15, 2001 4:31 AM
Subject: RE: Blind IP spoofing portscan tool?
>
> An interesting article on this:
> http://www.sans.org/infosecFAQ/intrusion/spoof.htm
>
> My post to bugtraq:
> http://www.securityfocus.com/templates/archive.pike?list=1&mid=37272
>
> And antirez's post:
> http://www.securityfocus.com/templates/archive.pike?list=1&mid=11581
>
> --
> Filipe Almeida <filipeat_private>
> Aka LiquidK
>
> > -----Original Message-----
> > From: netw3at_private [mailto:netw3at_private]
> > Sent: Wednesday, June 13, 2001 22:05
> > To: pen-testat_private
> > Subject: Blind IP spoofing portscan tool?
> >
> > In the mailing for the Black Hat briefings, there is
> > mention of a "blind IP spoofing portscan tool" or
> > something along those lines. I'm curious about this
> > tool: what is its name and what is the mechanism by
> > which it works? I'd guess that it's something involving
> > other elements of the IP stack or some tool that uses
> > a 3rd party system to check IP IDs, sequence
> > numbers, ICMP responses or something along those
> > lines.
> >
> > I'd be interested to know more information, please
> > share if you have this knowledge.
> >
> > PS - I'm moving to Chicago soon and looking for a
> > good security job, anyone got any leads?
> >
> > Curt Wilson
> > netw3at_private
>
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 13:14:43 PDT