LaBrea

From: John Lampe (j_lampeat_private)
Date: Sun Oct 14 2001 - 06:39:28 PDT


    Anyone experiencing troubles scanning through "LaBrea tarpitted" networks?  Does anyone see any value in adding a check which looks for tarpits (perhaps a modification of ping_host.nasl or some other preliminary nasl check)?  The code below has been working moderately well....
    
    John Lampe
    
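    # LaBrea tarpit probe.  Completes a TCP handshake against an arbitrary
    # high port and looks for the two tell-tale responses of a tarpit: a tiny
    # advertised window on the SYN-ACK, then a zero window (persist mode) once
    # a byte of data has been sent.  Sends raw packets only and returns nothing;
    # on a hit it writes "Host/dead" to the KB so later checks skip the host
    # (NOTE(review): same key ping_host.nasl uses -- confirm that is the intended
    # effect for a tarpitted address rather than a separate "tarpit" key).
    src = this_host();
    dst = get_host_ip();
    sport=3133;
    dport=16504;
    init_seq=2357;
    init_ip_id = 1234;
    # Capture only replies from the target addressed to our probe socket.  A
    # bare "src port" filter would also match unrelated traffic from any host
    # that happens to use the same source port during the 2 s window.
    filter = string("src host ", dst, " and src port ", dport, " and dst port ", sport);
    
    #our initial SYN packet
    ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,
                         ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                         ip_src:src, ip_dst:dst);
    
    
    tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                         th_flags:TH_SYN, th_seq:init_seq,th_ack:0,
                         th_x2:0, th_off:5, th_win:2048, th_urp:0);
    
    
    rep =  send_packet(pcap_active : TRUE,
                        pcap_filter : filter,
                        pcap_timeout : 2,
                        tcp);
    
    # No SYN-ACK within the timeout: nothing to examine, and nothing to
    # conclude (a silent host is not a tarpit).  Without this guard the TCP
    # fields below are read out of an empty reply.
    if (!rep) exit(0);
    
    winsize = get_tcp_element(tcp:rep, element:"th_win");
    # A SYN-ACK advertising a 10-byte window is treated as LaBrea's signature
    # (per the author's testing) -- NOTE(review): a real stack with a small
    # window would be marked dead too; verify against the LaBrea version in use.
    if (winsize == 10) {
        display ("Labrea found\n");
        set_kb_item(name:"Host/dead", value:TRUE);
    }
    
    seq = get_tcp_element(tcp:rep, element:"th_seq");
    ack = get_tcp_element(tcp:rep, element:"th_ack");
    
    
    if (seq && ack) {
    
      myack = seq + 1;
      init_seq = init_seq + 1;
      init_ip_id = init_ip_id + 1;
    
    
      #our ACK to their SYN-ACK
      ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,
                         ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                         ip_src:src, ip_dst:dst);
    
      tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                         th_flags:TH_ACK, th_seq:init_seq,th_ack:myack,
                         th_x2:0, th_off:5, th_win:2048, th_urp:0);
    
    
      # rep2 is never inspected; a pure ACK normally draws no reply, so this
      # call mostly waits out the 2 s pcap timeout.
      rep2 =  send_packet(pcap_active : TRUE,
                        pcap_filter : filter,
                        pcap_timeout : 2,
                        tcp);
    
      # handshake is complete
      # read in their window size
      # if they are in persist mode, we should now probe for window size
    
      # Each IP datagram gets a fresh ip_id (the ACK's id was reused before).
      init_ip_id = init_ip_id + 1;
    
      ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,
                         ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                         ip_src:src, ip_dst:dst);
    
      # One byte of payload: a tarpit will ACK it and then hold the window shut.
      tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                         th_flags:TH_ACK, th_seq:init_seq,th_ack:myack,
                         th_x2:0, th_off:5, th_win:2048, th_urp:0, data:"H");
    
    
    
      rep3 =  send_packet(pcap_active : TRUE,
                        pcap_filter : filter,
                        pcap_timeout : 2,
                        tcp);
    
      # The data probe may simply time out; nothing to decide in that case.
      if (!rep3) exit(0);
    
      ack = get_tcp_element(tcp:rep3, element:"th_ack");
      winsize = get_tcp_element(tcp:rep3, element:"th_win");
      # Our byte was ACKed but the peer now advertises a zero window: this is
      # the persist-mode behaviour a tarpit uses to hold the connection open.
      if ( (winsize==0) && (ack) ) {
          display("Labrea found\n");
          set_kb_item(name:"Host/dead", value:TRUE);
      }
    }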
    
    
    
    
    
    
    
    
    John Lampe
    https://f00dikator.hn.org/
    


