Bugtraq mailing list archives
idlescan (ip.id portscanner)
From: liquidk () SUPERBOFH ORG (LiquidK)
Date: Fri, 3 Dec 1999 19:20:46 +0000
Hello,

Almost a year ago antirez made a post on bugtraq about a new portscanning method. For reference:

http://www.securityfocus.org/templates/archive.pike?list=1&date=1998-12-15&msg=19981218074757.A990 () seclab com

For those who want to know the technical details read the former post or read the README file that comes with the scanner package.

I haven't seen any practical implementation of the scan, so I decided to write one to see how usable the method is in the real world. I reached the conclusion that this method is indeed quite usable (although a little slow to account for packet propagation time).

The main purpose of this program is to show the dangers of predictable ip.id packet numbering, so just don't expect a full-blown scanner.

To run this program you will have to be able to reach one or more idle machines. Almost any device with an ip network interface will do: printers, switches, routers, windows or un*x with low network traffic, etc... but the current idlescan does not cope with some tcp stack implementations. Of course... you cannot use an OpenBSD for this ;)

For the sake of simplicity I am calling the idle machines we are using as the fake source of the scans "sensors". By using this type of scanner, an attacker is able to fake portscans that appear as coming from the sensors, and is able to do it with a large network of distributed sensors, thus making it appear to the target that the attack is coming from a lot of different machines.

If you don't understand how the method works, then don't bother downloading idlescan. This is only meant as a demonstration of some of the problems that come when you have a tcp/ip stack that has predictable ip.id increments. Don't forget as well that I bear no responsibility for the use of this program, you are on your own.

usage: idlescan sensor1,sensor2,sensor3,... target [ -p port-range ]

download sites:

http://superbofh.org/idlescan/
http://www.hackers-pt.org/ptstuff/

Greetings and Thanks (in no particular order): antirez, kossak, fatzu, daz, the superbofh team, HPT, among many others not cited here.

Cheers,
LiquidK
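The post's point is that a stack whose ip.id field is a predictable global counter can be used as a "sensor" by someone else. The quickest way for an administrator to know whether one of their own printers, switches or hosts is in that position is to look at the ip.id values that device puts in its replies and see whether they form a constant-step counter. The following is an added example, not LiquidK's idlescan and not from the original post. It assumes you have already collected a short list of ip.id values from one device (for instance from a packet capture of its replies to a few pings, one value per reply, in the order observed); the sample sequences inside the block are constructed for illustration and the classification thresholds are the author's own choice.

```python
"""Classify a device's observed ip.id sequence (added example, not idlescan).

Labels returned by classify_ipid():
  "zero"        every reply carried ip.id 0 (stack does not use the counter)
  "incremental" constant small step: a predictable global counter, and the
                device was idle while sampled -> exactly the kind of host the
                post calls a usable "sensor"; fix the stack or isolate it
  "busy"        small positive but uneven steps: still a predictable counter,
                but other traffic is interleaved with the samples
  "random"      large or non-monotonic jumps: randomized ip.id, not usable
"""
from typing import List, Optional, Tuple

IPID_MOD = 0x10000  # the IP identification field is 16 bits wide


def ipid_deltas(ids: List[int]) -> List[int]:
    """Successive differences, taken modulo 2^16 so wrap-around is a +1 step."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int], noise_limit: int = 512) -> Tuple[str, Optional[int]]:
    """Return (label, detail) for an observed ip.id sequence.

    detail is the step for "incremental", the largest step for "busy",
    0 for "zero" and None for "random". noise_limit (constructed threshold)
    separates "a few extra packets in between" from "randomized field".
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return ("zero", 0)
    # A constant step of 1 is the classic counter; 256 is the same counter
    # written in host byte order by stacks that swap the two bytes.
    if all(d == deltas[0] for d in deltas) and deltas[0] <= noise_limit:
        return ("incremental", deltas[0])
    if all(0 < d <= noise_limit for d in deltas):
        return ("busy", max(deltas))
    return ("random", None)


def usable_as_sensor(ids: List[int]) -> bool:
    """True when the device is both predictable and idle: the case to fix."""
    return classify_ipid(ids)[0] == "incremental"


# Constructed sample sequences, one per device, as they might be read off
# a capture of ICMP echo replies (these are not real captures).
SAMPLES = {
    "printer":      [65533, 65534, 65535, 0, 1],      # +1 counter, wraps cleanly
    "old-windows":  [0x0100, 0x0200, 0x0300, 0x0400],  # +256 byte-swapped counter
    "file-server":  [100, 103, 104, 110],              # counter, but has traffic
    "openbsd-box":  [0x1F3A, 0x9C21, 0x0A77, 0xE002],  # randomized ip.id
    "df-only-host": [0, 0, 0, 0],                      # never uses the field
}


def audit(samples=SAMPLES) -> dict:
    """Classify every sampled device; returns {name: (label, detail)}."""
    return {name: classify_ipid(ids) for name, ids in samples.items()}


if __name__ == "__main__":
    for name, (label, detail) in audit().items():
        flag = "  <-- predictable and idle" if label == "incremental" else ""
        print(f"{name:14s} {label:12s} {detail!s:>6}{flag}")
```

Running the block prints one line per sampled device; the two "incremental" devices are the ones whose stack an administrator would want patched to randomize ip.id (or replaced), since any remote party can read their counter the same way. The "busy" case is worth a second look too: the counter is still predictable, the device merely happened to be talking to something else during the sample.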