Bugtraq mailing list archives

idlescan (ip.id portscanner)


From: liquidk () SUPERBOFH ORG (LiquidK)
Date: Fri, 3 Dec 1999 19:20:46 +0000


        Hello,
        Almost a year ago antirez made a post on bugtraq about a new
portscanning method. For reference:
        http://www.securityfocus.org/templates/archive.pike?list=1&date=1998-12-15&msg=19981218074757.A990 () seclab com

        For those who want to know the technical details read the former post
or read the README file that comes with the scanner package.
        I haven't seen any practical implementation of the scan, so I decided
to write one to see how usable the method is in the real world. I reached
the conclusion that this method is indeed quite usable (although a little slow
to account for packet propagation time).
        The main purpose of this program is to show the dangers of predictable
ip.id packet numbering, so just don't expect a full-blown scanner.
        To run this program you will have to be able to reach one or more idle
machines.  Almost any device with an ip network interface will do: either
printers, switches, routers, windows or un*x with low network traffic, etc...
but the current idlescan does not cope with some tcp stack implementations.
Of course... you cannot use an OpenBSD for this ;)
        For the sake of simplicity I am calling the idle machines we are
using as the fake source of the scans "sensors".
        By using this type of scanner, an attacker is able to fake portscans
that appear as coming from the sensors, and is able to do it with a large
network of distributed sensors, so that it appears to the target that the
attack is coming from a lot of different machines.
        If you don't understand how the method works, then don't bother
downloading idlescan. This is only meant as a demonstration of some of the
problems that come when you have a tcp/ip stack that has predictable ip.id
increments. Don't forget as well that I bear no responsibility for the use of
this program, you are on your own.

usage:
        idlescan sensor1,sensor2,sensor3,... target [ -p port-range ]

download sites:
        http://superbofh.org/idlescan/
        http://www.hackers-pt.org/ptstuff/

        Greetings and Thanks (in no particular order):
        antirez, kossak, fatzu, daz, the superbofh team, HPT, among many others
not cited here.

Cheers,
LiquidK
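
Added example (not part of the original post and not idlescan's code): a defender-side check of the property the post warns about, classifying how a host you administer numbers its ip.id field from the IDs captured in consecutive replies. The function names, the sample ID lists and the max_step tolerance are assumptions made for this illustration.

```python
# Added example: classify a host's 16-bit IP ID assignment from IDs observed
# in consecutive replies. All sample values below are constructed.

def deltas(ids):
    """Differences between consecutive IDs modulo 2**16, so wraparound is handled."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def byteswap(value):
    """Swap the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)

def classify_ipid(ids, max_step=10):
    """Return 'constant', 'incremental', 'incremental-byteswapped' or 'unpredictable'.

    max_step (assumed tolerance) is the largest per-reply step still treated
    as a global counter; steps above 1 mean the host sent other packets
    between our samples.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if any(not 0 <= v <= 0xFFFF for v in ids):
        raise ValueError("IP ID is a 16-bit field")
    d = deltas(ids)
    if all(x == 0 for x in d):
        return "constant"          # e.g. always 0: nothing to predict
    if all(1 <= x <= max_step for x in d):
        return "incremental"       # global counter: predictable
    # Some stacks increment the counter in host byte order, so the IDs seen
    # on the wire grow by 256; undo the swap and test again.
    if all(1 <= x <= max_step for x in deltas([byteswap(v) for v in ids])):
        return "incremental-byteswapped"
    return "unpredictable"         # randomised or per-destination IDs

# Constructed samples, one per class.
SAMPLES = {
    "wrapping counter": [65533, 65534, 65535, 0, 1],
    "byte-swapped counter": [0xFE01, 0xFF01, 0x0002, 0x0102],
    "always zero": [0, 0, 0, 0],
    "randomised": [41231, 907, 60112, 23345, 5],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name:22s} -> {classify_ipid(ids)}")
```

A host that comes out as "incremental" or "incremental-byteswapped" has the predictable ip.id numbering the post describes; "constant" and "unpredictable" do not.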

