IP ID could allow to scan a masquerade network.

["Elie aka \"Lupin\" Bursztein" <elie () bursztein net>]

Hello,

I was working on a new implementation of the IPID scann (also known has
idle scan in the nmap man page or  pixie-scan as i call it)
During my test I think I discover a new way to use this type of scan :

Synopsis
 -------------

Using the gateway of a masquerade network as a witness (relay host) for the 
Pixie-scan,
allow remote scanning of the private network.

Details
-----------

On some stack implementation the IP ID field is incremental so by sending a 
spoofed SYN
packet to the gatway from a private network box and by comparing after the 
IP ID value
you could remotely know witch service are open on this intranet  computer 
even if this one is masquerade.
Of course the pixie-scan is a well known technique but this is this 
utilisation that is new.
For more detail about the pixie-scan i have written a paper witch will  be 
available around tomorow
evening at the following url : http://www.bursztein.net/secu/pixie.html

Affected version
-----------------------

I have tested the pixie-scan against with success :

- Win 2K service pack
- 3com Netbuilder

unsuccessfull attempt :

- Linux 2.4.x



sincerly,

Elie aka "Lupin" Bursztein
___________________________
icq  : 32228319
mail : secu () bursztein net
web  : www.bursztein.net/secu
___________________________
"He feel safe and at this very moment, i was lost... "