Full Disclosure mailing list archives

Re: Spoof tricks & Tips ?


From: Tim <tim-security () sentinelchicken org>
Date: Mon, 5 Dec 2005 20:57:38 -0500

Hello Mark Sec,


Well, I'm testing a server and I need to scan all the ports evading IDS, IPS; I don't want my real IP to be seen.


Try reading your documentation more thoroughly.


~> man nmap
...
       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows
              for  a  truly  blind  TCP port scan of the
              target (meaning no packets are sent to the
              target   from   your   real  IP  address).
              Instead,  a  unique  side-channel   attack
              exploits predictable "IP fragmentation ID"
              sequence generation on the zombie host  to
              glean  information about the open ports on
              the target.  IDS systems will display  the
              scan as coming from the zombie machine you
              specify (which must be up and meet certain
              criteria).   I  wrote  an  informal  paper
              about this technique  at  http://www.inse-
              cure.org/nmap/idlescan.html .

              Besides   being  extraordinarily  stealthy
              (due to its blind nature), this scan  type
              permits  mapping  out IP-based trust rela-
              tionships  between  machines.   The   port
              listing shows open ports from the perspec-
              tive of the zombie host.  So you  can  try
              scanning  a  target  using various zombies
              that  you  think  might  be  trusted  (via
              router/packet  filter  rules).   Obviously
              this is crucial information  when  priori-
              tizing  attack  targets.   Otherwise,  you
              penetration testers might have  to  expend
              considerable  resources "owning" an inter-
              mediate system, only to find out that  its
              IP   isn't  even  trusted  by  the  target
              host/network you are ultimately after.

              You can add a colon  followed  by  a  port
              number  if  you wish to probe a particular
              port on the zombie host for IPID  changes.
              Otherwise  Nmap  will use the port it uses
              by default for "tcp pings".
...



tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
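The man page excerpt above hinges on one property of the zombie host: predictable "IP fragmentation ID" sequence generation. The corresponding check on the defending side is to look at the IP IDs your own hosts emit and find any whose counter is predictable, because such a host can end up blamed for scans it never ran. The following script is an added example, not code from the original post or from the nmap project; the sample sequences are constructed, and the classification thresholds (MAX_STEP, MIN_SAMPLES, the category names) are this example's own assumptions, only loosely modelled on the "IP ID Sequence Generation" line that nmap -O prints.

```python
"""Classify a host's IP ID sequence generation from observed IDs.

Added example (not from the original post or from nmap). Feed it the IP
header ID field of consecutive packets seen from each host; it reports
which hosts generate IDs predictably enough that an outsider could read
their traffic volume off the counter, which is what an idle scan relies on.
"""
from typing import Dict, Iterable, List

# Assumed thresholds (this example's own, not nmap's): an "incremental"
# generator advances by at most MAX_STEP per observed packet, and we refuse
# to judge a host on fewer than MIN_SAMPLES observations.
MAX_STEP = 10
MIN_SAMPLES = 4

# Categories treated as predictable. A "constant" ID leaks nothing about
# how many packets the host sent, so it is deliberately not in this set.
PREDICTABLE = {"incremental", "broken-little-endian-incremental"}


def ipid_deltas(ids: Iterable[int]) -> List[int]:
    """Successive differences modulo 2**16, so 65535 -> 0 counts as a step of 1."""
    seq = list(ids)
    for value in seq:
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"IP ID out of 16-bit range: {value}")
    return [(b - a) % 0x10000 for a, b in zip(seq, seq[1:])]


def classify_ipid(ids: Iterable[int]) -> str:
    """Return 'constant', 'incremental', 'broken-little-endian-incremental'
    or 'randomized' for the observed sequence."""
    seq = list(ids)
    if len(seq) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} IP IDs, got {len(seq)}")
    deltas = ipid_deltas(seq)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_STEP for d in deltas):
        return "incremental"
    # Some stacks keep a global counter but write it to the wire in host
    # (little-endian) byte order, so the high byte advances: steps of 256, 512, ...
    if all(d % 256 == 0 and 256 <= d <= MAX_STEP * 256 for d in deltas):
        return "broken-little-endian-incremental"
    return "randomized"


def at_risk_hosts(observations: Dict[str, List[int]]) -> List[str]:
    """Sorted names of hosts whose IP ID generation is predictable."""
    return sorted(
        host for host, ids in observations.items()
        if classify_ipid(ids) in PREDICTABLE
    )


# Constructed sample data: host -> IP IDs of consecutive packets it emitted.
SAMPLE_OBSERVATIONS = {
    "10.0.0.5": [4101, 4102, 4103, 4104, 4105, 4106],        # old embedded stack
    "10.0.0.9": [256, 512, 768, 1024, 1280, 1536],           # little-endian counter
    "10.0.0.12": [53102, 1774, 29811, 60234, 8821, 44310],   # randomized IDs
    "10.0.0.20": [0, 0, 0, 0, 0, 0],                         # always zero
}

if __name__ == "__main__":
    for host, ids in SAMPLE_OBSERVATIONS.items():
        print(f"{host:10s} {classify_ipid(ids)}")
    print("predictable:", at_risk_hosts(SAMPLE_OBSERVATIONS))
```

In practice the ID values come from a capture: `tcpdump -v` prints each packet's IP header with an `id NNNN` field, so a handful of packets per host is enough input. The wraparound handling matters because a counter that has just crossed 65535 still steps by one, and the separate "constant" category keeps a host that always sends ID 0 from being reported as a concern, since its counter cannot be read to infer anything.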

