Nmap Development mailing list archives
Semi-Idle Scanning... thoughts?
From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Sat, 11 Aug 2007 00:50:41 -0400
Hey Guys, I'm new to the nmap-dev list, but I wanted to run an idea by you guys. Essentially, I thought I'd put a twist on idle scanning to expand its practical use. Sorry for being lazy, but below is a blog posting about the idea. Please let me know your thoughts.

Semi-Idle Scanning <http://www.cyberwart.com/blog/2007/08/10/semi-idle-scanning/>
August 10th, 2007

The concept of idle scanning has been around for quite a while. I'm not sure how many people really understand it, but the basic principle is to send a SYN packet to a target host with the spoofed source IP of an idle host and watch the IPID field. Generally the IPID increments by one every time a host gets a packet. If a host is known to be idle, then the IPID increases by one if the target responds with a SYN-ACK to the packet. The details of this can be found at http://insecure.org/nmap/idlescan.html

However, it's been my experience that most hosts are very seldom *really* idle. Far more often they tend to be *almost* idle. This screws up idle scanning, but idle scanning should still work in principle, though you have to be a little trickier. Instead of waiting for a host to become idle, ping it regularly and establish a "heartbeat". If the heartbeat is fairly stable you can perform what I'm calling *semi-idle scanning*. Instead of sending one spoofed packet, send a statistically significant burst. If the heartbeat increases sufficiently, then you know the target host responded to the semi-idle host and therefore the port was open.

Right now I've only significantly tested this with hping2, but I'm working on writing a wrapper around nmap's idle_scan.c. Currently it seems to work, but I'm only thresholding the values rather than using statistics. Really, I should compute the average heartbeat and the standard deviation. Then send a burst and see if I exceed the deviation. In this case, the host doesn't even really need to be semi-idle; traffic only needs to be statistically constant.

However, this method is fairly slow, so anything beyond "semi-idle" is REALLY slow. Thoughts? Comments? Source code to come shortly...

Thanks for any help you can provide.

--
Matthew Wollenweber
mwollenweber () gmail com | mjw () cyberwart com
www.cyberwart.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
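The decision logic sketched in the post (calibrate a heartbeat, send a burst, call the port open if the IPID jump exceeds the baseline by more than the measured deviation) as an added, offline example; this is not the author's wrapper nor code from nmap's idle_scan.c, and it sends no packets. The IPID samples are constructed by hand. The model follows nmap's idle scan write-up in assuming the semi-idle host bumps its IPID once per packet it sends, so every SYN/ACK the target returns to a spoofed SYN elicits one RST and one extra increment. The z = 3 cutoff, the "at least half the burst" sanity check, and the assumption that background increments are independent across heartbeat intervals are choices made for this example, not anything the post specifies.

```python
"""Semi-idle scan decision logic, modelled offline (added example, no packets sent)."""
import math
import statistics


def ipid_deltas(samples):
    """Per-interval IPID increments between consecutive heartbeat probes.

    IPID is a 16-bit counter, so the subtraction is masked to survive a wrap.
    """
    return [(b - a) & 0xFFFF for a, b in zip(samples, samples[1:])]


def heartbeat(samples):
    """Mean and population std. dev. of the background increment per interval."""
    deltas = ipid_deltas(samples)
    return statistics.mean(deltas), statistics.pstdev(deltas)


def classify(mean, stdev, ipid_before, ipid_after, burst, intervals=1, z=3.0):
    """Decide open vs closed/filtered from the IPID movement across one burst.

    `burst` spoofed SYNs go to a single target port; the burst window spans
    `intervals` heartbeat intervals. Background increments are assumed to be
    independent per interval (an assumption of this example), so the expected
    background is mean*intervals with noise stdev*sqrt(intervals). The port is
    called open only if the excess over background is statistically
    significant (more than z sigmas) AND large enough to plausibly be RSTs
    elicited by the burst (at least half the burst, a cutoff chosen here).
    Idle scanning cannot tell closed from filtered, hence the joint label.
    """
    observed = (ipid_after - ipid_before) & 0xFFFF
    expected = mean * intervals
    noise = stdev * math.sqrt(intervals)
    excess = observed - expected
    if excess > z * noise and excess >= burst / 2:
        return "open"
    return "closed|filtered"


def scan_port(samples, ipid_before, ipid_after, burst, intervals=1):
    """Calibrate on the heartbeat samples, then classify one port."""
    mean, stdev = heartbeat(samples)
    return classify(mean, stdev, ipid_before, ipid_after, burst, intervals)


# Constructed heartbeat: the semi-idle host sends 3-4 packets per probe
# interval on its own, so a single spoofed SYN would be lost in the noise.
HEARTBEAT = [1000, 1003, 1007, 1010, 1014, 1017, 1021, 1024, 1028]

if __name__ == "__main__":
    mean, stdev = heartbeat(HEARTBEAT)  # 3.5 and 0.5 for the sample above
    # Open port: 20 SYNs -> 20 SYN/ACKs -> 20 RSTs on top of ~4 background.
    print("open case:   ", scan_port(HEARTBEAT, 1028, 1052, burst=20))
    # Closed port: target RSTs the zombie, which ignores it; only background moves.
    print("closed case: ", scan_port(HEARTBEAT, 1028, 1031, burst=20))
    # The open case again, with the 16-bit counter wrapping mid-burst.
    print("wrap case:   ", scan_port(HEARTBEAT, 65530, 18, burst=20))
```

Two caveats the post hints at but does not spell out: the burst window usually spans more than one heartbeat interval, so the background has to be scaled (the `intervals` argument), and the decision needs both a significance test and a magnitude check, otherwise a very regular zombie (stdev near zero) would flag a single stray background packet as an open port.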