Nmap Development mailing list archives
"Idle scan" using fragment cache
From: David Fifield <david () bamsoftware com>
Date: Tue, 26 Aug 2014 22:44:52 -0700
I learned of a neat new technique for an idle-like scan (that doesn't actually require the zombie to be idle). It was in work by Jeffrey Knockel and Jed Crandall presented at the FOCI workshop this year. It uses the IP fragment cache, where fragments wait until they can be reassembled. The scanning host first salts the target with fragments bearing different IP IDs, spoofed as if they come from the zombie. It then spoofs large echo requests from the target back to the zombie; the packets are large enough that the replies will be fragmented. The zombie replies to the echo requests with fragmented echo replies, using its own per-destination IP ID counter. If any of those replies happens to have the same IP ID as one of the previously planted probes in the cache, then it completes the packet and the probe is removed from the cache. A follow-up step measures how many cache entries were removed. After some iteration of this process you can learn the zombie's IP ID counter value.

https://www.usenix.org/conference/foci14/workshop-program/presentation/knockel
https://www.usenix.org/system/files/conference/foci14/foci14-knockel.pdf

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
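The mechanism described above, as an added in-memory simulation that is not part of David Fifield's post or of the Knockel and Crandall paper: it models the target's reassembly cache as a set keyed by (source, destination, IP ID), lets a modelled zombie stamp replies from a per-destination sequential counter, and recovers that counter using only the number of cache entries that disappear per round. No packets are sent; the names `Zombie`, `FragmentCache` and `infer_counter` and the hosts "zombie" and "target" are constructed for illustration. A zombie with randomized IP IDs is included so the difference between the two ID policies is visible.

```python
"""Toy model of the fragment-cache idle scan (constructed for illustration, no network I/O).

The defender's takeaway: a per-destination sequential IP ID counter is a
side channel that a shared reassembly cache exposes to a third party.
Randomized IP IDs leave the same measurement with nothing to converge on.
"""
import random

ID_SPACE = 65536  # the IP ID field is 16 bits wide


class Zombie:
    """Host whose per-destination IP ID counter an observer tries to learn."""

    def __init__(self, start, randomize=False, seed=1):
        self.counter = start % ID_SPACE
        self.randomize = randomize
        self.rng = random.Random(seed)  # deterministic for the sake of the example

    def reply_id(self):
        """IP ID stamped on the zombie's next (fragmented) echo reply to the target."""
        if self.randomize:
            return self.rng.randrange(ID_SPACE)
        value = self.counter
        self.counter = (value + 1) % ID_SPACE
        return value


class FragmentCache:
    """The target's reassembly cache: fragments waiting for their other half.

    Real caches key on (src, dst, protocol, ID); protocol is omitted here.
    """

    def __init__(self):
        self.waiting = set()

    def flush(self):
        """Model fragment timeouts between rounds."""
        self.waiting.clear()

    def plant(self, src, dst, ip_ids):
        """Fragments that claim to come from src land here and wait."""
        for ip_id in ip_ids:
            self.waiting.add((src, dst, ip_id % ID_SPACE))

    def receive_fragment(self, src, dst, ip_id):
        """A new fragment arrives. If its counterpart is waiting, the datagram
        reassembles and the entry leaves the cache; otherwise it waits too."""
        key = (src, dst, ip_id)
        if key in self.waiting:
            self.waiting.remove(key)
            return True
        self.waiting.add(key)
        return False

    def count(self):
        return len(self.waiting)


def infer_counter(zombie, cache, zombie_ip="zombie", target_ip="target"):
    """Binary-search the zombie's next IP ID using only 'how many entries vanished'.

    Invariant: the ID the zombie will use next lies in [lo, hi). Each round
    plants the lower half of that range, elicits one reply, and observes whether
    an entry was removed. Because the counter advances by one per reply, the
    surviving half is shifted by one before the next round.
    """
    lo, hi = 0, ID_SPACE
    while hi - lo > 1:
        cache.flush()
        mid = (lo + hi) // 2
        cache.plant(zombie_ip, target_ip, range(lo, mid))
        before = cache.count()
        cache.receive_fragment(zombie_ip, target_ip, zombie.reply_id())
        removed = before - cache.count()  # +1 on a hit, -1 on a miss
        if removed == 1:
            lo, hi = lo + 1, mid + 1
        else:
            lo, hi = mid + 1, hi + 1
    return lo % ID_SPACE


def prediction_holds(zombie, cache):
    """True if the inferred value is exactly the ID the zombie uses next."""
    predicted = infer_counter(zombie, cache)
    return zombie.reply_id() == predicted


if __name__ == "__main__":
    sequential = Zombie(start=12345)
    print("sequential zombie, prediction correct:", prediction_holds(sequential, FragmentCache()))
    randomized = Zombie(start=12345, randomize=True)
    print("randomized zombie, prediction correct:", prediction_holds(randomized, FragmentCache()))
```

Sixteen rounds (log2 of the ID space) suffice against the sequential zombie; each round needs only the count of removed entries, which is all the post says the follow-up measurement yields. Against the randomized zombie the same procedure still returns a number, but it no longer predicts anything, which is why randomized IP IDs are the standard mitigation for this family of side channels.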