Penetration Testing mailing list archives

Re: Inverse Mapping Layout Through Scapy


From: "Aditya K Sood" <zeroKnock () metaeye Org>
Date: Fri, 2 Mar 2007 09:48:32 -0500 (EST)


Hi ced,
            It's very nice to have your response.
I'll get to your points one by one.

0xa] First of all, inverse mapping, according to the standard, is a
technique to check whether the host is alive or running services. This
is accomplished by sending a Reset flag to the destination. The
reset flag relates to an almost connection-closed state. This means
if the host is alive or has services, the host responds with
nothing or an error message. Nothing tells us the host is alive
and some services are running. An error message says the host is down.
This is the overall layout.

0xb] When we get to scapy, the port I used is open at the target.
So I checked against it with a reset packet; scapy works it in a
different way. If you look, I used the sr command instead of send, which
means I am going after send and receive at the same time.

   Look at this:
          send(<command stat>)
          ans,unans=srloop(<command stats>)
          ans.summary() --> gets you to the answer to the packet sent.
          unans.summary() --> gets you to the unanswered responses.

Since the sending of the packet is going from the sender and it's failing
because no "RA" or other response is generated, the packet is totally
failed or getting rejected. This gives us an intimation regarding the
host being alive and running services. The packet should fail in most cases.

0xc] The question of padding: I used it just as raw data to be
attached, to check whether it has some implications or not, or whether
it is changing the output stats.

Example: For a SYN scan, if you set an "S" packet with the same stats you will
get "SA". If you try "F", the closed port will reset it and the open
port will not respond.






On Tuesday 27 February 2007 at 04:23 +0530, Aditya Sood wrote:
Want to know your views about Inverse mapping with padding through
scapy. I have recently put a blog entry
http://zeroknock.blogspot.com/2007/02/inverse-mapping-via-packet-crafting.html
Throw more views in this aspect.

Can you please be more specific about what you mean by "inverse
mapping" ? I'm not familiar with this, and thus I don't get what you're
trying to show by adding/removing *raw data* to your TCP RST...

Especially, what do you mean by "there's a skip in packet from the other
side" ? Is it related to the one out of two "blank lines", that is in
fact written using black color (shown with <- below) and thus being
invisible on your black background ?

srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/"XXXXXXXX")
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
send...
Sent 9 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:9 ICMP:0
Other:0>)

If so, you should switch to Bob Marley display:

      >>> conf.color_theme=RastaTheme()

Then try again :)

Note that IP()/TCP()/"XXXXXXXXX" adds "XXXXXXXXX" as raw TCP data. If
you want to add padding, then you have to use the Padding method:

      IP()/TCP()/Padding("XXXXXXXXX")

Then you'll get something slightly different:

srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/Padding("XXXXXXXXXX"))
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
send...
Sent 8 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:8 ICMP:0
Other:0>)


BTW, Scapy is indeed a wonderful tool.


Regards.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Cansecwest/core07 *WiFi (in)Security* Security Masters Dojo, Vancouver
http://cansecwest.com/dojowifi.html (Scapy WiFi programming included ;)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




-- 
Aditya K sood
MetaEye Security Group.
[MSG]http://www.metaeye.org
[Zknk]http://zeroKnock.metaeye.Org
[Blog]http://zeroknock.blogspot.com
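The Raw-versus-Padding distinction in the quoted reply, worked through in plain Python as an added example (not code from either poster, and it does not use scapy): the builder below constructs the same IP/TCP RST probe by hand, treating "raw" bytes the way scapy's Raw layer does (inside the IP total length and covered by the TCP checksum) and "padding" bytes the way scapy's Padding layer does (appended after the datagram, outside both). The endpoints and ports are the ones from the quoted srloop session; the checksum helpers are written here for the example.

```python
import struct

# Constructed sample values: endpoints and ports taken from the quoted srloop
# session (172.16.134.22:ftp-data -> 216.239.59.147:www); nothing is sent.
SRC, DST, SPORT, DPORT = "172.16.134.22", "216.239.59.147", 20, 80

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_rst_probe(src, dst, sport, dport, raw=b"", padding=b""):
    """IPv4/TCP(flags=R) probe as bytes.
    'raw' mimics scapy's Raw layer: inside the IP total length and the TCP
    checksum. 'padding' mimics scapy's Padding layer: appended after the
    datagram, outside both the length field and the checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # TCP header: seq/ack 0, data offset 5 words, flags 0x04 = RST, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x04, 8192, 0, 0)
    segment = tcp + raw
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(segment))
    tcp_csum = ones_complement_sum(pseudo + segment)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    # IPv4 header: ihl 5, total length covers header + TCP segment only, ttl 64
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                     1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + raw + padding

def ip_total_length(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]

def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum the way a receiver does: over the bytes
    inside the IP total length only, so trailing padding is never examined."""
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:ip_total_length(pkt)]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0
```

Both variants are 48 bytes on the wire, but only the Raw variant carries a TCP payload the receiver actually parses and checksums; the Padding bytes fall outside the IP total length and are discarded unread, which is why the two srloop runs above can look identical in the summary yet differ in what the target examines.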
