Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 8 May 2007 19:15:18 +0200
Sorry for the late reply; it took me a while to conduct my research. I know the thread is officially closed, yet I hope the mods will approve of this as my closing statement.

On 2007-04-17 Daniel Miessler wrote:
> On Apr 17, 2007, at 12:28 PM, Ansgar -59cobalt- Wiechers wrote:
>>> So if I'm scanning a class B for port 22 in order to unleash a
>>> zero-day exploit, how do you propose I differentiate between the
>>> dead network space (i.e. there's nothing there) vs. the systems that
>>> just SEEM to not be there because I get no response?
>>
>> You differentiate by the fact that for the former you *do* get a
>> response (destination-unreachable), whereas for the latter you don't.
>> Please read up on how TCP/IP actually works.
>
> Yes, we're aware of the basics here, and now I ask that you scan a
> class B and see if for every system that's NOT there you get back an
> ICMP message like you're supposed to. I think you'll find that reality
> doesn't correlate well with the RFC on this matter.
I took the liberty of performing a scan of 217.0.0.0/8. The results were as follows:

Total addresses: 65536
Echo reply: 5458
Destination host unreachable: 3456
Destination net unreachable: 11908
Destination protocol unreachable: 1
Destination port unreachable: 3
Time to live exceeded: 4462
Source quench: 18
Packet filtered: 949
No reply: 39281

It looks like about 60% of the hosts/routers on that address range don't respond with any kind of ICMP message. Though that's not an actual violation of RFC 791, it makes troubleshooting a lot harder and still doesn't make a host appear as if it weren't there.
> Getting back proper ICMP responses from "somewhere upstream" is hit
> and miss, and therefore unreliable as a true indicator of a "hiding
> system".
True, but beside the point. Only when you receive a "destination unreachable" message do you truly know the host is not there. In any other case chances are it *is* there and just isn't responding properly (for whatever reason). So, if I were to attack an address range, I'd just throw my exploit at every address for which I hadn't received a "destination unreachable".

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
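The tally above is the kind of breakdown a network owner can run against a sweep of their own address space to see how much of it answers with a definitive ICMP "destination unreachable" and how much stays silent. The following is an added example, not code from the thread or from either poster. It assumes a constructed, simplified log with one probed address per line, in the form "<ip> <icmp-type> <icmp-code>" or "<ip> -" for no reply (real ping or scanner output would need its own parser), and it maps RFC 792 type/code pairs to the labels Linux ping prints. The present/absent/unknown verdicts are this example's own reading of the reply semantics: net/host unreachable come from a router that has no route or no neighbour for the address, port/protocol unreachable are generated by the host itself, and a filter verdict or a silent address proves nothing either way.

```python
from collections import Counter

# Constructed sample log (not real scan data): "ip type code" or "ip -".
SAMPLE_LOG = """\
192.0.2.1 0 0
192.0.2.2 -
192.0.2.3 3 1
192.0.2.4 3 0
192.0.2.5 11 0
192.0.2.6 3 13
192.0.2.7 -
192.0.2.8 3 3
192.0.2.9 4 0
192.0.2.10 -
"""

# RFC 792 (type, code) pairs and the labels Linux ping prints for them.
ICMP_LABELS = {
    (0, 0): "Echo reply",
    (3, 0): "Destination net unreachable",
    (3, 1): "Destination host unreachable",
    (3, 2): "Destination protocol unreachable",
    (3, 3): "Destination port unreachable",
    (3, 13): "Packet filtered",
    (4, 0): "Source quench",
    (11, 0): "Time to live exceeded",
}

# What each reply proves about the probed address (this example's assumption).
VERDICT = {
    "Echo reply": "present",
    "Destination protocol unreachable": "present",  # sent by the host itself
    "Destination port unreachable": "present",      # sent by the host itself
    "Destination net unreachable": "absent",        # router has no route
    "Destination host unreachable": "absent",       # router got no neighbour
    "Packet filtered": "unknown",                   # a filter answered, not the host
    "Source quench": "unknown",
    "Time to live exceeded": "unknown",             # an intermediate hop answered
    "No reply": "unknown",
}


def parse_line(line):
    """Return (ip, label) for one log line."""
    parts = line.split()
    ip = parts[0]
    if parts[1] == "-":
        return ip, "No reply"
    key = (int(parts[1]), int(parts[2]))
    return ip, ICMP_LABELS.get(key, f"Other ICMP type {key[0]} code {key[1]}")


def summarize(log_text):
    """Count reply labels and verdicts; report the share of unresolved addresses."""
    counts = Counter()
    verdicts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, label = parse_line(line)
        counts[label] += 1
        verdicts[VERDICT.get(label, "unknown")] += 1
    total = sum(counts.values())
    return {
        "total": total,
        "replies": dict(counts),
        "verdicts": dict(verdicts),
        "unknown_share": verdicts["unknown"] / total if total else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for label, n in sorted(summary["replies"].items(), key=lambda kv: -kv[1]):
        print(f"{label}: {n}")
    print(f"Unresolved: {summary['unknown_share']:.0%} of {summary['total']} addresses")
```

The "unknown" bucket is the one worth watching when auditing your own range: every address in it is one where a silent drop or an upstream filter has replaced the definitive answer, which is exactly what makes troubleshooting harder without making the host any less present.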