Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 8 May 2007 19:15:18 +0200

Sorry for the late reply, it took me a while to conduct my research. I
know the thread is officially closed, yet I hope the mods will approve
of this as my closing statement.

On 2007-04-17 Daniel Miessler wrote:
> On Apr 17, 2007, at 12:28 PM, Ansgar -59cobalt- Wiechers wrote:
> > > So if I'm scanning a class B for port 22 in order to unleash a
> > > zero-day exploit, how do you propose I differentiate between the
> > > dead network space (i.e. there's nothing there) vs. the systems that
> > > just SEEM to not be there because I get no response?
> >
> > You differentiate by the fact that for the former you *do* get a
> > response (destination-unreachable), whereas for the latter you don't.
> >
> > Please read up on how TCP/IP actually works.
>
> Yes, we're aware of the basics here, and now I ask that you scan a
> class B and see if for every system that's NOT there you get back an
> ICMP message like you're supposed to. I think you'll find that
> reality doesn't correlate well with the RFC on this matter.

I took the liberty to perform a scan of 217.0.0.0/8. The results were as
follows:

Total addresses:                  65536

Echo reply:                        5458
Destination host unreachable:      3456
Destination net unreachable:      11908
Destination protocol unreachable:     1
Destination port unreachable:         3
Time to live exceeded:             4462
Source quench:                       18
Packet filtered:                    949
No reply:                         39281

It looks like about 60% of the hosts/routers on that address range don't
respond with any kind of ICMP message. Though that's not an actual
violation of RFC 791, it makes troubleshooting a lot harder and still
doesn't make a host appear as if it weren't there.

> Getting back proper ICMP responses from "somewhere upstream" is hit
> and miss, and therefore unreliable as a true indicator of a "hiding
> system".

True, but beside the point. Only when you receive a "destination
unreachable" message do you truly know the host is not there. In any
other case chances are it *is* there and just isn't responding properly
(for whatever reason). So, if I were to attack an address range, I'd just
throw my exploit at every address for which I hadn't received a
"destination unreachable".

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
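The classification the post argues for (an echo reply means a host is present, a destination-unreachable means it is absent, silence or a filtered/TTL-exceeded answer means nothing either way) can be written down as a small audit script. The following is an added example, not code from the original thread; the probe records are constructed sample data, not real scan output, and the function names are my own. It maps ICMP type/code pairs (RFC 792, plus code 13 from RFC 1812) to the labels used in the post's table, then to a three-state verdict. One refinement beyond the post's wording: protocol- and port-unreachable messages are generated by the destination host itself, so they are counted as evidence that the host is present rather than absent. Run on a record of your own address range, it shows how many of your addresses merely look absent without actually proving it.

```python
"""Audit ICMP probe outcomes: which addresses are provably absent, which are
present, and which just did not answer. Added example with constructed data."""
from collections import Counter

# ICMP (type, code) pairs from RFC 792; code 13 ("communication
# administratively prohibited") is from RFC 1812.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 2): "protocol unreachable",
    (3, 3): "port unreachable",
    (3, 13): "packet filtered",
    (4, 0): "source quench",
    (11, 0): "time to live exceeded",
}

# Constructed probe records: (address, ICMP (type, code) or None for silence).
SAMPLE_PROBES = [
    ("192.0.2.1", (0, 0)),    # echo reply from the host
    ("192.0.2.2", (3, 1)),    # host unreachable from an upstream router
    ("192.0.2.3", None),      # no answer at all
    ("192.0.2.4", (3, 13)),   # administratively filtered somewhere on the path
    ("192.0.2.5", (11, 0)),   # TTL exceeded, e.g. a routing loop
    ("192.0.2.6", (3, 3)),    # port unreachable: sent by the host itself
    ("192.0.2.7", None),      # no answer at all
    ("192.0.2.8", (3, 0)),    # net unreachable from an upstream router
]


def name_response(icmp):
    """Label a (type, code) pair, or None for silence, as in the post's table."""
    if icmp is None:
        return "no reply"
    icmp = tuple(icmp)
    return ICMP_NAMES.get(icmp, "other icmp type %d code %d" % icmp)


def verdict(icmp):
    """Three-state conclusion about the probed address.

    present: the host answered (echo reply, or a port/protocol unreachable,
             which only the destination host generates)
    absent:  a router reported the net or host unreachable
    unknown: silence, filtering, TTL exceeded, source quench, or anything
             else; the post's point is that none of these prove absence
    """
    if icmp is None:
        return "unknown"
    icmp_type, code = tuple(icmp)
    if icmp_type == 0:
        return "present"
    if icmp_type == 3:
        if code in (0, 1):
            return "absent"
        if code in (2, 3):
            return "present"
    return "unknown"


def summarize(probes):
    """Count labels and verdicts and report the fraction of silent addresses."""
    labels = Counter(name_response(icmp) for _, icmp in probes)
    verdicts = Counter(verdict(icmp) for _, icmp in probes)
    silent = labels["no reply"] / len(probes) if probes else 0.0
    return {"labels": labels, "verdicts": verdicts, "silent_fraction": silent}


def by_verdict(probes):
    """Group addresses by verdict so each bucket can be reviewed."""
    groups = {"present": [], "absent": [], "unknown": []}
    for addr, icmp in probes:
        groups[verdict(icmp)].append(addr)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    report = summarize(SAMPLE_PROBES)
    for label, n in sorted(report["labels"].items()):
        print("%-28s %5d" % (label, n))
    print("verdicts:", dict(report["verdicts"]))
    print("silent fraction: %.2f" % report["silent_fraction"])
    print("not provably absent:", by_verdict(SAMPLE_PROBES)["unknown"])
```

The "unknown" bucket is the one that matters for a defender: every address in it is one that a scanner cannot rule out, which is exactly why silence does not hide a host.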

