Firewall Wizards mailing list archives

new tcp scan method


From: antirez <antirez () seclab com>
Date: Fri, 18 Dec 1998 07:47:57 +0100


  Hi,

        I have uncovered a new TCP port scan method.
        Unlike all the others, it allows you to scan using spoofed
        packets, so scanned hosts can't see your real address.
        In order to perform this I use three well-known TCP/IP
        implementation peculiarities of most OSes:

          (1) * hosts reply SYN|ACK to a SYN if the TCP target port is open,
            and reply RST|ACK if the TCP target port is closed.

          (2) * You can know the number of packets that hosts are sending
            using the IP header id field. See my previous posting 'about the ip
            header' on this ml.

          (3) * hosts reply RST to a SYN|ACK, and reply nothing to a RST.


        The Players:

          host A - evil host, the attacker.
          host B - silent host.
          host C - victim host.

        A is your host.
        B is a particular host: it must not send any packets while
          you are scanning C. There are a lot of 'zero traffic' hosts
          on the internet, especially at night :)
        C is the victim; it must be vulnerable to SYN scan.

        I've called this scan method 'dumb host scan' in honour of host
        B's characteristics.


        How it works:

        Host A monitors the number of outgoing packets from B using the iphdr id.
        You can do this simply using hping:

#hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-cut-
..

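The following is an added example, not part of the post or of hping. It parses `hping -r` output like that quoted above and classifies a host's IP id generator, which is how an administrator can check whether their own hosts expose a global, sequential id counter (the property that makes a host usable as the silent host B; the fix is randomised or per-destination IP ids). The sample output is constructed, and the delta threshold of 16 for "sequential" is an assumed heuristic.

```python
import re
from typing import List

# Constructed sample modelled on the hping -r output quoted in the post:
# the first reply shows the absolute id, later replies show the delta "+N".
SAMPLE_HPING_OUTPUT = """\
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+3 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
"""

ID_FIELD = re.compile(r"\bid=(\+?)(\d+)\b")


def parse_hping_ids(output: str) -> List[int]:
    """Return the absolute 16-bit IP ids seen in hping output.

    With -r hping prints the first id absolutely and later ones as "+N"
    relative to the previous reply; both forms are handled and the counter
    wraps modulo 2**16 exactly like the real IP id field does.
    """
    ids: List[int] = []
    for line in output.splitlines():
        m = ID_FIELD.search(line)
        if not m:
            continue  # banner and summary lines carry no id field
        relative, value = m.group(1) == "+", int(m.group(2))
        if relative and not ids:
            raise ValueError("relative id seen before any absolute id")
        ids.append(((ids[-1] + value) if relative else value) & 0xFFFF)
    return ids


def ipid_deltas(ids: List[int]) -> List[int]:
    """Per-probe id increments, taking 16-bit wraparound into account."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """'sequential': one global counter, every increment small and positive,
    so the host leaks how many packets it sent between our probes.
    'constant': id never changes (leaks nothing). 'random': irregular."""
    deltas = ipid_deltas(ids)
    if len(deltas) < 2:
        raise ValueError("need at least three replies to judge the counter")
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= 16 for d in deltas):  # 16: assumed heuristic bound
        return "sequential"
    return "random"


def foreign_packets(ids: List[int]) -> List[int]:
    """For a sequential host: packets it sent to third parties between two of
    our probes (each of our probes consumes exactly one id, hence the -1)."""
    return [d - 1 for d in ipid_deltas(ids)]
```

On the sample above, the host is classified as sequential and the `id=+3` reply reveals two packets sent elsewhere between probes 2 and 3.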
