Nmap Development mailing list archives
Blind scanning using Broadcast ARP
From: "Josiah Zayner" <Josiah.Zayner () informony com>
Date: Sat, 9 Aug 2003 09:51:42 -0500
Don't know if you guys have ever heard or thought of this but it just came to mind. Maybe it could be implemented in NMAP? Any questions just email me.

--------------

Blind Scanning using ARP
By Case (phric () legions org)

Broadcast ARP scanning is based off the concept that when a packet is sent from host A to nonexistent host B, the host 1 hop before host B will send an ARP broadcast in an effort to locate host B. Voila, commence BARP scans. So we should now understand the basic concept and be able to exploit this feature to perform blind port scans or ping scans.

What we need:
- A nonexistent host on our subnet - Host None
- A target host - Host Target
- Us - Host Us

First we find a host on our subnet that does not exist, Host None. Now we forge a FIN packet from Host None to our target host. And we wait and listen for ARP broadcasts.

- Host Us sends TCP FIN or NULL, forged IP SRC of Host None ---> Host Target
- Host Target sends TCP RST ---> Host in Route, 1 hop before Host None
- Host in Route, 1 hop before Host None sends ARP Broadcast --->

Now if we receive a broadcast looking for the hardware address of Host None, we know that the target host must have sent a packet back. Since FIN packets only return RSTs when the ports are closed, we have found a closed port. Now if on the next packet sent no ARP broadcast is snooped, we know that the port is most likely open. The problem is the scan can be narrowed down to your subnet; the benefit is that it can be one of a number of computers.

Example using tcpdump and IP Sorcery. THANKS GUYS!

- Send packet to ssh, returns nothing, we can assume it is open:

  192.168.0.7.1993 > legions.org.ssh: F [tcp sum ok] 524637819:524637819(0) win 1346 (ttl 64, id 53339, len 40)

- Send packet to telnet, it returns a RST, we know by the ARP from the router:

  192.168.0.7.1993 > legions.org.telnet: F [tcp sum ok] 480732068:480732068(0) win 2957 (ttl 64, id 53332, len 40)
  arp who-has 192.168.0.7 tell 192.168.0.1

Now we NMAP to verify our results:

  # nmap (V. 2.54BETA34) scan initiated Sun Jul 27 09:57:24 2003 as: nmap -sT -p22,23 www.legions.org
  Interesting ports on mail.legions.org (66.12.11.166):
  (The 1 port scanned but not shown below is in state: closed)
  Port       State       Service
  22/tcp     open        ssh

Remember though, Windows computers have features so this doesn't work. Example code: http://www.legions.org/~phric/arpscan.c

I'm a chunky monkey from funkytown...

Any question or comments email phric () legions org.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
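From the defender's side, the footprint of this technique is the router repeatedly asking "who-has" for an address nobody on the subnet owns (the ARP line in the capture above). The following is an added example, not part of the original post or of the arpscan.c it links: a Python filter over constructed tcpdump-style lines that flags any sender whose ARP requests for unallocated addresses reach a threshold. The allocated-address set and the threshold are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Matches tcpdump's ARP request line, e.g. "arp who-has 192.168.0.7 tell 192.168.0.1"
ARP_WHO_HAS = re.compile(
    r"arp who-has (?P<target>\d{1,3}(?:\.\d{1,3}){3}) tell (?P<sender>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_who_has(lines):
    """Yield (target_ip, sender_ip) for every ARP who-has line; replies and TCP lines are skipped."""
    for line in lines:
        m = ARP_WHO_HAS.search(line)
        if m:
            yield m.group("target"), m.group("sender")

def find_phantom_arp(lines, allocated, threshold=3):
    """Return {sender: {unallocated_target: count}} for senders that asked for an
    address outside `allocated` at least `threshold` times.

    A gateway repeatedly ARPing for an address no host owns is what you see when it
    is trying to deliver replies (RSTs here) to a spoofed, nonexistent source."""
    counts = defaultdict(Counter)
    for target, sender in parse_who_has(lines):
        if target not in allocated:
            counts[sender][target] += 1
    return {
        sender: {t: c for t, c in targets.items() if c >= threshold}
        for sender, targets in counts.items()
        if any(c >= threshold for c in targets.values())
    }

# Constructed capture: the two probes from the post plus normal ARP traffic and the
# gateway (192.168.0.1) asking four times for 192.168.0.7, which no host owns.
SAMPLE_CAPTURE = [
    "192.168.0.7.1993 > legions.org.ssh: F [tcp sum ok] 524637819:524637819(0) win 1346 (ttl 64, id 53339, len 40)",
    "192.168.0.7.1993 > legions.org.telnet: F [tcp sum ok] 480732068:480732068(0) win 2957 (ttl 64, id 53332, len 40)",
    "arp who-has 192.168.0.7 tell 192.168.0.1",
    "arp who-has 192.168.0.5 tell 192.168.0.1",   # allocated host, normal
    "arp reply 192.168.0.5 is-at 0:a:b:c:d:e",    # reply, not a request
    "arp who-has 192.168.0.7 tell 192.168.0.1",
    "arp who-has 192.168.0.9 tell 192.168.0.1",   # unallocated, but only once
    "arp who-has 192.168.0.7 tell 192.168.0.1",
    "arp who-has 192.168.0.1 tell 192.168.0.5",   # host asking for the gateway, normal
    "arp who-has 192.168.0.7 tell 192.168.0.1",
]
# Assumed set of addresses actually assigned on this subnet (example data).
ALLOCATED = {"192.168.0.1", "192.168.0.5", "192.168.0.12"}

if __name__ == "__main__":
    for sender, targets in find_phantom_arp(SAMPLE_CAPTURE, ALLOCATED).items():
        print(f"{sender} is ARPing for unowned addresses: {dict(targets)}")
```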