Nmap Development mailing list archives

Semi-Idle Scanning... thoughts?


From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Sat, 11 Aug 2007 00:50:41 -0400

Hey Guys,

I'm new to the nmap-dev list, but I wanted to run an idea by you guys.
Essentially, I thought I'd put a twist on Idle scanning to expand its
practical use. Sorry for being lazy, but below is a blog posting about the
idea. Please let me know your thoughts.

Semi-Idle Scanning <http://www.cyberwart.com/blog/2007/08/10/semi-idle-scanning/>
August 10th, 2007

The concept of idle scanning has been around for quite a while. I'm not sure
how many people really understand it, but the basic principle is to send a
SYN packet to a target host with the spoofed source IP of an idle host and
watch the IPID field. Generally the IPID increments by one every time a host
gets a packet. If a host is known idle, then the IPID increases by one if
the target responds with a SYN-ACK to the packet. The details of this can be
found at http://insecure.org/nmap/idlescan.html

However, it's been my experience that most hosts are very seldom
*really* idle. Far more often they tend to be *almost* idle. This screws up
idle scanning, but idle scanning should still work in principle, though you
have to be a little trickier. Instead of waiting for a host to become idle,
ping it regularly and establish a "heartbeat". If the heartbeat is fairly
stable you can perform what I'm calling *semi-idle scanning*. Instead of
sending one spoofed packet, send a statistically significant burst. If the
heartbeat increases sufficiently, then you know the target host responded to
the semi-idle host and therefore the port was open.

Right now I've only significantly tested this with hping2, but I'm working
on writing a wrapper around nmap's idle_scan.c. Currently it seems to work,
but I'm only thresholding the values rather than using statistics. Really, I
should compute the average heartbeat and the standard deviation. Then send a
burst and see if I exceed the deviation. In this case, the host doesn't even
really need to be semi-idle — traffic only needs to be statistically
constant. However, this method is fairly slow so anything beyond "semi-idle"
is REALLY slow.

Thoughts? Comments?

Source code to come shortly...
Thanks for any help you can provide.

-- 
Matthew  Wollenweber
mwollenweber () gmail com | mjw () cyberwart com
www.cyberwart.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
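The decision logic the post sketches (sample the zombie's IPID heartbeat, compute the mean and standard deviation of the per-interval increment, send a burst sized to exceed that deviation, then judge open vs. closed) worked through as an added example. This is not code from the post, from the promised wrapper, or from Nmap's idle_scan.c; nothing here is sent on the wire. The `SimulatedZombie` model of an "almost idle" host (Gaussian background traffic per sampling interval, assumed roughly constant in rate) is constructed for the example, as are all function names and the choice of a 3-sigma threshold.

```python
"""Semi-idle scan: heartbeat statistics plus a burst-sized open/closed test.

Added example (not from the post or from Nmap). The zombie is a constructed
model whose IPID counter advances by background traffic each interval and by
one per RST it sends in reply to an unexpected SYN/ACK from the scan target.
"""
import math
import random
import statistics

IPID_MODULUS = 1 << 16  # the IPID field is 16 bits and wraps


def ipid_delta(prev, cur):
    """Wraparound-safe count of packets the zombie sent between two samples."""
    return (cur - prev) % IPID_MODULUS


def baseline(samples):
    """Mean and standard deviation of the IPID increment per sampling
    interval, from consecutive probe replies (the 'heartbeat')."""
    deltas = [ipid_delta(a, b) for a, b in zip(samples, samples[1:])]
    return statistics.fmean(deltas), statistics.pstdev(deltas)


def burst_size(sd, k=3.0, minimum=5):
    """Spoofed SYNs per burst. An open port costs the zombie one RST (one
    IPID step) per SYN, so a burst of 2*k*sd leaves k standard deviations
    of margin on both sides of the decision threshold (assumption: roughly
    Gaussian background traffic with a stable rate)."""
    return max(minimum, math.ceil(2 * k * sd) + 1)


def classify(mu, sd, observed, k=3.0):
    """'open' if the increment over the burst interval exceeds the expected
    background by more than k standard deviations. A zombie whose heartbeat
    is constant (sd == 0, any mean) degenerates to the classic idle-scan
    test: a single extra step means the target answered."""
    excess = observed - mu
    if sd == 0:
        return "open" if excess > 0 else "closed|filtered"
    return "open" if excess > k * sd else "closed|filtered"


class SimulatedZombie:
    """Constructed stand-in for a semi-idle host: per interval its IPID
    advances by rounded, non-negative Gaussian background traffic, plus one
    per RST it sends in reply to a SYN/ACK from the scan target."""

    def __init__(self, rate_mean, rate_sd, seed=0):
        self._rng = random.Random(seed)
        self.rate_mean, self.rate_sd = rate_mean, rate_sd
        self.ipid = self._rng.randrange(IPID_MODULUS)

    def tick(self, rsts=0):
        background = max(0, int(round(self._rng.gauss(self.rate_mean, self.rate_sd))))
        self.ipid = (self.ipid + background + rsts) % IPID_MODULUS
        return self.ipid


def semi_idle_scan(zombie, port_open, baseline_intervals=60, k=3.0):
    """One probe round: measure the heartbeat over baseline_intervals, fire a
    burst during the next interval (same length), classify. Returns
    (verdict, burst, mu, sd)."""
    samples = [zombie.tick() for _ in range(baseline_intervals + 1)]
    mu, sd = baseline(samples)
    burst = burst_size(sd, k)
    # Open port: the target SYN/ACKs the zombie once per spoofed SYN and the
    # zombie RSTs each one. Closed port: the target's RSTs are dropped by
    # the zombie and the counter only moves with background traffic.
    after = zombie.tick(rsts=burst if port_open else 0)
    observed = ipid_delta(samples[-1], after)
    return classify(mu, sd, observed, k), burst, mu, sd


def accuracy(trials=200, rate_mean=20.0, rate_sd=4.0, seed=1):
    """Fraction of correct verdicts over many rounds, half open, half closed,
    against a zombie that is nowhere near idle (20 +/- 4 packets/interval)."""
    correct = 0
    for i in range(trials):
        port_open = i % 2 == 0
        verdict, *_ = semi_idle_scan(SimulatedZombie(rate_mean, rate_sd, seed + i), port_open)
        correct += verdict == ("open" if port_open else "closed|filtered")
    return correct / trials


if __name__ == "__main__":
    verdict, burst, mu, sd = semi_idle_scan(SimulatedZombie(20.0, 4.0), port_open=True)
    print(f"heartbeat mu={mu:.1f} sd={sd:.1f} burst={burst} -> {verdict}")
    print(f"accuracy over 200 rounds: {accuracy():.1%}")
```

Two practitioner caveats the simulation makes visible. First, the burst must be sent within one sampling interval of the same length used for the baseline, otherwise mu and sd no longer describe the window being judged. Second, the burst grows with 2*k*sd, so a noisier zombie means more spoofed packets per port and proportionally slower scans, which is the "anything beyond semi-idle is REALLY slow" point; and none of this helps against a zombie that uses per-destination or randomized IPIDs, where there is no global counter to read in the first place.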
