Nmap Development mailing list archives

Re: Idea for getting a lot of decoys


From: Duarte Silva <duartejcsilva () gmail com>
Date: Fri, 23 Jan 2009 02:06:23 +0000

On Fri, 2009-01-23 at 00:57 +0000, Brandon Enright wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 22 Jan 2009 23:03:50 +0000 or thereabouts Duarte Silva
<duartejcsilva () gmail com> wrote:

Hi,

I was using nmap against *some* server, and the firewall didn't allow
much. It is actually a well tidied up server. To try to get a little
more out of it I tried to use decoys. That's when I had an idea: why don't
we use torrents to get on-line and valid hosts as decoys? It's
possible to implement a minimal *client* that would announce us with
a certain torrent to the torrent tracker and get the peers' IPs for us
to use. Some torrents get up to thousands of peers, and that's a big
pool of IPs to choose from.
This would be represented by a command line option in nmap like "-tD
<input torrent>".
What do y'all think?

Best regards,
Duarte Silva

PS: I had this idea off the top of my head just now; I haven't studied the BitTorrent
protocol yet to check whether this is possible.

Oh, forgot to say hi! My first post :P


Hi Duarte, thanks for contributing to the list!

If I'm following your email right, the goal of your suggestion above
isn't to exploit some property of the BitTorrent protocol to
scan hosts, but just to find real, live hosts on the
Internet.  The idea being that using live hosts as decoys is better
than hosts not online.

If that is the case, there isn't really anything special about
BitTorrent that makes it well-suited for finding live hosts.  You could
use DNS to find lots of live IPs, the list of Tor exit nodes, pretty
much any list of IPs that are presumably online will do.  There are
just so many ways to generate such a list.

You could even gather the list of IPs passively, just run
Wireshark/tcpdump on your Internet-facing interface (non RFC 1918) and
wait for hosts to scan *you*.  Depending on how much your ISP filters,
this might be a lot of hosts, really quick.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkl5FfAACgkQqaGPzAsl94JJagCghltj6nyQ6bOSx5zyO3czH7pL
8CUAn0CHpaJPoJHHbN3S+AhCrV76jy2H
=QEFJ
-----END PGP SIGNATURE-----

Hi Brandon,

Yes, that's the general idea. But for instance, to get a *decoy* list
with nmap you will have to use the -iR option (I might be mistaken; if so,
correct me please). And then get those IPs and use them in another
command where you actually do the scan. This way you wouldn't have
to worry about getting the list first, because nmap would do it for you.
I read the BitTorrent tracker announce protocol, and the tracker will
send the peer IP list and port to you right away, as soon as you
announce yourself to the tracker. That's fairly fast and simple, the
process at least.
It's just a way of nmap doing better work and doing it for you. I
chose BitTorrent because it seemed the one that is packed with more
diversity in terms of IPs. You could also use the port from each peer
as the source port in the spoofed packet; that way it could seem more
concise (as I come to think about it, it doesn't make much difference since
that port is for receiving connections and not making them lol). But
anyway, it will do some work for you.

Best regards,
Duarte Silva

Attachment: signature.asc
Description: This is a digitally signed message part


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
