Re: Blind IP spoofing portscan tool?

[matheny <matheny-pentest () dbaseIV net>]

Are you thinking of passive network mapping? That's the
closest thing I can think of to what you're talking
about. This manner of portscanning/network mapping requires
that you either already have access to a machine on the same
subnet as the machine you want to map (so you can sniff ISN
info) or the spoofed target has poor ISN generation
capabilities (NT, default solaris, 9x, etc). This method
of 'anonymous' port mapping has been around for some time,
standard technical dificulties associated with IP spoofing
still apply to this method however.
-Blake


Whatchu talkin' 'bout, Willis?
> In the mailing for the Black Hat briefings, there is 
> mention of a "blind IP spoofing portscan tool" or 
> something along those lines. I'm curious about this 
> tool, what is it's name and what is the mechanism by 
> which it works? I'd guess that it's something involving 
> other elements of the IP stack or some tool that uses 
> a 3rd party system to check IP ID's, sequence 
> numbers, ICMP responses or something along those 
> lines.
>
> I'd be interested to know more information, please 
> share if you have this knowledge.
>
> PS - I'm moving to Chicago soon and looking for a 
> good security job, anyone got any leads?
>
> Curt Wilson
> netw3 () netw3 com

--