Penetration Testing mailing list archives

RE: Blind IP spoofing portscan tool?


From: "thomas olofsson" <thomas.olofsson () defcom com>
Date: Mon, 18 Jun 2001 14:28:14 -0700

Basically the tool that I am going to present is based on antirez's ideas.
But I have developed a tool that is usable in the real world by adding
packet round trip calculations (to optimize speed) and doing multiple retries
on positives (to minimize false positives).

The reason for my presentation is that this technique is very efficient,
especially in fooling IDS systems, and there has until now been very little fuss
about this technique. So I just wanted to demonstrate the technique to the
broad public. My talk will focus mostly on the basic technique and how I got
around all the false positives.

I work quite a lot with IDS monitoring and I have seen this technique used in
the wild on several occasions. So at least some black hat hackers already
have tools like this, so I thought it was time to share a tool with open
source to the security community.

The tool is written under Windows 2000. The reason for this is that I wanted
to learn their raw socket implementation and the fact that more and more
people are using 2k as their prime pen testing platform. I am right now
working with ifdefs to get it to compile under Linux.

The tool will be released on the first day of BH. I will post the URL here
when it is released. I haven't had a chance to look at Filipe's tool yet as I
can't seem to download it.


----- Original Message -----
From: "Filipe Almeida" <filipe () ist utl pt>
To: <netw3 () netw3 com>; <pen-test () securityfocus com>
Sent: Friday, June 15, 2001 4:31 AM
Subject: RE: Blind IP spoofing portscan tool?


An interesting article on this:
http://www.sans.org/infosecFAQ/intrusion/spoof.htm

My post to bugtraq:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=37272

And antirez's post:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=11581

--
Filipe Almeida <filipe () rnl ist utl pt>
Aka LiquidK

-----Original Message-----
From: netw3 () netw3 com [mailto:netw3 () netw3 com]
Sent: Wednesday, 13 June 2001 22:05
To: pen-test () securityfocus com
Subject: Blind IP spoofing portscan tool?

In the mailing for the Black Hat briefings, there is
mention of a "blind IP spoofing portscan tool" or
something along those lines. I'm curious about this
tool: what is its name and what is the mechanism by
which it works? I'd guess that it's something involving
other elements of the IP stack or some tool that uses
a 3rd party system to check IP IDs, sequence
numbers, ICMP responses or something along those
lines.

I'd be interested to know more information, please
share if you have this knowledge.

PS - I'm moving to Chicago soon and looking for a
good security job, anyone got any leads?

Curt Wilson
netw3 () netw3 com
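The mechanism Curt asks about rests on how the third-party host chooses the 16-bit IP identification field. The model below is an added illustration written for this archive page; it is not code from Thomas's tool, antirez's post or any of the linked articles. It assumes three hypothetical ID generators (one global counter, one counter per destination, and a random value per packet) and shows that only the global counter lets an outside observer read, from two packets it receives, how many packets the host sent to everyone else in between. That leak is the whole technique, and per-destination or randomized IDs (what most current stacks do) are the mitigation.

```python
import random

# Added model (not from the thread): three ways a host could choose the 16-bit
# IP identification field, and what an outside observer can read from it.

class SequentialIpId:
    """One global counter, incremented for every packet the host sends
    (the behaviour the blind-scan technique depends on)."""
    def __init__(self, start=1000):
        self.counter = start
    def next_id(self, dst):
        self.counter = (self.counter + 1) & 0xFFFF
        return self.counter

class PerDestinationIpId:
    """A separate counter per destination: traffic to other hosts never moves
    the counter the observer sees."""
    def __init__(self, start=1000):
        self.start = start
        self.counters = {}
    def next_id(self, dst):
        self.counters[dst] = (self.counters.get(dst, self.start) + 1) & 0xFFFF
        return self.counters[dst]

class RandomIpId:
    """A fresh random ID per packet (seeded only so the example is reproducible)."""
    def __init__(self, seed=1):
        self.rng = random.Random(seed)
    def next_id(self, dst):
        return self.rng.randrange(0, 1 << 16)

def observed_delta(host, packets_to_others):
    """The observer receives one packet from the host, the host then sends
    packets_to_others packets to third parties, and the observer receives a
    second packet. Return the difference between the two IDs seen (mod 2^16)."""
    first = host.next_id("observer")
    for i in range(packets_to_others):
        host.next_id(f"third-party-{i}")
    second = host.next_id("observer")
    return (second - first) & 0xFFFF

def leaks_traffic_count(host_factory, max_packets=50):
    """True when the observed delta always equals packets_to_others + 1, i.e.
    the ID field tells the observer exactly how many packets the host sent
    to everyone else in the meantime."""
    return all(observed_delta(host_factory(), n) == n + 1
               for n in range(max_packets))

if __name__ == "__main__":
    for factory in (SequentialIpId, PerDestinationIpId, RandomIpId):
        print(f"{factory.__name__:20s} leaks traffic count: "
              f"{leaks_traffic_count(factory)}")
```

The same model also explains the false positives Thomas mentions: with a global counter, any unrelated packet the third-party host sends in the interval shifts the delta by one, so a busy host produces noise that looks like a positive, which is why such a relay has to be idle and why the technique disappears entirely once the ID field stops being a global counter.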
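Thomas's point about fooling IDS systems follows from the same mechanism: the scanner's own address never reaches the target, so the only place the activity is visible is the third-party host, which receives a stream of SYN/ACKs it never asked for and answers each with a RST. The detection logic below is an added example for this page, not part of Thomas's tool or of any IDS named in the thread. It assumes a constructed, simplified packet log ("timestamp source destination TCP-flags", one packet per line), a hypothetical internal prefix of 192.0.2., and a 30-second window in which an outbound SYN explains an incoming SYN/ACK; it flags peers that send a threshold number of unexplained SYN/ACKs to one internal host.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed parameters for the example (not from the original thread).
INTERNAL_PREFIX = "192.0.2."            # hosts we protect
SYN_VALIDITY = timedelta(seconds=30)    # an outbound SYN explains a SYN/ACK for this long
ALERT_THRESHOLD = 5                     # unsolicited SYN/ACKs from one peer before alerting

# Constructed sample log (not real traffic): "<timestamp> <src> <dst> <tcp flags>".
# 198.51.100.7 is a normal handshake, 198.51.100.9 answers a SYN that is far too
# old, and 203.0.113.5 sends SYN/ACK probes once a second that we never asked for.
SAMPLE_LOG = """
2001-06-13T22:00:00 192.0.2.10 198.51.100.9 S
2001-06-13T22:05:00 192.0.2.10 198.51.100.7 S
2001-06-13T22:05:00 198.51.100.7 192.0.2.10 SA
2001-06-13T22:05:00 192.0.2.10 198.51.100.7 A
2001-06-13T22:05:10 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:10 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:11 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:11 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:12 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:12 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:13 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:13 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:14 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:14 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:15 203.0.113.5 192.0.2.10 SA
2001-06-13T22:05:15 192.0.2.10 203.0.113.5 R
2001-06-13T22:05:30 198.51.100.9 192.0.2.10 SA
"""

def parse_line(line):
    ts, src, dst, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, flags

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def unsolicited_synacks(log_text):
    """Count SYN/ACKs arriving at internal hosts that no recent outbound SYN explains.
    Returns {(peer, internal host): count}."""
    last_syn = {}        # (internal host, peer) -> time of the most recent outbound SYN
    counts = Counter()   # (peer, internal host) -> unexplained SYN/ACKs seen
    for line in log_text.strip().splitlines():
        ts, src, dst, flags = parse_line(line)
        if flags == "S" and is_internal(src):
            last_syn[(src, dst)] = ts
        elif flags == "SA" and is_internal(dst):
            syn_time = last_syn.get((dst, src))
            if syn_time is None or ts - syn_time > SYN_VALIDITY:
                counts[(src, dst)] += 1
    return dict(counts)

def alerts(log_text, threshold=ALERT_THRESHOLD):
    """Peers that sent at least `threshold` unexplained SYN/ACKs to one internal host."""
    return sorted((peer, host, n)
                  for (peer, host), n in unsolicited_synacks(log_text).items()
                  if n >= threshold)

if __name__ == "__main__":
    for peer, host, n in alerts(SAMPLE_LOG):
        print(f"possible IP-ID probing: {peer} sent {n} unsolicited SYN/ACKs to {host}")
```

The threshold exists because a single unexplained SYN/ACK is common (late retransmissions from a slow server, asymmetric routing where the outbound SYN left by another path), so the alert keys on the repetition: regular, unsolicited SYN/ACKs from one peer to one host, each met with a RST, is the pattern an idle host shows while its IP ID counter is being sampled. A real IDS would take this from packet captures rather than a text log, and the host being probed is the one worth looking at, since the eventual scan target sees only the probed host's address.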
