Bugtraq mailing list archives
Re: stealth port scanning
From: fyodor () DHP COM (Fyodor)
Date: Mon, 8 Sep 1997 06:14:23 -0400
-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 7 Sep 1997, Superuser (Duncan Simpson) wrote:

> I discovered another bug. If you send a packet with FIN but not ACK set
> then Linux will discard the packet if the port is listening and send RST
> if not.

Actually I discussed this (and provided code to implement it) in my Phrack 51 article. To quote it:

    The idea is that closed ports tend to reply to your FIN packet with the
    proper RST. Open ports, on the other hand, tend to ignore the packet in
    question. This is a bug in TCP implementations [...]

Also, there seems to be a problem with your "patch". It basically adds the following line to tcp_input.c:

    printk("Warning: possible attempt at \"sleath\" port scaning: port %d, source IP %s\n",
           noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr));
           ^^^^^

Don't you mean 'ntohs'??

Also, you wrote:

> When you see all the open ports from one IP address you have grounds for
> writing to the ISP and watch the cracker's account disappearing (in a puff
> of greasy green smoke, perhaps).

I don't think this is a good idea, for the same reason the SYN flood detecting code doesn't give IP addresses. It could easily be forged. In fact, nmap (my Phrack code) includes this as a feature. Suppose I don't like someone at 192.88.209.5. I could then do:

    payfonez~# ./nmap -US 192.88.209.5 target.com

And your detectors will all go off blaming the wrong person. So if the ISP is ignorant, it might be an innocent person whose account disappears "in a puff of greasy green smoke".

Cheers,
Fyodor

- --
Fyodor 'finger fyodor () dhp com | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.dhp.com/~fyodor/nmap/
"Hacking is perceived by hackers as a "game." This is not an entirely
unreasonable or sociopathic perception." --Bruce Sterling

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNBPQBBLa2GWS3jg1AQFTiwP8DfKndBdxsvmrD3eCqJClwLx/e2YglKx4
Mb3o5KN1+8GHpMcLNgLnuA55bYstX0k72RIi1gS24Qw+dFMlBA+WgxF9+aEJlAbG
DwoChTig4yYiVzOMDDzv+N7GQ5SOUoYtKZa9uF8b6z3gAIhZEmxOxuTGgZ6t1cv1
RgsdQDneJC0=
=bXkD
-----END PGP SIGNATURE-----
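The two technical points in the exchange above, the FIN-without-ACK condition the kernel patch logs (and the network-byte-order conversion it gets wrong) and the fact that the logged source address is unauthenticated, can be worked through in user space. The following is an added example, not code from the thread, from Duncan's patch or from nmap. It constructs minimal IPv4+TCP headers in memory (zero checksums, no options), decodes them with network-byte-order unpacking (the same conversion ntohs() performs), classifies FIN-without-ACK probes, models the Linux response behaviour described in the thread, and groups probed ports by the claimed source address, with the caveat that the key is whatever the packet says it is. The addresses, ports and flag bits are constructed sample values.

```python
# Added example (not from the thread): user-space detection of the
# FIN-without-ACK probes discussed above, run over constructed packets.
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

# TCP flag bits (low byte of the TCP flags field)
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed IPv4 (20 bytes, no options) + TCP (20 bytes, no options) header.
    Checksums are zero: this is a test vector for the parser, not a sendable frame."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         inet_aton(src_ip), inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Decode the fields the detector needs. '!' selects network byte order,
    which is what ntohs() does for the port in the kernel patch."""
    ihl = (raw[0] & 0x0F) * 4
    src, dst = struct.unpack("!4s4s", raw[12:20])
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {"src": inet_ntoa(src), "dst": inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags}


def is_fin_probe(pkt):
    """FIN set without ACK. A normal connection never produces this, since every
    segment after the handshake carries ACK; it is the condition the patch logs."""
    return bool(pkt["flags"] & TH_FIN) and not (pkt["flags"] & TH_ACK)


def host_response(listening_ports, pkt):
    """The Linux behaviour described in the thread: a FIN probe to a listening
    port is silently dropped (None), one to a closed port is answered with RST."""
    if not is_fin_probe(pkt):
        return None
    return None if pkt["dport"] in listening_ports else "RST"


def summarize(raw_packets):
    """Distinct destination ports probed, keyed by the *claimed* source address.
    The key is unauthenticated: a forged source lands the probes on someone else."""
    probed = defaultdict(set)
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if is_fin_probe(pkt):
            probed[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in probed.items()}


def alerts(raw_packets, min_ports=3):
    """Claimed sources whose probe count crosses the threshold. This is a lead
    to investigate, not evidence of who actually sent the packets."""
    return sorted(src for src, ports in summarize(raw_packets).items()
                  if len(ports) >= min_ports)


# Constructed traffic: five FIN-only probes with claimed source 10.0.0.9,
# plus a normal FIN|ACK teardown and a SYN from 10.0.0.7 that must not count.
SAMPLE = [build_packet("10.0.0.9", "10.0.0.1", 40000 + i, p, TH_FIN)
          for i, p in enumerate((21, 22, 23, 25, 80))]
SAMPLE += [build_packet("10.0.0.7", "10.0.0.1", 50001, 80, TH_FIN | TH_ACK),
           build_packet("10.0.0.7", "10.0.0.1", 50002, 22, TH_SYN)]

if __name__ == "__main__":
    print(summarize(SAMPLE))   # {'10.0.0.9': [21, 22, 23, 25, 80]}
    print(alerts(SAMPLE))      # ['10.0.0.9']
```

The detector keys on the source field exactly as the patch's printk does, which is the weakness Fyodor points out: nothing in a single unsolicited segment proves where it came from, so an alert from summarize() or alerts() is a reason to look at flow records and upstream logs, not grounds for action against the address it names.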