Full Disclosure mailing list archives
Re: Idle scan rediscovered!!!
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Fri, 05 May 2006 19:33:00 +0200
Le vendredi 05 mai 2006 à 18:49 +0200, Cedric Blancher a écrit :
As standard 2.4/2.6 kernels behaviour is to set DF flag to 1, and IPID to 0, it's a very bad candidate for an idle host.
Mitigating this...
1. there's Marco Ivaldi finding posted on Bugtraq
2. There seem to be something with ACK packets to exploit for
idle-scanning:
hping3 -A -r host -p 80
Gives back exploitable incremental IPID on a Linux 2.6.15 box.
Note that default ip_conntrack_tcp_loose of 3 prevents theses packets to
get flaged as INVALID by conntrack.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Idle scan rediscovered!!! Joel Jose (May 05)
- Re: Idle scan rediscovered!!! Tim (May 05)
- Re: Idle scan rediscovered!!! Cedric Blancher (May 05)
- Re: Idle scan rediscovered!!! Cedric Blancher (May 05)
- Re: Idle scan rediscovered!!! Tim (May 05)
- Re: Idle scan rediscovered!!! Cedric Blancher (May 05)
- Re: Idle scan rediscovered!!! rembrandt (May 05)
- Re: Idle scan rediscovered!!! Tim (May 05)
- Re: Idle scan rediscovered!!! Tim (May 05)
- Re: Idle scan rediscovered!!! Cedric Blancher (May 05)
- Re: Idle scan rediscovered!!! Tim (May 05)