Re: Idle scan rediscovered!!!

[Tim <tim-security () sentinelchicken org>]

> 2. There seem to be something with ACK packets to exploit for
>    idle-scanning:
>
>       hping3 -A -r host -p 80
>
> Gives back exploitable incremental IPID on a Linux 2.6.15 box.

Are you sure?  Just because the sequences are predictable or even
incremental for your source host doesn't mean it is exploitable.  This
is old information, but I would assume it is still the case (until
someone presents hard evidence otherwise):

"One good approach is to use connection or peer-specific IPID sequences.
 Solaris does this, and it severely limits the information attackers can
 glean about other connections. Linux 2.4 also uses peer-specific IPID
 values (see net/ipv4/inetpeer.c). In addition, Linux 2.4 zeros the IPID
 fields in packets with the DF (Don't Fragment) bit set. After all, IP
 defragmentation is the only critical use of the ID field. Another
 approach (used by OpenBSD) is to randomize the IPID sequence. This is
 difficult to get right -- be sure the sequence does not repeat and that
 individual numbers will not be used twice in a short period."

This quote is taken from:
  http://www.insecure.org/nmap/idlescan.html

So, if a host maintains a predictable sequence, but it maintains
independent sequences for each destination it sends packets to, then it
isn't exploitable.  I haven't tested it in recent Linux kernels myself,
but I also haven't seen anyone present solid evidence to the contrary of
this older information.

thanks,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/