Security Incidents mailing list archives

Re: mystery SF scan tool = Idlescan correlation


From: LiquidK <liquidk () LEECHER ORG>
Date: Fri, 17 Nov 2000 03:00:56 +0000

        Hi,


 I have not found the exact tool using IP ID 39426 in the wild, so I am surmising the
distribution is either extremely limited or we're even dealing with a single instance
(that you, liquidK?). Of course, I could just be looking in the wrong places. :-)
I felt that the simplicity of the diffs between Idlescan and this tool that recreates
the mystery detects warranted the posting of this correlation. It seems likely someone
has taken Idlescan and made the improvements on liquidK's todo list in the source code.
(If this turns out to be wrong, please don't flame me. If it's correct and you wrote
the code, stand up and be recognized for eluding that many IDS guys for so long!)

        Not me :) Although if someone implemented the stuff in the TODO I would
be very interested in seeing those diffs :)
        Last version was alpha3, and that update was almost a year ago.
        There is one thing that reveals idlescan's portscans pretty quickly (at
least in my implementation). There are usually several probes on each port to
ensure the scan is accurate. For example, you will see something like the
following pattern.

        sensor1 -> victim:21
        sensor1 -> victim:21
        sensor1 -> victim:21
        sensor2 -> victim:22
        sensor2 -> victim:22
        sensor2 -> victim:22

        Or perhaps with a modified idlescan, something like:


        sensor1 -> victim:21
        sensor2 -> victim:22
        sensor3 -> victim:22
        sensor6 -> victim:21
        sensor5 -> victim:22
        sensor8 -> victim:21

        With only one probe at a port, and unless you are 100% sure the sensor is
idle, you cannot tell whether the ip.id increase was caused by the sensor's own traffic or by
the RST reply of the sensor to an open port.

        If you need any help finishing your research project, don't hesitate to
contact me about idlescan.

For more information on Idlescan, see liquidK's code from 1999 at
http://superbofh.org/idlescan.
It builds on theoretical analysis by antirez in 1998 posted to Bugtraq.
(Nice work there guys.)


        Unfortunately superbofh.org is no more.
        You can still get idlescan and the readme from www.hackers-pt.org,
packetstorm or technotronic.


--
Filipe Almeida
aka
LiquidK <liquidk () leecher org>


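The two points in the message above (why one probe per port is ambiguous on a sensor that is not perfectly idle, and the repeated "sensor -> victim:port" pattern a detector can key on) as an added, self-contained example. This is not idlescan's code and not part of the original thread; the `Zombie`/`Target` simulation, the `sensor1 -> victim:21` log format and the hostnames are constructed for illustration, and the majority-vote rule in `classify_repeated` is one reasonable aggregation, not a description of what idlescan does.

```python
"""Idle-scan IP ID inference and the repeated-probe pattern.

Constructed example: a zombie ("sensor") with a global incrementing IP ID,
a target with a set of open ports, and a detector over constructed
"sensor -> victim:port" lines. Nothing here is idlescan's own code.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Sensor host whose IP ID counter increments on every packet it sends."""
    ip_id: int = 1000

    def send(self) -> int:
        """Any packet the zombie emits consumes one IP ID value."""
        self.ip_id += 1
        return self.ip_id

    def probe_ip_id(self) -> int:
        """Attacker SYN/ACKs the zombie; the RST it answers carries the next ID."""
        return self.send()


@dataclass
class Target:
    open_ports: set = field(default_factory=set)

    def receive_spoofed_syn(self, zombie: Zombie, port: int) -> None:
        """SYN arrives with the zombie's address as source.
        Open port:   target SYN/ACKs the zombie, zombie answers RST (+1 IP ID).
        Closed port: target RSTs the zombie, zombie stays silent (+0)."""
        if port in self.open_ports:
            zombie.send()


def idle_probe(zombie: Zombie, target: Target, port: int, background: int = 0) -> int:
    """One idle-scan round; returns the IP ID delta the attacker observes.
    `background` injects that many unrelated packets from the zombie between
    the two measurements, i.e. the sensor was not idle (constructed noise)."""
    before = zombie.probe_ip_id()
    target.receive_spoofed_syn(zombie, port)
    for _ in range(background):
        zombie.send()
    after = zombie.probe_ip_id()
    return after - before


def classify_single(delta: int) -> str:
    """Naive reading of one probe: +1 means closed, +2 or more means open."""
    return "open" if delta >= 2 else "closed"


def classify_repeated(deltas: list[int]) -> str:
    """Majority vote over several probes of the same port (assumed rule).
    A sensor that is only occasionally busy still shows +1 most rounds."""
    votes = Counter(classify_single(d) for d in deltas)
    return "open" if votes["open"] > votes["closed"] else "closed"


def scan_port(zombie: Zombie, target: Target, port: int,
              rounds: int = 3, busy_rounds: set = frozenset()) -> tuple[str, list[int]]:
    """Probe one port `rounds` times; rounds listed in `busy_rounds` get noise."""
    deltas = [idle_probe(zombie, target, port, background=1 if r in busy_rounds else 0)
              for r in range(rounds)]
    return classify_repeated(deltas), deltas


def ambiguity_demo() -> dict[str, int]:
    """Deltas for an open port, a closed port on an idle sensor, and a closed
    port on a sensor that sent one unrelated packet in between."""
    target = Target(open_ports={22})
    return {
        "open_idle": idle_probe(Zombie(), target, 22),
        "closed_idle": idle_probe(Zombie(), target, 21),
        "closed_busy": idle_probe(Zombie(), target, 21, background=1),
    }


# Constructed log in the same shape as the pattern quoted in the message.
PROBE_LOG = """\
sensor1 -> victim:21
sensor1 -> victim:21
sensor1 -> victim:21
sensor2 -> victim:22
sensor2 -> victim:22
sensor2 -> victim:22
sensor3 -> victim:80
"""


def parse_probe_line(line: str) -> tuple[str, str, int]:
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return src.strip(), dst.strip(), int(port)


def find_repeated_probes(log: str, min_repeats: int = 3) -> dict[tuple[str, str, int], int]:
    """Return (src, dst, port) triples seen at least `min_repeats` times: the
    same source hitting one port repeatedly is the signature described above."""
    counts = Counter(parse_probe_line(l) for l in log.splitlines() if " -> " in l)
    return {k: v for k, v in counts.items() if v >= min_repeats}


if __name__ == "__main__":
    print("single-probe deltas:", ambiguity_demo())
    print("3 probes, closed port, noise in round 0:",
          scan_port(Zombie(), Target(open_ports={22}), 21, busy_rounds={0}))
    print("repeated probes in log:", find_repeated_probes(PROBE_LOG))
```

`ambiguity_demo` shows the problem directly: a closed port on a sensor that sent one packet of its own produces the same +2 as an open port, so a single probe cannot separate the two. `scan_port` repeats the probe, which is exactly what makes the traffic pattern above visible to an IDS.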