Nmap Development mailing list archives

A new zombie port scanning attack


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 09 Jun 2010 01:23:03 +0300

Hello nmap-dev.

As I promised in my last status report, I am writing about that new zombie
scan that I presented at athcon ( http://www.athcon.org/ ), a new security
conference in Athens, Greece.

In my presentation "Abusing Network Protocols" that I gave there, I
demonstrated a new stealthy port scanning attack that is made possible by
abusing XMPP. The technique uses a "zombie" host (that can be anyone in
your [most probably fake] friend/contact list) and some timing calculations
in order to conduct a portscan through that proxy to any target. The IP
address is never revealed to the scanned victim, the same way the famous
idle/zombie scan, discovered by antirez, works.
The idea, a proof of concept pidgin patch and a detailed analysis can be
read in the paper.

You can find the whitepaper here:
http://sock-raw.org/papers/abusing_network_protocols
and the presentation slides:
http://sock-raw.org/papers/anp_presentation.pdf

It is interesting to see how seemingly "innocent" protocols like XMPP can
still be abused to do things like the above attack.

Regards,
ithilgore


-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/