Nmap Development mailing list archives
Re: A new zombie port scanning attack
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 10 Jun 2010 13:36:05 +0000
Hi

If I understood correctly, you need a server that supports this XMPP service, so it's similar to a proxy, right?

Is there a more generic way to do a stealthy port scanning attack, in order to conduct a portscan where the real IP is never disclosed?

It would be very useful to scan external and internal networks with reactive IPS that make nmap useless.

thanks

On Tue, Jun 8, 2010 at 10:23 PM, ithilgore <ithilgore.ryu.l () gmail com> wrote:
Hello nmap-dev.

As I promised in my last status report, I am writing about that new zombie scan that I presented at athcon ( http://www.athcon.org/ ), a new security conference in Athens, Greece. In my presentation "Abusing Network Protocols" that I gave there, I demonstrated a new stealthy port scanning attack that is made possible by abusing XMPP.

The technique uses a "zombie" host (that can be anyone in your [most probably fake] friend/contact list) and some timing calculations in order to conduct a portscan through that proxy to any target. The IP address is never revealed to the scanned victim, the same way the famous idle/zombie scan, discovered by antirez, works.

The idea, a proof of concept Pidgin patch and a detailed analysis can be read in the paper. You can find the whitepaper here:
http://sock-raw.org/papers/abusing_network_protocols
and the presentation slides:
http://sock-raw.org/papers/anp_presentation.pdf

It is interesting to see how seemingly "innocent" protocols like XMPP can still be abused to do things like the above attack.

Regards,
ithilgore

--
http://sock-raw.org
http://twitter.com/ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/