Nmap Development mailing list archives
Re: A new zombie port scanning attack
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 10 Jun 2010 17:31:46 +0300
On 06/10/2010 04:36 PM, Richard Miles wrote:
Hi,
If I understood correctly, you need a server that supports this XMPP service, so it's similar to a proxy, right?
Essentially, almost every XMPP server out there supports file transfer (either with the Jingle protocol or the Session Initiation protocol). This means that you can use any of your 'fake' buddies or socially engineered victims as 'zombies' to scan your target.
Is there a more generic way to do a stealthy port scanning attack, in order to conduct a portscan where the real IP is never disclosed? It would be very useful to scan external and internal networks with reactive IPSes that make nmap useless.
The good thing is that you can specify *any* kind of IP address in the proxy (scanned target) list you send to the zombie host. You can use that to scan hosts that are even behind NAT devices or otherwise restrictive firewalls. The disadvantage is that the technique is really slow.

I don't know what you mean by a more generic way, but what comes to mind is that if services like Facebook ever support file transfer through XMPP, then this attack will become even more menacing (for obvious reasons).

Regards,
ithilgore
Thanks.

On Tue, Jun 8, 2010 at 10:23 PM, ithilgore <ithilgore.ryu.l () gmail com> wrote:

Hello nmap-dev.

As I promised in my last status report, I am writing about that new zombie scan that I presented at athcon ( http://www.athcon.org/ ), a new security conference in Athens, Greece. In my presentation "Abusing Network Protocols" that I gave there, I demonstrated a new stealthy port scanning attack that is made possible by abusing XMPP. The technique uses a "zombie" host (that can be anyone in your [most probably fake] friend/contact list) and some timing calculations in order to conduct a portscan through that proxy to any target. The IP address is never revealed to the scanned victim, the same way the famous idle/zombie scan, discovered by antirez, works.

The idea, a proof-of-concept pidgin patch and a detailed analysis can be read in the paper. You can find the whitepaper here: http://sock-raw.org/papers/abusing_network_protocols and the presentation slides: http://sock-raw.org/papers/anp_presentation.pdf

It is interesting to see how seemingly "innocent" protocols like XMPP can still be abused to do things like the above attack.

Regards,
ithilgore

--
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
--
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
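Editor's added example (not code from the thread, the whitepaper, or the pidgin patch mentioned above): the mechanism the two messages describe, a scanned host:port planted in the streamhost list that an XMPP file-transfer offer hands to the zombie, expressed on top of XEP-0065 SOCKS5 Bytestreams, the file-transfer negotiation in which the initiator lists <streamhost/> candidates and the peer connects to them in order. The offer builder and parser follow that XEP; the zombie itself is simulated here, and the JIDs, the RFC 5737 addresses, the timing constants and the decision threshold are assumptions made for the demonstration, not values from the paper.

```python
import xml.etree.ElementTree as ET

NS_BYTESTREAMS = "http://jabber.org/protocol/bytestreams"

# Placeholder JID for the streamhost entry that carries the scanned address
# (assumed for this demonstration; a client only echoes it back to us).
PROBE_JID = "probe@example.invalid"

# Assumed timing model, in seconds: a refused connection fails almost at once
# (RST), a filtered port makes the client sit through its SYN timeout.  Real
# values depend on the client's socket settings and the path to the target.
RST_DELAY = 0.05
SYN_TIMEOUT = 3.0
CLOSED_VS_FILTERED = 1.0   # split point between the two failure timings


def build_streamhost_offer(sid, initiator_jid, zombie_jid,
                           target_host, target_port,
                           fallback_host, fallback_port):
    """XEP-0065 IQ-set the initiator sends to the zombie.  Streamhosts are
    tried in document order, so the scanned host:port goes first and an
    initiator-controlled streamhost last, as the fallback the zombie uses
    whenever the first entry refuses or times out."""
    iq = ET.Element("iq", {"type": "set", "from": initiator_jid,
                           "to": zombie_jid, "id": sid + "-offer"})
    query = ET.SubElement(iq, "query", {"xmlns": NS_BYTESTREAMS,
                                        "sid": sid, "mode": "tcp"})
    ET.SubElement(query, "streamhost", {"jid": PROBE_JID, "host": target_host,
                                        "port": str(target_port)})
    ET.SubElement(query, "streamhost", {"jid": initiator_jid, "host": fallback_host,
                                        "port": str(fallback_port)})
    return ET.tostring(iq, encoding="unicode")


def parse_streamhosts(offer_xml):
    """Zombie side: (jid, host, port) candidates in the order they were listed."""
    root = ET.fromstring(offer_xml)
    tag = "{%s}streamhost" % NS_BYTESTREAMS
    return [(sh.get("jid"), sh.get("host"), int(sh.get("port")))
            for sh in root.iter(tag)]


def simulate_zombie(offer_xml, port_state_of):
    """Simulated zombie: connect to each streamhost in turn and report the
    first one whose TCP connection succeeds (the <streamhost-used/> reply).
    `port_state_of(host, port)` stands in for the network and returns 'open',
    'closed' or 'filtered'.  Waits are accounted for, not slept.
    Returns (streamhost-used jid or None, seconds the zombie spent)."""
    elapsed = 0.0
    for jid, host, port in parse_streamhosts(offer_xml):
        state = port_state_of(host, port)
        if state == "open":
            return jid, elapsed
        elapsed += RST_DELAY if state == "closed" else SYN_TIMEOUT
    return None, elapsed


def infer_port_state(used_jid, elapsed):
    """Initiator side: which streamhost the zombie reported and how long it
    took is all the scanner sees; the target only ever saw the zombie's IP."""
    if used_jid == PROBE_JID:
        return "open"        # zombie connected straight to the target entry
    if elapsed < CLOSED_VS_FILTERED:
        return "closed"      # fast failure, then fallback: an RST came back
    return "filtered"        # slow failure, then fallback: the SYN timed out


def zombie_scan(target_host, ports, port_state_of,
                initiator_jid="scanner@xmpp.example",
                zombie_jid="buddy@xmpp.example",
                fallback=("198.51.100.7", 7777)):
    """One offer per port, one verdict per port, through the simulated zombie."""
    results = {}
    for i, port in enumerate(ports):
        offer = build_streamhost_offer("sid%d" % i, initiator_jid, zombie_jid,
                                       target_host, port, *fallback)
        used, elapsed = simulate_zombie(offer, port_state_of)
        results[port] = infer_port_state(used, elapsed)
    return results


# Constructed network for the demonstration (RFC 5737 documentation addresses).
TARGET_HOST = "192.0.2.10"
CONSTRUCTED_PORTS = {22: "open", 23: "closed", 445: "filtered"}


def constructed_network(host, port):
    if host == TARGET_HOST:
        return CONSTRUCTED_PORTS.get(port, "closed")
    return "open"   # the initiator's own fallback streamhost always accepts


if __name__ == "__main__":
    for port, state in zombie_scan(TARGET_HOST, [22, 23, 445],
                                   constructed_network).items():
        print(TARGET_HOST, port, state)
```

Two caveats on the model. It stops at the TCP handshake: a real XEP-0065 client goes on to run a SOCKS5 handshake against whatever answered, so what a given client does when the target port is open but not a SOCKS5 proxy is client-specific, and the whitepaper linked above is the place to look for how the pidgin patch actually measures it. And only the closed/filtered split rests on timing, so the threshold has to be calibrated against the round trip to the fallback streamhost on the real network; this is also where the "really slow" remark above comes from, since every filtered port costs the zombie a full SYN timeout before it falls through.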
Current thread:
- A new zombie port scanning attack ithilgore (Jun 08)
- Re: A new zombie port scanning attack Richard Miles (Jun 10)
- Re: A new zombie port scanning attack ithilgore (Jun 10)
- Re: A new zombie port scanning attack Richard Miles (Jun 10)