Nmap Development mailing list archives

Re: A new zombie port scanning attack


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 10 Jun 2010 17:31:46 +0300

On 06/10/2010 04:36 PM, Richard Miles wrote:
Hi

If I understood correctly, you need a server that supports this XMPP
service, so it's similar to a proxy, right?

Essentially, almost every XMPP server out there supports file-transfer
(either with the Jingle protocol or the Session Initiation protocol). This
means that you can use any of your 'fake' buddies or socially engineered
victims as 'zombies' to scan your target.


Is there a more generic way to do a stealthy port scanning attack in
order to conduct a portscan where the real IP is never disclosed? It
would be very useful to scan external and internal networks with
reactive IPSes that render nmap useless.

The good thing is that you can specify *any* kind of IP address in the
proxy (scanned target) list you send to the zombie host. You can use that
to scan hosts that are even behind NAT devices or otherwise restrictive
firewalls. The disadvantage is that the technique is really slow. I don't
know what you mean by a more generic way but what comes to mind is that if
services like Facebook ever support file-transfer through XMPP, then this
attack will become even more menacing (for obvious reasons).

Regards,
ithilgore



thanks

On Tue, Jun 8, 2010 at 10:23 PM, ithilgore <ithilgore.ryu.l () gmail com> wrote:
Hello nmap-dev.

As I promised in my last status report, I am writing about that new zombie
scan that I presented at athcon ( http://www.athcon.org/ ), a new security
conference in Athens, Greece.

In my presentation "Abusing Network Protocols" that I gave there, I
demonstrated a new stealthy port scanning attack that is made possible by
abusing XMPP. The technique uses a "zombie" host (that can be anyone in
your [most probably fake] friend/contact list) and some timing calculations
in order to conduct a portscan through that proxy to any target. The IP
address is never revealed to the scanned victim, the same way the famous
idle/zombie scan, discovered by antirez, works.
The idea, a proof of concept pidgin patch and a detailed analysis can be
read in the paper.

You can find the whitepaper here:
http://sock-raw.org/papers/abusing_network_protocols
and the presentation slides:
http://sock-raw.org/papers/anp_presentation.pdf

It is interesting to see how seemingly "innocent" protocols like XMPP
can still be abused to do things like the above attack.

Regards,
ithilgore


--
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



-- 
http://sock-raw.org
http://twitter.com/ithilgore