Nmap Development mailing list archives

Re: [Paper] New Idle Scan Techniques


From: Henri Doreau <henri.doreau () greenbone net>
Date: Mon, 25 Apr 2011 17:57:06 +0200

2011/4/21 Fyodor <fyodor () insecure org>:
David just sent me a link to a research paper which discloses a couple
novel port scanning techniques which are related to the Nmap idle scan
(-sI) in that they are side channel attacks which don't require
sending packets to the target from your real IP address.  One of the
techniques is based on TCP RST rate limiting and the other uses SYN
cache behavior.  Here is the paper:

http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf

Hello,

This paper is really cool!

I gave a try at implementing the first technique (TCP RST rate
limiting) within NSE.

I have patched NSE to do so, adding a "scanrule" and a -sK option to
enable script port scanning. This patch eases the development of
prototypes to evaluate such new scanning techniques and could also be
interesting to develop port scanning modules relying upon application
layers. Such modules could leverage the NSE libraries for the
corresponding protocols (scanner-ftp-bounce.nse would be nice, instead
of having it in the core for instance).

Both the script and the patch are just PoC but I would be glad to
improve them if someone likes the idea. Feedback welcome!

Regards.

-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Attachment: nse_scan.diff

Attachment: idlescan-rst.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
