Nmap Development mailing list archives
Re: [Paper] New Idle Scan Techniques
From: Henri Doreau <henri.doreau () greenbone net>
Date: Mon, 25 Apr 2011 17:57:06 +0200
2011/4/21 Fyodor <fyodor () insecure org>:
> David just sent me a link to a research paper which discloses a couple of novel port scanning techniques which are related to the Nmap idle scan (-sI) in that they are side channel attacks which don't require sending packets to the target from your real IP address. One of the techniques is based on TCP RST rate limiting and the other uses SYN cache behavior. Here is the paper: http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf
Hello,

This paper is really cool! I gave a try at implementing the first technique (TCP RST rate limiting) within NSE. I have patched NSE to do so, adding a "scanrule" and a -sK option to enable script port scanning.

This patch eases the development of prototypes to evaluate such new scanning techniques and could also be interesting to develop port scanning modules relying upon application layers. Such modules could leverage the NSE libraries for the corresponding protocols (scanner-ftp-bounce.nse would be nice, instead of having it in the core for instance).

Both the script and the patch are just PoC but I would be glad to improve them if someone likes the idea.

Feedback welcome!

Regards.

--
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Attachments: nse_scan.diff, idlescan-rst.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/