Nmap Development mailing list archives

"Idle scan" using fragment cache


From: David Fifield <david () bamsoftware com>
Date: Tue, 26 Aug 2014 22:44:52 -0700

I learned of a neat new technique for an idle-like scan (that doesn't
actually require the zombie to be idle). It was in work by Jeffrey
Knockel and Jed Crandall presented at the FOCI workshop this year.

It uses the IP fragment cache, where fragments wait until they can be
reassembled. The scanning host first salts the target with fragments
bearing different IP IDs, spoofed as if they come from the zombie. It
then spoofs large echo requests from the target back to the zombie; the
packets are large enough that the replies will be fragmented. The zombie
replies to the echo requests with fragmented echo replies, using its own
per-destination IP ID counter. If any of those replies happens to have
the same IP ID as one of the previously planted probes in the cache,
then it completes the packet and the probe is removed from the cache. A
follow-up step measures how many cache entries were removed. After some
iteration of this process you can learn the zombie's IP ID counter
value.

https://www.usenix.org/conference/foci14/workshop-program/presentation/knockel
https://www.usenix.org/system/files/conference/foci14/foci14-knockel.pdf

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
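From the target's side, the salting step described above leaves a distinctive footprint in the reassembly cache: many head fragments from one (spoofed) source, each with a different IP ID, that never complete. The following detector is an added example for this archive page, not code from the post or from the FOCI paper; it assumes a constructed list of fragment records (timestamp, src, dst, IP ID, MF flag, offset) and treats a datagram as complete once a head and a tail fragment have both been seen, a simplification of real hole-tracking reassembly.

```python
from collections import defaultdict

# Constructed fragment records, not real traffic:
# (ts_seconds, src, dst, ip_id, more_fragments, fragment_offset)
SAMPLE_FRAGMENTS = [
    # twelve head fragments from one source with distinct IP IDs; tails never arrive
    *[(float(i), "198.51.100.7", "203.0.113.5", 1000 + i, True, 0) for i in range(12)],
    # a normal fragmented datagram that completes almost immediately
    (2.0, "192.0.2.9", "203.0.113.5", 41, True, 0),
    (2.1, "192.0.2.9", "203.0.113.5", 41, False, 185),
    # a datagram from the same suspicious source that does complete
    (5.0, "198.51.100.7", "203.0.113.5", 1200, True, 0),
    (5.2, "198.51.100.7", "203.0.113.5", 1200, False, 185),
]

def expired_incomplete(frags, now, window=30.0):
    """Map (src, dst) -> set of IP IDs whose head fragment was seen but which never
    completed before the reassembly window elapsed.  Assumption: a datagram counts
    as complete once both a head (offset 0, MF set) and a tail (MF clear, offset > 0)
    fragment have been seen; a real reassembler also checks for holes in between."""
    heads = {}
    tails = set()
    for ts, src, dst, ip_id, more, offset in frags:
        key = (src, dst, ip_id)
        if offset == 0 and more:
            heads.setdefault(key, ts)      # keep the first time the head was seen
        if not more and offset > 0:
            tails.add(key)
    stale = defaultdict(set)
    for (src, dst, ip_id), ts in heads.items():
        if (src, dst, ip_id) not in tails and now - ts >= window:
            stale[(src, dst)].add(ip_id)
    return dict(stale)

def flag_fragment_salting(frags, now, window=30.0, threshold=8):
    """Return {(src, dst): count} for source/destination pairs holding at least
    `threshold` distinct never-completed fragment IDs in the cache.  The threshold
    is an assumed tuning value; legitimate fragmented traffic rarely leaves many
    distinct stale IDs from a single source behind."""
    return {pair: len(ids)
            for pair, ids in expired_incomplete(frags, now, window).items()
            if len(ids) >= threshold}

if __name__ == "__main__":
    print(flag_fragment_salting(SAMPLE_FRAGMENTS, now=60.0))
```

Feeding the same logic with real reassembly-cache statistics (for example, per-source counts of timed-out fragments) gives the target a way to notice it is being used as the cache in this scan.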

