Penetration Testing mailing list archives
RE: Blind IP spoofing portscan tool?
From: Yonatan Bokovza <Yonatan () xpert com>
Date: Thu, 14 Jun 2001 16:13:26 +0300
For the fast readers, two introductions to this subject are at:
http://www.securiteam.com/securitynews/A_new_stealth_port_scanning_method.html
and at:
http://www.sans.org/infosecFAQ/audit/hping2.htm

They both refer to hping: http://www.kyuzz.org/antirez/hping.html
and I remember at least one tool that's designed to do exactly that scan:
http://packetstorm.securify.com/UNIX/scanners/6thSense.tgz

IP_ID is a field in the IP packet header that is meant to be different for every fragment of a packet, thereby helping the receiver to defrag a fragmented packet. Most OSs just increment it for every outgoing packet. OpenBSD, of course, randomizes that. Linux kernel 2.4 (IIRC) uses an IP_ID of zero whenever the packet doesn't need fragmentation and sets the DF flag on. So if fragmentation is needed, an ICMP_FragNeededButDon'tFragBitWasSet is received and the packet is resent, fragmented. FreeBSD has a patch, here: http://people.freebsd.org/~kris/ipid.patch . I don't know if it's committed yet, or ever will be.

Windows has (yet again) a peculiarity: it uses a different byte ordering for the IP_ID, so you can use that as another method to identify Windows. Regarding other OSs, you're welcome to enlighten me.
-----Original Message-----
From: Curt Wilson [mailto:netw3 () netw3 com]
Sent: Thursday, June 14, 2001 00:05
To: pen-test () securityfocus com
Subject: Blind IP spoofing portscan tool?

In the mailing for the Black Hat briefings, there is mention of a "blind IP spoofing portscan tool" or something along those lines. I'm curious about this tool: what is its name and what is the mechanism by which it works? I'd guess that it's something involving other elements of the IP stack or some tool that uses a 3rd party system to check IP IDs, sequence numbers, ICMP responses or something along those lines. I'd be interested to know more information; please share if you have this knowledge.

PS - I'm moving to Chicago soon and looking for a good security job, anyone got any leads?

Curt Wilson
netw3 () netw3 com
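The IP_ID generation schemes Yonatan lists above (per-packet counter, zero with DF set, byte-swapped counter, random) as an added Python example that is not from the thread, from hping or from 6thSense: it classifies a captured sequence of IP_ID values so an administrator can audit whether one of their own hosts exposes a predictable counter that an IP_ID-based third-party scan relies on. The `max_step` tolerance and the sample sequences are assumptions, not captured data.

```python
# Added example (not from the thread): classify how a host generates IP_ID
# values from a captured sequence, using the behaviours the mail describes.
# Sample sequences below are constructed by hand; nothing is sent on the wire.

ZERO, INCREMENTAL, INCREMENTAL_SWAPPED, RANDOM = (
    "zero", "incremental", "incremental-byteswapped", "random")

def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (the 'other' byte ordering)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)

def deltas(ids: list[int]) -> list[int]:
    """Step between consecutive IP_IDs mod 2^16, so 65535 -> 0 is a small step."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def is_incremental(ids: list[int], max_step: int = 64) -> bool:
    """True when every step is a small positive increment. A busy host sends
    packets to other peers between two of our probes, so steps up to
    max_step (an assumed threshold) still count as a plain counter."""
    steps = deltas(ids)
    return bool(steps) and all(1 <= s <= max_step for s in steps)

def classify_ip_id(ids: list[int]) -> str:
    """Map an observed IP_ID sequence to one of the schemes in the mail:
    zero, per-packet counter, byte-swapped counter, or random."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(v == 0 for v in ids):
        return ZERO                 # e.g. Linux 2.4 with DF set (per the mail)
    if is_incremental(ids):
        return INCREMENTAL          # plain counter, as most OSs do
    if is_incremental([byteswap16(v) for v in ids]):
        return INCREMENTAL_SWAPPED  # counter emitted in the other byte order
    return RANDOM                   # e.g. OpenBSD

def is_predictable(ids: list[int]) -> bool:
    """A host whose IP_ID is a counter can be observed as the third party
    in an IP_ID-based scan; audit your own hosts for this."""
    return classify_ip_id(ids) in (INCREMENTAL, INCREMENTAL_SWAPPED)

if __name__ == "__main__":
    samples = {                     # constructed, not captured
        "counter": [0x1001, 0x1002, 0x1003, 0x1005],
        "swapped": [0x0110, 0x0210, 0x0310, 0x0410],
        "zeros":   [0, 0, 0, 0],
        "random":  [0x9F3A, 0x1C77, 0xE201, 0x5B4D],
    }
    for name, seq in samples.items():
        print(f"{name:8s} -> {classify_ip_id(seq)} predictable={is_predictable(seq)}")
```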