Penetration Testing mailing list archives

Re: Port Scanning.


From: robert () dyadsecurity com
Date: Wed, 22 Dec 2004 12:47:12 -0800

robert () dyadsecurity com wrote on Wed, Dec 22, 2004:
> The only thing that isn't currently easy to do is TCP full connection
> payload injection from spoofed IP's.  We're working on a way to do
> that though :).

I know it's bad form to follow up on your own post...  What I was
talking about in the last email was a way to actually introduce the TCP
3-way handshake (connection) payload stimulus to the remote IP from a
spoofed source.  This is currently difficult on modern stacks.

However, many IPS/IDSs don't keep track of state, and you can actually
get the PSH/ACK TCP payload to trigger many IPSs from spoofed sources
now. By skipping the 3-way handshake, the remote IP will obviously not
treat it as part of an established connection, but if IPS trigger DoS
was your goal, who cares.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
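The post's point is that an inspector which pattern-matches every PSH/ACK segment, with no notion of connection state, will fire on a payload that was never part of a completed handshake. The following is an added, constructed example (not code from the post or from Dyad Security) contrasting a stateless matcher with a minimal stateful one over a hand-built packet list; the signature string `GET /cmd.exe`, the addresses, ports and the `Segment` type are all assumptions made for the illustration. The stateful inspector only raises the signature alert for traffic inside an established flow and classifies a handshake-less payload as an out-of-state event instead, which is the condition a defender would want logged separately rather than counted as a content hit.

```python
"""Stateless vs. stateful inspection of TCP segments (constructed example)."""
from dataclasses import dataclass

# Hypothetical content signature, constructed for this example only.
SIGNATURE = b"GET /cmd.exe"


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment: endpoints, flags and payload."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    payload: bytes = b""


def flow_key(seg):
    """Client-to-server flow identifier as seen from this segment."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def reverse_key(seg):
    """Same flow seen from the opposite direction."""
    return (seg.dst, seg.dport, seg.src, seg.sport)


def stateless_inspect(segments):
    """Alert on any segment whose payload matches, handshake or not."""
    return [("SIGNATURE", flow_key(s)) for s in segments if SIGNATURE in s.payload]


class StatefulInspector:
    """Tracks the three-way handshake per flow before trusting payload."""

    def __init__(self):
        # flow_key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
        self.state = {}

    def inspect(self, seg):
        key = flow_key(seg)
        f = seg.flags
        if "RST" in f:
            # Teardown: forget the flow in both directions.
            self.state.pop(key, None)
            self.state.pop(reverse_key(seg), None)
            return None
        if f == {"SYN"}:
            self.state[key] = "SYN_SENT"
            return None
        if f == {"SYN", "ACK"}:
            # Server reply; advance the client's flow if we saw its SYN.
            ckey = reverse_key(seg)
            if self.state.get(ckey) == "SYN_SENT":
                self.state[ckey] = "SYN_RECEIVED"
            return None
        if "ACK" in f and self.state.get(key) == "SYN_RECEIVED":
            # Third leg of the handshake completes the connection.
            self.state[key] = "ESTABLISHED"
        if not seg.payload:
            return None
        established = (self.state.get(key) == "ESTABLISHED"
                       or self.state.get(reverse_key(seg)) == "ESTABLISHED")
        if not established:
            # Payload with no connection behind it: log as its own event,
            # not as a content match.
            return ("OUT_OF_STATE_PAYLOAD", key)
        if SIGNATURE in seg.payload:
            return ("SIGNATURE", key)
        return None


def run_stateful(segments):
    """Feed segments through a StatefulInspector and collect its events."""
    insp = StatefulInspector()
    events = [insp.inspect(s) for s in segments]
    return [e for e in events if e is not None]


def sample_traffic():
    """Constructed traffic: one real handshake plus one handshake-less PSH/ACK."""
    payload = b"GET /cmd.exe HTTP/1.0\r\n"
    legit = [
        Segment("10.0.0.5", "10.0.0.80", 40000, 80, frozenset({"SYN"})),
        Segment("10.0.0.80", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
        Segment("10.0.0.5", "10.0.0.80", 40000, 80, frozenset({"ACK"})),
        Segment("10.0.0.5", "10.0.0.80", 40000, 80, frozenset({"PSH", "ACK"}), payload),
    ]
    # Same payload, but no SYN / SYN-ACK / ACK ever preceded it.
    spoofed = [
        Segment("203.0.113.9", "10.0.0.80", 51234, 80, frozenset({"PSH", "ACK"}), payload),
    ]
    return legit + spoofed


if __name__ == "__main__":
    segs = sample_traffic()
    print("stateless:", stateless_inspect(segs))
    print("stateful: ", run_stateful(segs))
```

Run stand-alone, the stateless matcher reports two signature hits while the stateful one reports one signature hit and one out-of-state payload. Real sensors also need sequence-number validation and state timeouts, which this toy omits.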

