Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Dynamic Port Scanner [DPS] a reliable spoofed source IP P.S.

From: AR Samhuri <ar () securebits org>
Date: Sat, 15 Nov 2008 06:49:31 -0500
Subject:    Dynamic Port Scanner [DPS] v1.5 tool release
Homepage:   http://www.securebits.org/dps.html
Download:   http://www.securebits.org/projects/dps-v1.5.tar.gz
=================================================================================

Dynamic Port Scanner -  A Reliable Spoofed Source IP Port Scanner
-----------------------------------------------------------------

0x01 Introduction

The sole idea of the Dynamic Port Scanner (DPS) is to provide a reliable
spoofed source IP port scanner. The spoofed source IP is dynamically generated
at run time and it varies for every scan packet; every scan packet carries a
random spoofed source IP. Traditionally, a port scan with a spoofed source IP
has been considered unreliable due to the fact that reply packets would not
reach back the scanning system. However, the technique used by DPS ensures the
reliability of such spoofed scan. This technique is based on the integration of 
ARP Poisoning into port scanning to achieve the desired result. The spoofed IP
addresses used by DPS during a scanning process fall within the range of the
local subnet. Thus, DPS is best suited for internal scanning.

0x02 Features

    * DPS V 1.5 is a multi-threaded application. It creates upto THREADS_MAX
      threads at once. Each thread scans a port and does the corresponding ARP
      Poisoning.
    * DPS differentiates between a scanned host withing the local net and a
      host outside the local net. If the scanned host is within the local net,
it is the target of ARP poisoning. If not, the gateway/router will be the 
      target of ARP poisoning.
    * The spoofed source IP will never match the IP of the scanned machine if
      it is within the local net. The reason is that one cannot ARP-poison a
      host with fake info about the machine itself.
    * DPS features 10 different TCP stealth scanning techniques. These are:
      SYN, FIN, NULL, ACK, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3.
    * DPS is built on top of Libpcap and Libnet

0x03 Code

    * dps-v1.5.tar.gz (Multi-threaded and optimized)
      [http://www.securebits.org/projects/dps-v1.5.tar.gz]
    * dps-v1.1.tar.gz (performs sequential scan)
      [http://www.securebits.org/projects/dps-v1.1.tar.gz]

0x04 Examples

    * Example 1: The default option will scan the ports 1-1024 using SYN scan
                 type.

      suse2:/home/ar/dps-v1.5 # dps 10.1.10.239
      ============================================================
      Dynamic Port Scanner [DPS] version 1.5
      A Reliable Spoofed Source IP Port Scanner
      Copyright (c) 2006 - 2008 AR Samhuri
      ============================================================
      =========================== SCAN RESULT ===========================
      Scanned Host: 10.1.10.239 (10.1.10.239)
      Scan Type: TCP SYN Scan [____S_]
      Total Scan Time: 109 seconds
      Number of scanned ports: 1024
      { [open 3] [filtered 1021] }
      ---- ------ ------- ---------------
      port status service used spoofed IP
      ---- ------ ------- ---------------
      135 open epmap 10.1.10.124 (10.1.10.124)
      139 open netbios-ssn 10.1.10.51 (10.1.10.51)
      445 open microsoft-ds 10.1.10.75 (10.1.10.75)
      The rest of the ports are filtered

   * Example 2: Scanning a host using ACK scan type and verbosity = 1
suse2:/home/ar/dps-v1.5 # dps -v -t A -p 53,80,88,21,22,135,139,445,464 10.1.0.74 
      ============================================================
      Dynamic Port Scanner [DPS] version 1.5
      A Reliable Spoofed Source IP Port Scanner
      Copyright (c) 2006 - 2008 AR Samhuri
      ============================================================
      Initializing DPS...
      Starting Scanning...
      Port 80 [UNFILTERED]
      Port 88 [UNFILTERED]
      Port 135 [UNFILTERED]
      Port 21 [UNFILTERED]
      Port 22 [UNFILTERED]
      Port 139 [UNFILTERED]
      Port 445 [UNFILTERED]
      Port 464 [UNFILTERED]
      Port 53 [UNFILTERED]
      Ending Scanning...
      =========================== SCAN RESULT ===========================
      Scanned Host: 10.1.0.74 (10.1.0.74)
      Scan Type: TCP ACK Scan [_A____]
      Total Scan Time: 2 seconds
      Number of scanned ports: 9
      { [unfiltered 9] }
      All the ports are unfiltered

   * Example 3: Scanning a host using SYN scan type and verbosity = 2
suse2:/home/ar/dps-v1.5 # dps -vv -p 80,88,21,22,135,139,445,464 10.1.0.76 
      ============================================================
      Dynamic Port Scanner [DPS] version 1.5
      A Reliable Spoofed Source IP Port Scanner
      Copyright (c) 2006 - 2008 AR Samhuri
      ============================================================
      Initializing DPS...
      Starting Scanning...
      PORT [80] SPOOFED IP [10.1.10.87] STATUS [closed]
      PORT [88] SPOOFED IP [10.1.0.76] STATUS [open]
      PORT [21] SPOOFED IP [10.1.10.98] STATUS [closed]
      PORT [22] SPOOFED IP [10.1.10.34] STATUS [closed]
      PORT [139] SPOOFED IP [10.1.10.109] STATUS [open]
      PORT [135] SPOOFED IP [10.1.0.76] STATUS [open]
      PORT [445] SPOOFED IP [10.1.0.76] STATUS [open]
      PORT [464] SPOOFED IP [10.1.10.106] STATUS [open]
      Ending Scanning...
      =========================== SCAN RESULT ===========================
      Scanned Host: 10.1.0.76 (10.1.0.76)
      Scan Type: TCP SYN Scan [____S_]
      Total Scan Time: 2 seconds
      Number of scanned ports: 8
      { [open 5] [closed 3] }
      ---- ------ ------- ---------------
      port status service used spoofed IP
      ---- ------ ------- ---------------
      80 closed http 10.1.10.87 (10.1.10.87)
      88 open kerberos 10.1.10.81 (10.1.10.81)
      21 closed ftp 10.1.10.98 (10.1.10.98)
      22 closed ssh 10.1.10.34 (10.1.10.34 )
      135 open epmap 10.1.10.59 (10.1.10.59)
      139 open netbios-ssn 10.1.10.109 (10.1.10.109)
      445 open microsoft-ds 10.1.10.8 (10.1.10.8)
      464 open kpasswd 10.1.10.106 (10.1.10.106)

0x05 Additional Materials

    * Whitepaper: Dynamic Port Scanning, AR Samhuri and H.K.
      [http://www.securebits.org/papers/dps_wp.pdf]
    * Presentation: Dynamic Port Scanning, AR Samhuri, Ruxcon 2006
      [http://www.securebits.org/presentations/AR_DPS_RUXCON_06.ppt]

0x05 Author
AR Samhuri <ar[at]securebits[dot]org>

0x06 Credits
Thanks to "Saddam" for beta-testing the Version 1.5 of the tool.

--
AR Samhuri
Network Security Researcher
Securebits (http://www.securebits.org)






------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: