Re: [Full-disclosure] Idle scan rediscovered!!!
> I'm aware of this fact. As I figure all my tests were done from the same > box, I'll still have to check it out. Let me test it more intensively > after this week-end and I'll let you know. Ah, sorry, didn't mean to state the obvious. On a side-note, I don't know if anyone has ever observed (and published) that setting up a tarpit for all TCP ports can effectively defeat some forms of idle scans at the victim side. (I'm thinking in terms of a tarpit like iptables' version of it, where all blocked ports are instead tarpitted with SYN/ACKs and no further responses.) I don't see a way in which an attacker can actually determine which ports are serviceable through an idle host. Anyone else worked through the scenarios and care to point out the problems with this defense strategy? I haven't really thought through all the cases... tim ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
> Your assumption that the idlescan is dead where wrong.. no investigation > needed I never said idle scans were dead. I merely dispute the half-baked claims that current Linux systems can be used as an idle host, or that they are somehow "rediscovered". tim ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
> Le vendredi 05 mai 2006 à 16:11 -0400, Tim a écrit : >> > Gives back exploitable incremental IPID on a Linux 2.6.15 box. >> Are you sure? Just because the sequences are predictable or even >> incremental for your source host doesn't mean it is exploitable. This >> is old information, but I would assume it is still the case (until >> someone presents hard evidence otherwise): > > I'm aware of this fact. As I figure all my tests were done from the same > box, I'll still have to check it out. Let me test it more intensively > after this week-end and I'll let you know. AND FTP-Bounce is dead too.. right? Wrong... Your assumption that the idlescan is dead where wrong.. no investigation needed You wanna (or wont..) check different distributions (Loonix) BSDs and other OSs and you`ll find a lot neat working OSs (in fact Stacks). "So I decided to go puplic" -> wow Some peoples even thought smurf was dead but MS 2003 Svr proofed us all wrong. (It was smurf..or? does not matter anyway..) ;) Rembrandt ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
Le vendredi 05 mai 2006 à 16:11 -0400, Tim a écrit : > > Gives back exploitable incremental IPID on a Linux 2.6.15 box. > Are you sure? Just because the sequences are predictable or even > incremental for your source host doesn't mean it is exploitable. This > is old information, but I would assume it is still the case (until > someone presents hard evidence otherwise): I'm aware of this fact. As I figure all my tests were done from the same box, I'll still have to check it out. Let me test it more intensively after this week-end and I'll let you know. -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
> 2. There seem to be something with ACK packets to exploit for >idle-scanning: > > hping3 -A -r host -p 80 > > Gives back exploitable incremental IPID on a Linux 2.6.15 box. Are you sure? Just because the sequences are predictable or even incremental for your source host doesn't mean it is exploitable. This is old information, but I would assume it is still the case (until someone presents hard evidence otherwise): "One good approach is to use connection or peer-specific IPID sequences. Solaris does this, and it severely limits the information attackers can glean about other connections. Linux 2.4 also uses peer-specific IPID values (see net/ipv4/inetpeer.c). In addition, Linux 2.4 zeros the IPID fields in packets with the DF (Don't Fragment) bit set. After all, IP defragmentation is the only critical use of the ID field. Another approach (used by OpenBSD) is to randomize the IPID sequence. This is difficult to get right -- be sure the sequence does not repeat and that individual numbers will not be used twice in a short period." This quote is taken from: http://www.insecure.org/nmap/idlescan.html So, if a host maintains a predictable sequence, but it maintains independent sequences for each destination it sends packets to, then it isn't exploitable. I haven't tested it in recent Linux kernels myself, but I also haven't seen anyone present solid evidence to the contrary of this older information. thanks, tim ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
Le vendredi 05 mai 2006 à 18:49 +0200, Cedric Blancher a écrit : > As standard 2.4/2.6 kernels behaviour is to set DF flag to 1, and IPID > to 0, it's a very bad candidate for an idle host. Mitigating this... 1. there's Marco Ivaldi finding posted on Bugtraq 2. There seem to be something with ACK packets to exploit for idle-scanning: hping3 -A -r host -p 80 Gives back exploitable incremental IPID on a Linux 2.6.15 box. Note that default ip_conntrack_tcp_loose of 3 prevents theses packets to get flaged as INVALID by conntrack. -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
Le vendredi 05 mai 2006 à 12:33 -0400, Tim a écrit : > Sorry, I'm having difficulty following some of the details of your > results. Are you using the Windows machines as the idle hosts only, or > is the Ubuntu box also being used as an idle host in some > configurations? As standard 2.4/2.6 kernels behaviour is to set DF flag to 1, and IPID to 0, it's a very bad candidate for an idle host. And sadly, it's no news that Windows boxes are prone to idle scanning because they have an incremental IPID generator... -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Idle scan rediscovered!!!
> please see my page for the technical details and screenshots of my > replication of the IDLE scan attack: > http://joeljose.pbwiki.com/idlescan Sorry, I'm having difficulty following some of the details of your results. Are you using the Windows machines as the idle hosts only, or is the Ubuntu box also being used as an idle host in some configurations? thanks, tim ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/