Open Source and information security mailing list archives
Date: Tue Dec  6 01:58:25 2005
From: tim-security at sentinelchicken.org (Tim)
Subject: Spoof tricks & Tips ?

Hello Mark Sec,


> Well, I'm testing servers and I need to scan all the ports evading IDS,
> IPS, I don't want to see my real IP


Try reading your documentation more thoroughly.


~> man nmap
...
       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows
              for  a  truly  blind  TCP port scan of the
              target (meaning no packets are sent to the
              target   from   your   real  IP  address).
              Instead,  a  unique  side-channel   attack
              exploits predictable "IP fragmentation ID"
              sequence generation on the zombie host  to
              glean  information about the open ports on
              the target.  IDS systems will display  the
              scan as coming from the zombie machine you
              specify (which must be up and meet certain
              criteria).   I  wrote  an  informal  paper
              about this technique  at  http://www.inse-
              cure.org/nmap/idlescan.html .

              Besides   being  extraordinarily  stealthy
              (due to its blind nature), this scan  type
              permits  mapping  out IP-based trust rela-
              tionships  between  machines.   The   port
              listing shows open ports from the perspec-
              tive of the zombie host.  So you  can  try
              scanning  a  target  using various zombies
              that  you  think  might  be  trusted  (via
              router/packet  filter  rules).   Obviously
              this is crucial information  when  priori-
              tizing  attack  targets.   Otherwise,  you
              penetration testers might have  to  expend
              considerable  resources "owning" an inter-
              mediate system, only to find out that  its
              IP   isn't  even  trusted  by  the  target
              host/network you are ultimately after.

              You can add a colon  followed  by  a  port
              number  if  you wish to probe a particular
              port on the zombie host for IPID  changes.
              Otherwise  Nmap  will use the port it uses
              by default for "tcp pings".
...



tim
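The manual excerpt above says a zombie host must "meet certain criteria", the key one being a predictable IP ID sequence. As an added example (not code from the post or from Nmap), the classifier below lets a defender take a handful of IP ID values sampled from one of their own hosts and judge whether that host is predictable enough to be misused as a zombie; the step thresholds and class names are assumptions for illustration, not Nmap's.

```python
# Added example: audit an IP-ID sequence sampled from your own host to see
# whether it is predictable enough to serve as an idle-scan zombie.
# MAX_STEP is an assumed tolerance for other traffic interleaving with samples.

IPID_MODULUS = 1 << 16        # the IP Identification field is 16 bits wide
MAX_STEP = 16                 # assumption: steps up to this still look "incremental"

def ipid_deltas(ids):
    """Consecutive differences, wrapping modulo 2^16."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]

def classify_ipid_sequence(ids):
    """Return one of: all-zeros, constant, incremental,
    broken-incremental (little-endian counter sent unconverted), random."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "all-zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_STEP for d in deltas):
        return "incremental"
    # A host that increments a little-endian counter without byte-swapping it
    # shows up on the wire as steps that are multiples of 256.
    if all(d % 256 == 0 and 1 <= d // 256 <= MAX_STEP for d in deltas):
        return "broken-incremental"
    return "random"

def usable_as_zombie(ids):
    """True when a third party could infer the host's traffic volume from its IDs."""
    return classify_ipid_sequence(ids) in ("incremental", "broken-incremental")

if __name__ == "__main__":
    # Constructed samples, as if read from replies of a candidate host.
    samples = {
        "incremental host": [1000, 1001, 1002, 1003, 1004],
        "busy incremental host": [100, 103, 104, 108],
        "little-endian counter": [0x0100, 0x0200, 0x0300, 0x0400],
        "randomised host": [41231, 3, 60000, 1200],
        "constant id host": [5, 5, 5],
    }
    for name, ids in samples.items():
        print(f"{name:24} {classify_ipid_sequence(ids):20} zombie={usable_as_zombie(ids)}")
```

Hosts that classify as incremental or broken-incremental should have their IP ID generation randomised (or the field zeroed when fragmentation is off), which removes the side channel the manual describes.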
