| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri May 5 21:11:21 2006 From: tim-security at sentinelchicken.org (Tim) Subject: Idle scan rediscovered!!! > 2. There seem to be something with ACK packets to exploit for > idle-scanning: > > hping3 -A -r host -p 80 > > Gives back exploitable incremental IPID on a Linux 2.6.15 box. Are you sure? Just because the sequences are predictable or even incremental for your source host doesn't mean it is exploitable. This is old information, but I would assume it is still the case (until someone presents hard evidence otherwise): "One good approach is to use connection or peer-specific IPID sequences. Solaris does this, and it severely limits the information attackers can glean about other connections. Linux 2.4 also uses peer-specific IPID values (see net/ipv4/inetpeer.c). In addition, Linux 2.4 zeros the IPID fields in packets with the DF (Don't Fragment) bit set. After all, IP defragmentation is the only critical use of the ID field. Another approach (used by OpenBSD) is to randomize the IPID sequence. This is difficult to get right -- be sure the sequence does not repeat and that individual numbers will not be used twice in a short period." This quote is taken from: http://www.insecure.org/nmap/idlescan.html So, if a host maintains a predictable sequence, but it maintains independent sequences for each destination it sends packets to, then it isn't exploitable. I haven't tested it in recent Linux kernels myself, but I also haven't seen anyone present solid evidence to the contrary of this older information. thanks, tim
Powered by blists - more mailing lists