lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 13 Jul 2015 09:03:56 -0400
From:	Austin S Hemmelgarn <ahferroin7@...il.com>
To:	Matteo Croce <matteo@...nwrt.org>
CC:	Valdis Kletnieks <Valdis.Kletnieks@...edu>,
	Nicolas Dichtel <nicolas.dichtel@...nd.com>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] add stealth mode

On 2015-07-12 19:13, Matteo Croce wrote:
> 2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn <ahferroin7@...il.com>:
>> On 2015-07-06 15:44, Matteo Croce wrote:
>> Just to name a few that I know of off the top of my head:
>> 1. IP packets with any protocol number not supported by your current kernel
>> (these return a special ICMP message).
>
> Right, I'll handle them
>
>> 2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
>> kernel.
>
> Well, I've never played with SCTP before
It should still be checked, as should DCCP and RDS (those are the only 
other Layer 3 protocols that I have ever actually seen people try to 
scan hosts with besides TCP/UDP/SCTP).  SCTP itself is not hugely 
prevalent outside of some clustering uses, but it is still seen on the 
internet sometimes (for example, Gentoo has optional patches for OpenSSH 
to use SCTP).
>
>> 3. Theoretically, some IGMP messages.
>> 4. NDP messages.
>> 5. ARP queries looking for the machine's IP addresses.
>
> Yes I know, but it's unlikely to receive this packets from WAN, right?
> My flag is intended to be used mostly on WAN interfaces,
> machines in LAN should be easily discoverable IMHO.
In theory it's unlikely, but if you use any kind of IPv4 multicast on 
the WAN you will get IGMP (and MLD for IPv6 multicast).  You may also 
get some NDP queries also if you are using IPv6 and your WAN is itself 
behind a NAT router (and yes, there are ISP's who do that).
>
>> 6. Certain odd flag combinations on single TCP packets (check the
>> documentation for Nmap for more info regarding these), which I believe
>> (although I may be reading the code wrong) you aren't accounting for.
>
> I've tried many TCP flags combination with hping3, NUL, SYN/ACK, ACK,
> SYN/FIN, etc.
> They doesn't get any response when the flag is set
How about FIN/ACK and FIN/PSH/URG?
>
>> 7. DAD queries.
>
> Never looked at this packets, are a subset of NDP?
Kind of, it's an ICMPv6 extension for detecting if SLACC configured 
address is already in use.  Most distro's have support for it enabled by 
default.
>> 8. ICMP address mask queries (which you also don't appear to account for).
>
> It's deprecated and actually it doesn't get any response already
Just because it's deprecated doesn't mean you shouldn't account for it, 
although it does appear to get dropped by default by the kernel.

You should also test how different combinations of sysctls under 
/proc/sys/net affect this (there are for example already sysctls for 
ignoring certain types of ICMP packets).


Download attachment "smime.p7s" of type "application/pkcs7-signature" (2967 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ