Date: Tue Dec  6 01:56:19 2005
From: rembrandt at jpberlin.de (Rembrandt)
Subject: Spoof tricks & Tips ?

On Mon, 5 Dec 2005 17:44:03 -0800
Mark Sec <mark.sec@...il.com> wrote:

> Alo folks,
> 
> 
> Well, I'm testing servers and I need to scan all the ports evading IDS,
> IPS; I don't want my real IP to be seen
> 
> e.g. spoof scan with Nmap
> 
> 
> nmap -v -n -sT -P0 -e eth0 -p
> 21,22,23,25,111,135,139,445,443,1433,1434,1521,2301, -S 1.1.1.1
> 150.210.30.117
> 
> 
> Or my little script:
> 
> =========cut here================================
> #spoof address that you want
> spoofed=0.0.0
> # target to scan
> target=150.210.30.117
> #  target is the host to be scanned
> port=1
> #  port will be incremented 1-1024
> saddr=2
> # saddr is the starting host of the spoofed address
> 
> while [ $port -lt 1024 ]
> do
> 
> #nc -vv -u  -w10 -n -z -s 0.0.0.${saddr}  $target $port
> 
> # or
> 
> sleep 2
> 
> nmap -v -n -sT -P0 -e eth0 -p $port -S ${spoofed}.${saddr}  $target
> 
> port=`expr $port + 1`
> saddr=`expr $saddr + 1`
> if [ $saddr -gt 254 ]
>         then
>         saddr=2
>         fi
> done
> exit
> =============cut here==========================
> 
> Does anyone have more tricks, tips, or shell scripts to scan while hiding/evading
> IDS, IPS and the real IP?
> 
> - Mark :-)

nmap supports zombie scans and also FTP bounce scanning.
And the -D option should be helpful too...

You should just take care that the port doesn't transfer a lot of traffic
(zombie scan).

Another neat trick is passive port identification by simply just
sniffing the traffic. But you have to wait until somebody makes a
connection.

If you choose the -T1 option for the timing: generating a new valid
MAC address every 5 minutes is maybe also helpful.
But this could be detected (but I never saw such a paranoid setting).

You maybe also won't scan with nmap because nmap scans are easy to
detect. And reducing the ports to e.g. just 3 or 5 (for one
scan session; you can do several, each time with a break between them)
would also help because then you can do a full-connect scan to avoid
the detection of SYN scans.

Just some ideas :-)

Kind regards,
Rembrandt
-- 
God did a bless on me,
So accept the dark side in you.
Hate leads me to victory, so give me a war.
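Added example, not part of either message in this thread: a small defender-side triage script for the scan patterns discussed above. The quoted script rotates a forged 0.0.0.x source address per probe, and the reply suggests decoys (-D), slow timing (-T1) and a few ports per session. Per-source thresholds miss all of that, so the detections below key on the destination instead: a sliding window counts distinct destination ports per target host whatever the source, a martian check flags sources that cannot legitimately originate traffic (0.0.0.0/8 and friends), and a lockstep check finds the same target port hit by several sources within a couple of seconds, which is how decoy bursts look on the wire. The log format, the window sizes and the sample records are constructed for this example (targets and most sources use RFC 5737 documentation ranges), not taken from any real capture.

```python
"""Defender-side triage of source-rotated, low-and-slow and decoy port scans.
Added example, not from the original thread. The detections aggregate on the
destination, so spoofing or rotating the source address does not reset them."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): "<ISO time> <src_ip> <dst_ip> <dst_port>".
# The 0.0.0.x sources mirror the addresses the quoted script fabricates; the
# 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2005-12-06T01:00:00 0.0.0.2 192.0.2.10 21
2005-12-06T01:00:02 0.0.0.3 192.0.2.10 22
2005-12-06T01:00:04 0.0.0.4 192.0.2.10 23
2005-12-06T01:00:06 0.0.0.5 192.0.2.10 25
2005-12-06T01:00:08 0.0.0.6 192.0.2.10 111
2005-12-06T01:05:00 198.51.100.7 192.0.2.10 443
2005-12-06T01:20:00 203.0.113.8 192.0.2.10 80
2005-12-06T01:20:01 203.0.113.9 192.0.2.10 80
2005-12-06T01:20:02 203.0.113.10 192.0.2.20 443
2005-12-06T01:35:00 198.51.100.11 192.0.2.20 443
"""

# Blocks that must never be the source of a packet arriving from outside
# ("martians"): "this" network, loopback, multicast, reserved.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in
                   ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def parse_log(text):
    """Parse the log into (timestamp, src, dst, port) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events, key=lambda e: e[0])


def martian_sources(events):
    """Sources that are forged by construction: no external host can own them."""
    return sorted({src for _, src, _, _ in events
                   if any(ipaddress.ip_address(src) in net for net in MARTIAN_SOURCES)})


def detect_port_sweeps(events, window_seconds=600, min_ports=5):
    """Per destination host, slide a time window over every connection attempt
    regardless of source; alert when the window holds >= min_ports distinct
    destination ports. Returns {dst: alert} for the first window that trips."""
    alerts = {}
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev[2]].append(ev)
    for dst, evs in by_dst.items():
        window = deque()                # (ts, src, port) currently inside the window
        port_counts = defaultdict(int)  # port -> occurrences inside the window
        for ts, src, _, port in evs:
            window.append((ts, src, port))
            port_counts[port] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, _, old_port = window.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= min_ports and dst not in alerts:
                alerts[dst] = {
                    "first": window[0][0],
                    "last": ts,
                    "ports": sorted(port_counts),
                    "sources": sorted({s for _, s, _ in window}),
                }
    return alerts


def detect_lockstep_sources(events, tolerance_seconds=2):
    """Find (dst, port) pairs probed by two or more distinct sources within
    tolerance_seconds of each other: decoy packets go out in the same burst as
    the real probe, so decoys and the true origin arrive together."""
    clusters = []
    by_target = defaultdict(list)
    for ts, src, dst, port in events:
        by_target[(dst, port)].append((ts, src))
    for (dst, port), hits in by_target.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > tolerance_seconds:
                start += 1
            srcs = {s for _, s in hits[start:end + 1]}
            if len(srcs) >= 2:
                clusters.append({"dst": dst, "port": port, "sources": sorted(srcs)})
                break  # one report per (dst, port) is enough for triage
    return clusters


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("martian sources:", martian_sources(evs))
    for dst, a in detect_port_sweeps(evs).items():
        print(f"sweep on {dst}: ports {a['ports']} from {len(a['sources'])} sources "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for c in detect_lockstep_sources(evs):
        print(f"lockstep probes on {c['dst']}:{c['port']} from {c['sources']}")
```

On the sample data the sweep detector fires for 192.0.2.10 after the fifth distinct port even though every probe came from a different forged source, the martian check lists all five 0.0.0.x addresses, and the lockstep check reports the two sources that hit port 80 a second apart. For the "3 or 5 ports per session with breaks in between" variant, widen window_seconds to a day and lower min_ports; the aggregation by destination is what makes the source rotation irrelevant, not the particular thresholds. On a real border the martian check belongs in the ingress filter rather than in post-hoc log analysis.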