[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20081115070242.63yo3ux40gs8wgks@securebits.org>
Date: Sat, 15 Nov 2008 07:02:42 -0500
From: AR Samhuri <ar@...urebits.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Dynamic Port Scanner [DPS] a reliable spoofed
source IP P.S.
Subject: Dynamic Port Scanner [DPS] v1.5 tool release
Homepage: http://www.securebits.org/dps.html
Download: http://www.securebits.org/projects/dps-v1.5.tar.gz
=================================================================================
Dynamic Port Scanner - A Reliable Spoofed Source IP Port Scanner
-----------------------------------------------------------------
0x01 Introduction
The sole idea of the Dynamic Port Scanner (DPS) is to provide a reliable
spoofed source IP port scanner. The spoofed source IP is dynamically generated
at run time and it varies for every scan packet; every scan packet carries a
random spoofed source IP. Traditionally, a port scan with a spoofed source IP
has been considered unreliable due to the fact that reply packets would not
reach back the scanning system. However, the technique used by DPS ensures the
reliability of such spoofed scan. This technique is based on the
integration of
ARP Poisoning into port scanning to achieve the desired result. The spoofed IP
addresses used by DPS during a scanning process fall within the range of the
local subnet. Thus, DPS is best suited for internal scanning.
0x02 Features
* DPS V 1.5 is a multi-threaded application. It creates upto THREADS_MAX
threads at once. Each thread scans a port and does the corresponding ARP
Poisoning.
* DPS differentiates between a scanned host withing the local net and a
host outside the local net. If the scanned host is within the local net,
it is the target of ARP poisoning. If not, the gateway/router
will be the
target of ARP poisoning.
* The spoofed source IP will never match the IP of the scanned machine if
it is within the local net. The reason is that one cannot ARP-poison a
host with fake info about the machine itself.
* DPS features 10 different TCP stealth scanning techniques. These are:
SYN, FIN, NULL, ACK, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3.
* DPS is built on top of Libpcap and Libnet
0x03 Code
* dps-v1.5.tar.gz (Multi-threaded and optimized)
[http://www.securebits.org/projects/dps-v1.5.tar.gz]
* dps-v1.1.tar.gz (performs sequential scan)
[http://www.securebits.org/projects/dps-v1.1.tar.gz]
0x04 Examples
* Example 1: The default option will scan the ports 1-1024 using SYN scan
type.
suse2:/home/ar/dps-v1.5 # dps 10.1.10.239
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri
============================================================
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.10.239 (10.1.10.239)
Scan Type: TCP SYN Scan [____S_]
Total Scan Time: 109 seconds
Number of scanned ports: 1024
{ [open 3] [filtered 1021] }
---- ------ ------- ---------------
port status service used spoofed IP
---- ------ ------- ---------------
135 open epmap 10.1.10.124 (10.1.10.124)
139 open netbios-ssn 10.1.10.51 (10.1.10.51)
445 open microsoft-ds 10.1.10.75 (10.1.10.75)
The rest of the ports are filtered
* Example 2: Scanning a host using ACK scan type and verbosity = 1
suse2:/home/ar/dps-v1.5 # dps -v -t A -p
53,80,88,21,22,135,139,445,464 10.1.0.74
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri
============================================================
Initializing DPS...
Starting Scanning...
Port 80 [UNFILTERED]
Port 88 [UNFILTERED]
Port 135 [UNFILTERED]
Port 21 [UNFILTERED]
Port 22 [UNFILTERED]
Port 139 [UNFILTERED]
Port 445 [UNFILTERED]
Port 464 [UNFILTERED]
Port 53 [UNFILTERED]
Ending Scanning...
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.0.74 (10.1.0.74)
Scan Type: TCP ACK Scan [_A____]
Total Scan Time: 2 seconds
Number of scanned ports: 9
{ [unfiltered 9] }
All the ports are unfiltered
* Example 3: Scanning a host using SYN scan type and verbosity = 2
suse2:/home/ar/dps-v1.5 # dps -vv -p
80,88,21,22,135,139,445,464 10.1.0.76
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri
============================================================
Initializing DPS...
Starting Scanning...
PORT [80] SPOOFED IP [10.1.10.87] STATUS [closed]
PORT [88] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [21] SPOOFED IP [10.1.10.98] STATUS [closed]
PORT [22] SPOOFED IP [10.1.10.34] STATUS [closed]
PORT [139] SPOOFED IP [10.1.10.109] STATUS [open]
PORT [135] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [445] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [464] SPOOFED IP [10.1.10.106] STATUS [open]
Ending Scanning...
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.0.76 (10.1.0.76)
Scan Type: TCP SYN Scan [____S_]
Total Scan Time: 2 seconds
Number of scanned ports: 8
{ [open 5] [closed 3] }
---- ------ ------- ---------------
port status service used spoofed IP
---- ------ ------- ---------------
80 closed http 10.1.10.87 (10.1.10.87)
88 open kerberos 10.1.10.81 (10.1.10.81)
21 closed ftp 10.1.10.98 (10.1.10.98)
22 closed ssh 10.1.10.34 (10.1.10.34 )
135 open epmap 10.1.10.59 (10.1.10.59)
139 open netbios-ssn 10.1.10.109 (10.1.10.109)
445 open microsoft-ds 10.1.10.8 (10.1.10.8)
464 open kpasswd 10.1.10.106 (10.1.10.106)
0x05 Additional Materials
* Whitepaper: Dynamic Port Scanning, AR Samhuri and H.K.
[http://www.securebits.org/papers/dps_wp.pdf]
* Presentation: Dynamic Port Scanning, AR Samhuri, Ruxcon 2006
[http://www.securebits.org/presentations/AR_DPS_RUXCON_06.ppt]
0x05 Author
AR Samhuri <ar[at]securebits[dot]org>
0x06 Credits
Thanks to "Saddam" for beta-testing the Version 1.5 of the tool.
--
AR Samhuri
Network Security Researcher
Securebits (http://www.securebits.org)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists