lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20081115070242.63yo3ux40gs8wgks@securebits.org>
Date: Sat, 15 Nov 2008 07:02:42 -0500
From: AR Samhuri <ar@...urebits.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Dynamic Port Scanner [DPS] a reliable spoofed
	source IP P.S.

Subject:    Dynamic Port Scanner [DPS] v1.5 tool release
Homepage:   http://www.securebits.org/dps.html
Download:   http://www.securebits.org/projects/dps-v1.5.tar.gz
=================================================================================

Dynamic Port Scanner -  A Reliable Spoofed Source IP Port Scanner
-----------------------------------------------------------------

0x01 Introduction

The sole idea of the Dynamic Port Scanner (DPS) is to provide a reliable
spoofed source IP port scanner. The spoofed source IP is dynamically generated
at run time and it varies for every scan packet; every scan packet carries a
random spoofed source IP. Traditionally, a port scan with a spoofed source IP
has been considered unreliable due to the fact that reply packets would not
reach back the scanning system. However, the technique used by DPS ensures the
reliability of such spoofed scan. This technique is based on the  
integration of
ARP Poisoning into port scanning to achieve the desired result. The spoofed IP
addresses used by DPS during a scanning process fall within the range of the
local subnet. Thus, DPS is best suited for internal scanning.

0x02 Features

     * DPS V 1.5 is a multi-threaded application. It creates upto THREADS_MAX
       threads at once. Each thread scans a port and does the corresponding ARP
       Poisoning.
     * DPS differentiates between a scanned host withing the local net and a
       host outside the local net. If the scanned host is within the local net,
       it is the target of ARP poisoning. If not, the gateway/router  
will be the
       target of ARP poisoning.
     * The spoofed source IP will never match the IP of the scanned machine if
       it is within the local net. The reason is that one cannot ARP-poison a
       host with fake info about the machine itself.
     * DPS features 10 different TCP stealth scanning techniques. These are:
       SYN, FIN, NULL, ACK, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3.
     * DPS is built on top of Libpcap and Libnet

0x03 Code

     * dps-v1.5.tar.gz (Multi-threaded and optimized)
       [http://www.securebits.org/projects/dps-v1.5.tar.gz]
     * dps-v1.1.tar.gz (performs sequential scan)
       [http://www.securebits.org/projects/dps-v1.1.tar.gz]

0x04 Examples

     * Example 1: The default option will scan the ports 1-1024 using SYN scan
                  type.

       suse2:/home/ar/dps-v1.5 # dps 10.1.10.239
       ============================================================
       Dynamic Port Scanner [DPS] version 1.5
       A Reliable Spoofed Source IP Port Scanner
       Copyright (c) 2006 - 2008 AR Samhuri
       ============================================================
       =========================== SCAN RESULT ===========================
       Scanned Host: 10.1.10.239 (10.1.10.239)
       Scan Type: TCP SYN Scan [____S_]
       Total Scan Time: 109 seconds
       Number of scanned ports: 1024
       { [open 3] [filtered 1021] }
       ---- ------ ------- ---------------
       port status service used spoofed IP
       ---- ------ ------- ---------------
       135 open epmap 10.1.10.124 (10.1.10.124)
       139 open netbios-ssn 10.1.10.51 (10.1.10.51)
       445 open microsoft-ds 10.1.10.75 (10.1.10.75)
       The rest of the ports are filtered

    * Example 2: Scanning a host using ACK scan type and verbosity = 1

       suse2:/home/ar/dps-v1.5 # dps -v -t A -p  
53,80,88,21,22,135,139,445,464 10.1.0.74
       ============================================================
       Dynamic Port Scanner [DPS] version 1.5
       A Reliable Spoofed Source IP Port Scanner
       Copyright (c) 2006 - 2008 AR Samhuri
       ============================================================
       Initializing DPS...
       Starting Scanning...
       Port 80 [UNFILTERED]
       Port 88 [UNFILTERED]
       Port 135 [UNFILTERED]
       Port 21 [UNFILTERED]
       Port 22 [UNFILTERED]
       Port 139 [UNFILTERED]
       Port 445 [UNFILTERED]
       Port 464 [UNFILTERED]
       Port 53 [UNFILTERED]
       Ending Scanning...
       =========================== SCAN RESULT ===========================
       Scanned Host: 10.1.0.74 (10.1.0.74)
       Scan Type: TCP ACK Scan [_A____]
       Total Scan Time: 2 seconds
       Number of scanned ports: 9
       { [unfiltered 9] }
       All the ports are unfiltered

    * Example 3: Scanning a host using SYN scan type and verbosity = 2

       suse2:/home/ar/dps-v1.5 # dps -vv -p  
80,88,21,22,135,139,445,464 10.1.0.76
       ============================================================
       Dynamic Port Scanner [DPS] version 1.5
       A Reliable Spoofed Source IP Port Scanner
       Copyright (c) 2006 - 2008 AR Samhuri
       ============================================================
       Initializing DPS...
       Starting Scanning...
       PORT [80] SPOOFED IP [10.1.10.87] STATUS [closed]
       PORT [88] SPOOFED IP [10.1.0.76] STATUS [open]
       PORT [21] SPOOFED IP [10.1.10.98] STATUS [closed]
       PORT [22] SPOOFED IP [10.1.10.34] STATUS [closed]
       PORT [139] SPOOFED IP [10.1.10.109] STATUS [open]
       PORT [135] SPOOFED IP [10.1.0.76] STATUS [open]
       PORT [445] SPOOFED IP [10.1.0.76] STATUS [open]
       PORT [464] SPOOFED IP [10.1.10.106] STATUS [open]
       Ending Scanning...
       =========================== SCAN RESULT ===========================
       Scanned Host: 10.1.0.76 (10.1.0.76)
       Scan Type: TCP SYN Scan [____S_]
       Total Scan Time: 2 seconds
       Number of scanned ports: 8
       { [open 5] [closed 3] }
       ---- ------ ------- ---------------
       port status service used spoofed IP
       ---- ------ ------- ---------------
       80 closed http 10.1.10.87 (10.1.10.87)
       88 open kerberos 10.1.10.81 (10.1.10.81)
       21 closed ftp 10.1.10.98 (10.1.10.98)
       22 closed ssh 10.1.10.34 (10.1.10.34 )
       135 open epmap 10.1.10.59 (10.1.10.59)
       139 open netbios-ssn 10.1.10.109 (10.1.10.109)
       445 open microsoft-ds 10.1.10.8 (10.1.10.8)
       464 open kpasswd 10.1.10.106 (10.1.10.106)

0x05 Additional Materials

     * Whitepaper: Dynamic Port Scanning, AR Samhuri and H.K.
       [http://www.securebits.org/papers/dps_wp.pdf]
     * Presentation: Dynamic Port Scanning, AR Samhuri, Ruxcon 2006
       [http://www.securebits.org/presentations/AR_DPS_RUXCON_06.ppt]

0x05 Author
AR Samhuri <ar[at]securebits[dot]org>

0x06 Credits
Thanks to "Saddam" for beta-testing the Version 1.5 of the tool.
-- 
AR Samhuri
Network Security Researcher
Securebits (http://www.securebits.org)





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ