From: Evrim ULU (evrim@envy.com.tr)
Date: Sat Apr 27 2002 - 04:52:54 EDT
I hope this time it will pass. ehe:-)
Hi,
I'm trying to scan inside my local NAT, but I'm having some problems and
I thought people here might help.
Setup is simple:
W2K Prof. NAT machine, with real IP xx.xx.xx.90 and NAT GW IP 192.168.0.1
Client behind the NAT machine has IP 192.168.0.2 (Linux)
My box: xx.xx.xx.66 (Linux)
First, from xx.66 I wrote:
hping2 -W -r xx.xx.xx.90
Then I send spoofed packets:
hping2 -S -p 22 -a 192.168.0.2 xx.xx.xx.90
Port 22 of the client box is open. After that, I sniffed from the client box
and saw that it generates an RST packet normally to the xx.xx.90.90 machine.
Also, the ID goes from +256 to +512. (The NAT machine is kept idle during
the test, of course.) From these, I understood that port 22 is open since
an RST packet is generated, etc.
Then I send a second packet to port 1 (tcpmux), which is closed. But the
same thing happens: the ID goes from +256 to +512 and nothing more happens.
The NAT machine behaves the same in both cases: in the first, taking the RST
packet from the client; in the second, taking UDP port unreachable. Btw, I've
checked the generated messages from the sniffer at the client machine.
So, is there a way to identify open and closed (filtered) ports inside
NAT? Or does W2K assign different ID numbers for different ether interfaces?
(I've read Solaris assigns different IDs for different processes. I
think W2K may do this not for every process but for each ethernet interface.)
PS: Before trying to go inside the NAT, I've successfully achieved
idle scanning a client behind the firewall with both client and firewall
having real IPs. I faced no problems. The ID field goes to +512 from
+256 in case the port is open. It stays at +256 if it gets an ICMP port
unreachable message.
Besides, I think that since during NAT exploitation we're sending two
packets and expecting a third, shouldn't the ID field be bigger than +512?
Thanks.
--
Evrim ULU evrim@envy.com.tr / evrim@core.gen.tr
sysadm http://www.core.gen.tr
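The IP ID accounting behind the idle scan described in the post, as an added simulation that is not part of the original message. It models the classic three-host scan from the PS (attacker, idle zombie, target) in plain Python with no packets sent: the zombie's single sequential IP ID counter, the Windows-style host-order increment that shows up as +256 per packet on the wire, and the rule that an unsolicited SYN/ACK makes the zombie emit an RST (consuming one ID) while an unsolicited RST is silently dropped. The `Zombie`/`Target` classes, the `idle_scan` helper and the 192.0.2.x addresses are constructed for this example. The simulation also shows two points the post's numbers turn on: the spoofed SYN itself costs the zombie no ID because it is addressed to the target, so an open port is +2 packets (+512 on the wire) and a closed one +1 (+256); and the raw wire delta is only a clean multiple of 256 while the low byte of a little-endian counter does not wrap, so the verdict should be taken on the byte-swapped (host-order) values rather than on the hping2 -r figure directly.

```python
"""Idle-scan IP ID accounting, simulated.

Constructed example: three hosts are modelled as Python objects and no
packets leave the machine. The 192.0.2.x addresses are placeholders.
"""
from dataclasses import dataclass


def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (host order <-> network order)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    flags: str  # "S" (SYN), "SA" (SYN/ACK) or "R" (RST)


@dataclass
class Zombie:
    """Host with one global, sequential IP ID counter.

    little_endian=True models the Windows behaviour the post observes: the
    counter is incremented in host byte order, so consecutive packets appear
    +256 apart on the wire instead of +1.
    """
    counter: int = 0x1000
    little_endian: bool = True

    def send(self) -> int:
        """Emit one packet and return its IP ID as it appears on the wire."""
        self.counter = (self.counter + 1) & 0xFFFF
        return swap16(self.counter) if self.little_endian else self.counter

    def receive(self, seg: Segment):
        """Unsolicited SYN/ACK -> RST (costs one ID). Unsolicited RST -> dropped."""
        if seg.flags == "SA":
            return self.send()
        return None


@dataclass
class Target:
    open_ports: set

    def receive(self, seg: Segment) -> Segment:
        """SYN to an open port -> SYN/ACK, to a closed port -> RST; both go to seg.src."""
        flags = "SA" if seg.dport in self.open_ports else "R"
        return Segment(src=seg.dst, dst=seg.src, dport=0, flags=flags)


def probe(zombie: Zombie) -> int:
    """hping2 -r style probe: whatever the zombie answers carries its next ID."""
    return zombie.send()


def packets_consumed(before: int, after: int, little_endian: bool) -> int:
    """Number of packets the zombie sent between two observed wire IDs.

    Each observation is converted back to host order before subtracting, so
    the result is exact even when the counter's low byte wraps.
    """
    if little_endian:
        before, after = swap16(before), swap16(after)
    return (after - before) & 0xFFFF


def classify(consumed: int) -> str:
    """Map the zombie's ID consumption onto the usual idle-scan verdict."""
    if consumed == 2:
        return "open"
    if consumed == 1:
        return "closed|filtered"
    return "unknown"  # zombie was not idle, or a probe/reply was lost


def idle_scan(zombie: Zombie, zombie_ip: str, target: Target, target_ip: str,
              port: int, background_packets: int = 0) -> dict:
    """One idle-scan probe of target_ip:port through the zombie.

    background_packets models a zombie that is not actually idle.
    """
    before = probe(zombie)                                   # 1) read zombie ID
    spoofed = Segment(src=zombie_ip, dst=target_ip, dport=port, flags="S")  # 2) SYN "from" zombie
    reply = target.receive(spoofed)                          # target answers the zombie, not us
    zombie.receive(reply)                                    # SYN/ACK -> RST (+1), RST -> nothing
    for _ in range(background_packets):
        zombie.send()                                        # unrelated traffic, if any
    after = probe(zombie)                                    # 3) read zombie ID again
    consumed = packets_consumed(before, after, zombie.little_endian)
    return {
        "port": port,
        "wire_delta": (after - before) & 0xFFFF,  # the figure hping2 -r shows
        "consumed": consumed,                     # probe reply + optional RST
        "state": classify(consumed),
    }


if __name__ == "__main__":
    zombie = Zombie()
    target = Target(open_ports={22})
    for port in (22, 1):
        print(idle_scan(zombie, "192.0.2.90", target, "192.0.2.2", port))
```

Run as-is it prints the +512/open and +256/closed|filtered pair from the post for ports 22 and 1; starting the zombie counter at 0x12FE instead shows a wire delta of 513 for an open port while the host-order count is still 2, which is why the decision is made on the swapped values.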