Re: Finding real host in Nmap -D Scans

From: H D Moore (hdm@digitaloffense.net)
Date: Tue Mar 04 2003 - 01:02:34 EST


Have to disagree with the "obsolete" statement. I ran an egress test from
my cable connection and found no less than 40 different class C networks
I could spoof packets from. While many of these networks were in the same
class B subnet, they could still be used to effectively obfuscate the real
source of a port scan. Actually, using a related address makes tracing it
back even harder, since even TTL tricks and router logs won't help you.

It does narrow down your source to specific provider/geographic area, but
still doesn't provide you with a single address to report. An intelligent
attacker would spoof a few dozen scans first from firewalled systems
located at his own provider (i.e. broadband routers that filter
everything) and only perform the "real" scan with a decoy scan, using the
scapegoat system as one of the sources. Then again, anyone who wants to
expend this level of effort could just use the IP ID trick and you would
never see a single packet from their real address.

-HD

On Monday 03 March 2003 11:26 pm, Kevin Hodle wrote:
> With most broadband providers, this is an obsolete method of port
> scanning. Broadband companies like comca$t have very strict egress
> filters, and also 'ip verify reverse-path' on a cisco PIX (stateful)
> will eliminate the possibility of decoy scans being run against
> machines behind the PIX. Edge routers can also be configured in a
> similar fashion to accommodate external/DMZ machines like IDS's (which
> should be running a stealth interface anyway.)
>
>
> Kevin Hodle
> CCNA, Network+, A+
> Alexander Open Systems
> Network Operations Center
> kevinh@aos5.com
>
>
> -----Original Message-----
> From: Ryan [mailto:ryan@packetwatch.net]
> Sent: Sunday, March 02, 2003 6:25 PM
> To: pen-test@securityfocus.com; nmap-dev@insecure.org
> Cc: 'Fyodor'
> Subject: Finding real host in Nmap -D Scans
>
>
> Hi All,
>
> I was wondering about the decoy scan in nmap. Is there a way to tell
> which host in a decoy scan is the real host? I found a post by Dug
> Song (http://www.geek-girl.com/ids/1999/0057.html), but these methods
> won't work anymore.
>
> First, as Dug Song said, nmap now randomizes the ttl fields, and
> secondly you can't narrow it down to a host that can run nmap, because
> nmap can now be run on Windows systems as well.
>
> Ryan Spangler
> http://www.packetwatch.net
>

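The thread turns on two points: Kevin's claim that reverse-path verification on the edge stops decoy sources leaving a network, and HD's observation that a coarse provider filter still lets a host spoof any sibling class C inside the same aggregate. The following is an added example written for this archive page; it is not code from either poster, from nmap, or from any Cisco product. It models a hypothetical provider edge with a constructed routing table (interface names and the use of the RFC 5737 documentation prefixes are assumptions) and compares a coarse "source must be somewhere in our aggregate" egress filter against strict reverse-path forwarding on a constructed set of decoy-scan probes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table for a hypothetical provider edge router.
# Keys are destination prefixes, values are the interface they are reached
# through. Prefixes and interface names are invented for this example.
ROUTES = {
    "192.0.2.0/24": "cust-A",      # customer block A (where the scanner sits)
    "198.51.100.0/24": "cust-B",   # sibling customer block at the same provider
    "203.0.113.0/24": "dmz",       # provider DMZ (the scan target lives here)
    "0.0.0.0/0": "upstream",       # default route toward the Internet
}

# Coarse egress policy: every block the provider owns, with no regard for
# which interface a packet arrived on. This is the filter HD's egress test
# would slip past, since any sibling block is still "inside" the aggregate.
PROVIDER_AGGREGATE = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


@dataclass(frozen=True)
class Packet:
    src: str       # source IP as written on the wire (may be spoofed)
    dst: str       # destination IP
    in_iface: str  # interface the packet actually arrived on


def lookup(ip, routes=ROUTES):
    """Longest-prefix match: return the interface the router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def coarse_egress_allows(pkt, aggregate=PROVIDER_AGGREGATE):
    """Pass if the source lies anywhere in the provider's address space."""
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in ipaddress.ip_network(p) for p in aggregate)


def strict_urpf_allows(pkt, routes=ROUTES):
    """Strict reverse-path check: the route back to the source must point at the
    interface the packet came in on; anything else is a spoofed source."""
    return lookup(pkt.src, routes) == pkt.in_iface


def partition(packets, policy):
    """Split probes into (forwarded, dropped) under a given policy function."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if policy(p) else dropped).append(p)
    return forwarded, dropped


# Constructed decoy scan: the real scanner is 192.0.2.10 on cust-A and pads
# the scan with two decoy sources. A fourth packet shows an outsider on the
# upstream link forging a customer address. Target is 203.0.113.80 in the DMZ.
DECOY_SCAN = [
    Packet("192.0.2.10", "203.0.113.80", "cust-A"),      # real source
    Packet("198.51.100.7", "203.0.113.80", "cust-A"),    # decoy: sibling customer block
    Packet("10.9.8.7", "203.0.113.80", "cust-A"),        # decoy: address from nowhere nearby
    Packet("192.0.2.10", "203.0.113.80", "upstream"),    # outsider forging a cust-A address
]


def survivors(policy, packets=DECOY_SCAN):
    """Source addresses the DMZ host would still see under the given policy."""
    forwarded, _ = partition(packets, policy)
    return [p.src for p in forwarded]


if __name__ == "__main__":
    print("coarse aggregate filter lets through:", survivors(coarse_egress_allows))
    print("strict uRPF lets through:            ", survivors(strict_urpf_allows))
```

Under the coarse filter the DMZ host still sees 192.0.2.10 and 198.51.100.7 on the cust-A link plus the forged 192.0.2.10 from upstream, so the sibling-block decoy is indistinguishable from a real neighbour, which is exactly the tracing problem HD describes. Under strict reverse-path checking only the one packet whose source actually routes back out the interface it arrived on survives, so the reported address is the real one. The trade-off a defender has to weigh is that strict uRPF breaks legitimate asymmetric routing; the loose variant (source must be reachable via any interface) avoids that but degrades back toward the coarse filter for sibling blocks.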



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT