Re: Rookie question about differences between -S and -sI option

From: Tim (tim-pentest@sentinelchicken.org)
Date: Tue Feb 14 2006 - 14:25:55 EST


> then I tried to spoof my ip scanning the same target like that :
> nmap -vv -P0 -T4 -S xxx.xxx.xxx.xxx ( spoofed ) -e eth0 xxx.xxx.xxx.50 (
> same target as simple scan ) but I obtained every port closed even if nmap
> scanned clearly the same target as the original trivial scan against
> xxx.xxx.xxx.50.

Ok, that's a little different.

First, what kind of host are you using as an idle system? If that
system is a Linux or other recent Unix system, it's likely that they've
eliminated the IP ID information leak. I know Linux and OpenBSD have
eliminated it, and other BSDs probably have as well. Only less secure
systems, such as Windows or network devices/printers leak information
about their packet rates.

If you aren't sure what the OS is on the idle system, you could ping it
from two seperate source IPs. If the IP IDs between the two ping
sequences aren't correlated at all, then you're probably not dealing
with a vulnerable IP implementation.

tim

PS- I think you forgot to CC the list on your last message. Since this
    may be useful to some, I'll go ahead and post it back.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:31 EDT