mailing list archives
IP ID could allow to scan a masquerade network.
From: "Elie aka \"Lupin\" Bursztein" <elie () bursztein net>
Date: Mon, 05 Nov 2001 17:20:43 -0800
I was working on a new implementation of the IPID scann (also known has
idle scan in the nmap man page or pixie-scan as i call it)
During my test I think I discover a new way to use this type of scan :
Using the gateway of a masquerade network as a witness (relay host) for the
allow remote scanning of the private network.
On some stack implementation the IP ID field is incremental so by sending a
packet to the gatway from a private network box and by comparing after the
IP ID value
you could remotely know witch service are open on this intranet computer
even if this one is masquerade.
Of course the pixie-scan is a well known technique but this is this
utilisation that is new.
For more detail about the pixie-scan i have written a paper witch will be
available around tomorow
evening at the following url : http://www.bursztein.net/secu/pixie.html
I have tested the pixie-scan against with success :
- Win 2K service pack
- 3com Netbuilder
unsuccessfull attempt :
- Linux 2.4.x
Elie aka "Lupin" Bursztein
icq : 32228319
mail : secu () bursztein net
web : www.bursztein.net/secu
"He feel safe and at this very moment, i was lost... "
- IP ID could allow to scan a masquerade network. Elie aka \"Lupin\" Bursztein (Nov 09)