Home page logo

bugtraq logo Bugtraq mailing list archives

IP ID could allow to scan a masquerade network.
From: "Elie aka \"Lupin\" Bursztein" <elie () bursztein net>
Date: Mon, 05 Nov 2001 17:20:43 -0800


I was working on a new implementation of the IPID scann (also known has
idle scan in the nmap man page or  pixie-scan as i call it)
During my test I think I discover a new way to use this type of scan :


Using the gateway of a masquerade network as a witness (relay host) for the Pixie-scan,
allow remote scanning of the private network.


On some stack implementation the IP ID field is incremental so by sending a spoofed SYN packet to the gatway from a private network box and by comparing after the IP ID value you could remotely know witch service are open on this intranet computer even if this one is masquerade. Of course the pixie-scan is a well known technique but this is this utilisation that is new. For more detail about the pixie-scan i have written a paper witch will be available around tomorow
evening at the following url : http://www.bursztein.net/secu/pixie.html

Affected version

I have tested the pixie-scan against with success :

- Win 2K service pack
- 3com Netbuilder

unsuccessfull attempt :

- Linux 2.4.x


Elie aka "Lupin" Bursztein
icq  : 32228319
mail : secu () bursztein net
web  : www.bursztein.net/secu
"He feel safe and at this very moment, i was lost... "

  By Date           By Thread  

Current thread:
  • IP ID could allow to scan a masquerade network. Elie aka \"Lupin\" Bursztein (Nov 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]