Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [Paper] New Idle Scan Techniques
From: Henri Doreau <henri.doreau () greenbone net>
Date: Mon, 25 Apr 2011 17:57:06 +0200

2011/4/21 Fyodor <fyodor () insecure org>:
David just sent me a link to a research paper which discloses a couple
novel port scanning techinques which are related to the Nmap idle scan
(-sI) in that they are side channel attacks which don't require
sending packets to the target from your real IP address.  One of the
techniques is based on TCP RST rate limiting and the other uses SYN
cache behavior.  Here is the paper:



This paper is really cool!

I gave a try at implementing the first technique (TCP RST rate
limiting) within NSE.

I have patched NSE to do so, adding a "scanrule" and a -sK option to
enable script port scanning. This patch eases the development of
prototypes to evaluate such new scanning techniques and could also be
interesting to develop port scanning modules relying upon application
layers. Such modules could leverage the NSE libraries for the
corresponding protocols (scanner-ftp-bounce.nse would be nice, instead
of having it in the core for instance).

Both the script and the patch are just PoC but I would be glad to
improve them if someone like the idea. Feedback welcome!


Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Attachment: nse_scan.diff

Attachment: idlescan-rst.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]