Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Inverse Mapping Layout Through Scapy
From: "Aditya K Sood" <zeroKnock () metaeye Org>
Date: Fri, 2 Mar 2007 09:48:32 -0500 (EST)


Hi ced
            Its very nice to have your response.
I ll get to ur point one by one.

0xa] First of all the inverse mapping , acc to standard is a
technique to check the host is alive or running services.This
is accomplished by sending a Reset flag to the destination.The
reset flag relates to almost connection closed  stats.This means
if the host is alive or having services , the host repond with
nothing or error message.The nothing tells us the host is alive
and some services are running.Error message says the host is down.
This is overall layout.

0xb] When we get to scapy the port i used is open at the target.
So i checked gainst it with reset packet , the scpay works it in
different way.If you look i used sr command instead of send which
means ia m going after send and recieve st same time.

   Look at this:
          send(<command stat>
          ans,unans=srloop(<coomand stats>)
          ans.summary() --> get to you to the answer of the packet sent.
          unans.summary() --> get to you to the unanswe response.

Since the sending of packet is going from the sender and its failing
because no "RA" or Another response is generated.The packet is totally
failed or getting rejected.This gives us an intimation regarding the
host alive and running services.The packet should fail in most of cases.

0xc] The question of padding is i used it in just a raw data to be
attached and to check it has some implications or not or whether
it is changing the output stats.

Example:- For syn scan if u set "S" packet with same stats you will
het "SA".If you try "F" , the closed port will reset it and open
port will not respond.






Le mardi 27 février 2007 à 04:23 +0530, Aditya Sood a écrit :
                   Want to know your views about Inverse mapping with
padding through scapy.I have recently put a blog entry
http://zeroknock.blogspot.com/2007/02/inverse-mapping-via-packet-crafting.html
Throw more views in this aspect.

Can you please be more specific about what you mean by "inverse
mapping" ? I'm not familiar with this, and thus I don't get what you're
trying to show by adding/removing *raw data* to your TCP RST...

Especialy, what do you mean by "there's a skip in packet from the other
side" ? Is it related to the one out of two "blank lines", that is in
fact written using black color (shown with <- below) and thus being
invisible on your black background ?

srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/"XXXXXXXX")
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw
fail 1: IP / TCP 172.16.134.22:ftp-data > 216.239.59.147:www R / Raw <-
send...
Sent 9 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:9 ICMP:0
Other:0>)

If so, you should switch to Bob Marley display:

      >>> conf.color_theme=RastaTheme()

Then try again :)

Note that IP()/TCP()/"XXXXXXXXX" adds "XXXXXXXXX" as raw TCP data. If
you want to add padding, then you have to use the Padding method:

      IP()/TCP()/Padding("XXXXXXXXX")

Then you'll get something slightly different:

srloop(IP(dst="www.google.com", ttl=64)/TCP(dport=80,
flags="R")/Padding("XXXXXXXXXX"))
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
fail 1: IP / TCP 172.16.134.22:ftp-data > 66.102.9.147:www R / Padding
send...
Sent 8 packets, received 0 packets. 0.0% hits.
(<Results: UDP:0 TCP:0 ICMP:0 Other:0>, <PacketList: UDP:0 TCP:8 ICMP:0
Other:0>)


BTW, Scapy is indeed a wonderful tool.


Regards.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Cansecwest/core07 *WiFi (in)Security* Security Masters Dojo, Vancouver
http://cansecwest.com/dojowifi.html (Scapy WiFi programming included ;)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




-- 
Aditya K sood
MetaEye Security Group.
[MSG]http://www.metaeye.org
[Zknk]http://zeroKnock.metaeye.Org
[Blog]http://zeroknock.blogspot.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]