Security Incidents mailing list archives

RE: Spoofed scans


From: Joshua Wright <jwright () jwu edu>
Date: Wed, 9 Jan 2002 07:52:15 -0500

One should note that the example is not using "sequence numbers", but
instead using the IP ID field.  Sequence numbers would (should) not be as
predictable.  IP ID numbers _should_ not be so predictable, but try telling
Microsoft that.

Also check out the Pixie scanning tool, designed to perform this in an
automated fashion at http://www.bursztein.net/secu/pixie.html.  The source
file is actually a gzip'd file, although it only has a .tar extension.

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73



-----Original Message-----
From: Gideon Lenkey [mailto:glenkey () infotech-nj com]
Sent: Tuesday, January 08, 2002 12:23 PM
To: Paul M. Tiedemann
Cc: incidents () securityfocus com
Subject: RE: Spoofed scans


Since it seems to be in question, I'd like to address third party stealth
scanning in more detail as some folks might not be fully aware of its
capabilities.

The basic technique goes as follows: our bad guy MAL wants to scan his
target ADENA for an open TCP port 22. He doesn't want any record of his
connecting, so he finds a 'quiet' (meaning little or no traffic going to
or from) computer preferably on a dial-up or DSL, we'll call this machine
PATSY. His plan is to get relative sequence numbers from PATSY while
spoofing TCP SYN packets to ADENA's TCP port 22 with PATSY as the source
address. If 22 is open ADENA will reply to PATSY and MAL will notice a
spike in MAL relative sequence numbers. MAL is pretty clever, so he not
only spoofs packets from PATSY but also a random mix of other spoofed
source addresses. MAL gets his information and his IP never talks to
ADENA.

Using hping as an example:

First find (a) PATSY, a nice Windows machine idling on a DSL line is
the perfect mark.

---------------------------------------------------------------------
[root@foo]# hping -r PATSY
HPING PATSY (eth0 PATSY): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=PATSY flags=RA seq=0 ttl=128 id=63510 win=0 rtt=10.2 ms
len=46 ip=PATSY flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
len=46 ip=PATSY flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.6 ms
len=46 ip=PATSY flags=RA seq=4 ttl=128 id=+256 win=0 rtt=0.7 ms
---------------------------------------------------------------------

You'll notice the 'id=+256' field indicates steady increments in sequence
numbers (Viva la Windows).

Now spoof the source address of the scan and watch relative sequence
numbers 'id=+'.

---------------------------------------------------------------------
[root@foo]# hping ADENA -a PATSY -S -p 22
---------------------------------------------------------------------

Nothing comes directly back because the source address is spoofed, but
look at our session pinging PATSY. See the spike in the id field from 256
to 512? Port 22 is open on ADENA. No spike means a closed port.

---------------------------------------------------------------------
len=46 ip=PATSY flags=RA seq=51 ttl=128 id=+256 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=52 ttl=128 id=+256 win=0 rtt=0.7 ms
-> len=46 ip=PATSY flags=RA seq=53 ttl=128 id=+512 win=0 rtt=0.7 ms <-
-> len=46 ip=PATSY flags=RA seq=54 ttl=128 id=+512 win=0 rtt=0.7 ms <-
-> len=46 ip=PATSY flags=RA seq=55 ttl=128 id=+512 win=0 rtt=0.7 ms <-
-> len=46 ip=PATSY flags=RA seq=56 ttl=128 id=+512 win=0 rtt=0.7 ms <-
len=46 ip=PATSY flags=RA seq=57 ttl=128 id=+256 win=0 rtt=0.7 ms
---------------------------------------------------------------------

When you add the possibility that the machines are half a world apart,
tracking becomes, well, difficult even if you're an optimist.

The bottom line is, the attacker might not be in the group of IPs you
observe scanning you.

For a more detailed treatment of this technique see:

        http://rr.sans.org/audit/hping2.php

--Gideon

On Mon, 7 Jan 2002, Paul M. Tiedemann wrote:

/* A couple of words on spoofing should be mentioned.  Spoofing is almost
/* always associated with dos attacks because the very act of spoofing means
/* that they will not be receiving any packets back to their real ip address.
/* I know there are ways to use spoofing to obscure the scanning machine but
/* usually one of the ip addresses is the offender.  If you think the process
/* through with port scanning it just doesn't make sense that the originating
/* machine would not wish to receive any information about what ports are open
/* on your machine.  That being said I think that if you are actually being
/* port scanned you will find that one of the ip addresses you will see is the
/* originating machine.
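An added example, not from the thread and not part of hping: a small Python audit that parses hping -r style reply lines like the ones quoted above, so an administrator can check whether one of their own hosts has the predictable IP ID counter Gideon and Joshua describe (and could therefore be abused as a PATSY), and can spot probes between which the host emitted packets the auditor did not trigger. The sample output is constructed in the thread's format, not a real capture.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the format of the thread's "hping -r" output (not a real capture).
SAMPLE_HPING_OUTPUT = """\
HPING PATSY (eth0 PATSY): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=PATSY flags=RA seq=0 ttl=128 id=63510 win=0 rtt=10.2 ms
len=46 ip=PATSY flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
len=46 ip=PATSY flags=RA seq=3 ttl=128 id=+512 win=0 rtt=0.7 ms
len=46 ip=PATSY flags=RA seq=4 ttl=128 id=+256 win=0 rtt=0.7 ms
"""

# With -r, hping prints the first reply's IP ID as an absolute value and every
# later reply as the delta from the previous one ("id=+N"); only the deltas matter here.
REPLY_RE = re.compile(r"\bseq=(\d+)\b.*?\bid=\+(\d+)\b")


def parse_ipid_deltas(output: str) -> List[Tuple[int, int]]:
    """Extract (seq, delta) pairs from the relative-ID reply lines."""
    matches = (REPLY_RE.search(line) for line in output.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in matches if m]


def audit_ipid(deltas: List[Tuple[int, int]]) -> Dict[str, object]:
    """Judge how predictable the host's IP ID counter is and flag probes between
    which the host sent packets that this auditor did not cause."""
    values = [d for _, d in deltas]
    if not values:
        return {"verdict": "no data", "base": None, "anomalies": []}
    # The most common delta is the per-packet step (256 on the Windows hosts in the thread).
    base, _ = Counter(values).most_common(1)[0]
    # A simple global counter: every delta is a whole number of base steps.
    regular = base > 0 and all(v % base == 0 for v in values)
    # Deltas larger than one step mean the host answered traffic we did not send.
    anomalies = [(seq, d) for seq, d in deltas if d != base]
    verdict = ("predictable (global incremental IP ID)" if regular
               else "not a simple counter")
    return {"verdict": verdict, "base": base, "anomalies": anomalies}


if __name__ == "__main__":
    report = audit_ipid(parse_ipid_deltas(SAMPLE_HPING_OUTPUT))
    print(report)
```

A host reported as predictable with unexplained anomalies on a link that should be idle is worth a closer look at what else it is replying to.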


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
