Nmap Idle Scanning and Linux
Nmap has the capability to perform idle scanning. Say you want to do a SYN scan of machine B, but you do not want machine B to know your ip address. You can use an intermediate machine that has predictable IPID numbers to act as a zombie and help you establish whether or not each TCP port is open on machine B.
There is a good explanation of how this works at http://www.insecure.org/nmap/idlescan.html.
The idea is that every time a machine sends a packet, it increases it's IPID value by one. If you send a SYN to a port that is open, the machine will send a SYN/ACK back. If a machine recieves an unsolicited SYN/ACK then it will send a RST back (and thus increment the IPID number). If a machine gets an unsolicited RST, however, it ignores it. The following procedure will scan machine B, while making it look like the scan came from host Z.
1. Send a SYN packet to a port on host Z that is open. It will respond with a syn|ack. Make note of the IPID number.
2. Send a SYN packet with a source of host Z to host B on some port. If the port is open, host B will send a syn|ack back to host Z. Since host Z was not expecting a syn/ack, it will send a RST packet back to host B and it will increment its IPID number.
3. Wait a bit
4. Send a Syn packet to a port on host Z that is open. Make note of the IPID number. If it is one more than the IPID number noted in step one, then the port on machine B is closed. If it is two more than it was in step one, then the port is open.
Ofcourse, this assumes that the machine didn't get any more traffic. But, even if it does, you can still use this technique with a slight modification. Say that host Z typically increments its IPID number 10 times per minute. Then, by sending 100 probes, we can see if the IPID has incremented more than 100. If not then the port is closed. If so then the port is open.
So, the hard part is finding hosts in which the TCP stack on the machine increments the IPID number sequencially for each outbound packet. Linux, for example, sends all of it's SYN/ACK packets with a IPID number of zero. This technique is explained in detail at http://www.blackhat.com/presentations/bh-usa-01/ThomasOlofsson/bh-usa-01-Thomas-Oloffson.ppt
However, someone just discovered that even the latest 2.6 kernels will increment their sequence numbers sequentially if you send SYN|ACK packets to them. Hence, virtually all Linux machines using version 2.6 of the Linux kernel can be used for idle scanning. The only issue is that Nmap sends syn's when it is testing whether a machine will work for idle scanning, but syn/ack's for the actual test.
In any case, someone ought to be able to scan for a bunch of zombie hosts, then rotate through them doing idle scans. If you had enough of them, you could potentially bypass intrusion detection by having only a small number of probes from each zombie host.
There is a good explanation of how this works at http://www.insecure.org/nmap/idlescan.html.
The idea is that every time a machine sends a packet, it increases it's IPID value by one. If you send a SYN to a port that is open, the machine will send a SYN/ACK back. If a machine recieves an unsolicited SYN/ACK then it will send a RST back (and thus increment the IPID number). If a machine gets an unsolicited RST, however, it ignores it. The following procedure will scan machine B, while making it look like the scan came from host Z.
1. Send a SYN packet to a port on host Z that is open. It will respond with a syn|ack. Make note of the IPID number.
2. Send a SYN packet with a source of host Z to host B on some port. If the port is open, host B will send a syn|ack back to host Z. Since host Z was not expecting a syn/ack, it will send a RST packet back to host B and it will increment its IPID number.
3. Wait a bit
4. Send a Syn packet to a port on host Z that is open. Make note of the IPID number. If it is one more than the IPID number noted in step one, then the port on machine B is closed. If it is two more than it was in step one, then the port is open.
Ofcourse, this assumes that the machine didn't get any more traffic. But, even if it does, you can still use this technique with a slight modification. Say that host Z typically increments its IPID number 10 times per minute. Then, by sending 100 probes, we can see if the IPID has incremented more than 100. If not then the port is closed. If so then the port is open.
So, the hard part is finding hosts in which the TCP stack on the machine increments the IPID number sequencially for each outbound packet. Linux, for example, sends all of it's SYN/ACK packets with a IPID number of zero. This technique is explained in detail at http://www.blackhat.com/presentations/bh-usa-01/ThomasOlofsson/bh-usa-01-Thomas-Oloffson.ppt
However, someone just discovered that even the latest 2.6 kernels will increment their sequence numbers sequentially if you send SYN|ACK packets to them. Hence, virtually all Linux machines using version 2.6 of the Linux kernel can be used for idle scanning. The only issue is that Nmap sends syn's when it is testing whether a machine will work for idle scanning, but syn/ack's for the actual test.
In any case, someone ought to be able to scan for a bunch of zombie hosts, then rotate through them doing idle scans. If you had enough of them, you could potentially bypass intrusion detection by having only a small number of probes from each zombie host.
| Permalink | E-mail this post 
