Re: [Full-disclosure] Spoof tricks & Tips ?

Hello Mark Sec,

> Well, im testing a servers and i need to scan all the ports evading IDS ,
> IPS, i dont want to see my IP real

Try reading your documentation more thoroughly.

~> man nmap
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows
for a truly blind TCP port scan of the
target (meaning no packets are sent to the
target from your real IP address).
Instead, a unique side-channel attack
exploits predictable "IP fragmentation ID"
sequence generation on the zombie host to
glean information about the open ports on
the target. IDS systems will display the
scan as coming from the zombie machine you
specify (which must be up and meet certain
criteria). I wrote an informal paper
about this technique at http://www.inse- .

Besides being extraordinarily stealthy
(due to its blind nature), this scan type
permits mapping out IP-based trust rela-
tionships between machines. The port
listing shows open ports from the perspec-
tive of the zombie host. So you can try
scanning a target using various zombies
that you think might be trusted (via
router/packet filter rules). Obviously
this is crucial information when priori-
tizing attack targets. Otherwise, you
penetration testers might have to expend
considerable resources "owning" an inter-
mediate system, only to find out that its
IP isn't even trusted by the target
host/network you are ultimately after.

You can add a colon followed by a port
number if you wish to probe a particular
port on the zombie host for IPID changes.
Otherwise Nmap will use the port it uses
by default for "tcp pings".

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -