Re: [Full-disclosure] Spoof tricks & Tips ?



Hello Mark Sec,


> Well, I'm testing a server and I need to scan all the ports evading IDS/IPS;
> I don't want my real IP to be seen.


Try reading your documentation more thoroughly.


~> man nmap
...
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.insecure.org/nmap/idlescan.html .

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after.

You can add a colon followed by a port number if you wish to probe a particular port on the zombie host for IPID changes. Otherwise Nmap will use the port it uses by default for "tcp pings".
...



tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
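The man page quoted above makes the precondition of the technique explicit: it only works when a host generates predictable IP fragmentation IDs. The defensive question that follows is whether any of your own hosts behave that way. The following Python is an added example, not from the original post or from the Nmap project: it classifies a sequence of IP ID values observed from one host (the samples here are constructed inline) as constant, incremental, byte-swapped incremental, busy-incremental or random, handling 16-bit wraparound. The category names and the MAX_SMALL_STEP threshold are assumptions of this example, not Nmap's own classifier.

```python
"""Classify a host's observed IP ID sequence (added defensive check, not Nmap code).

A host whose IP ID is a simple global counter leaks how many packets it sends
between two probes, which is exactly the side channel the quoted man page
describes. Hosts that randomise the field, or keep it constant, do not.
"""

MAX_SMALL_STEP = 1000  # assumption: steps larger than this look random, not counter-driven


def ipid_delta(a: int, b: int) -> int:
    """Forward distance from IP ID a to b modulo 2**16 (the IP ID field is 16 bits)."""
    return (b - a) & 0xFFFF


def swap16(x: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks count in host byte order)."""
    return ((x & 0xFF) << 8) | ((x >> 8) & 0xFF)


def classify_ipid_sequence(ipids) -> str:
    """Return one of: constant, incremental, incremental-byteswapped,
    busy-incremental, random. Needs at least three samples."""
    ids = [i & 0xFFFF for i in ipids]
    if len(ids) < 3:
        raise ValueError("need at least three IP ID samples")
    if len(set(ids)) == 1:
        return "constant"  # e.g. all zeros: nothing to infer from it
    deltas = [ipid_delta(a, b) for a, b in zip(ids, ids[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"  # textbook global +1 counter
    swapped = [swap16(i) for i in ids]
    if all(ipid_delta(a, b) == 1 for a, b in zip(swapped, swapped[1:])):
        return "incremental-byteswapped"  # +1 counter emitted little-endian
    if all(1 <= d <= MAX_SMALL_STEP for d in deltas):
        return "busy-incremental"  # counter shared with other traffic: noisy but still a counter
    return "random"


def leaks_via_ipid(verdict: str) -> bool:
    """True when the verdict means the host's traffic volume is readable from its IP IDs."""
    return verdict in ("incremental", "incremental-byteswapped", "busy-incremental")


if __name__ == "__main__":
    # Constructed sample sequences, one per host, as a defender might collect them.
    samples = {
        "host-a": [0, 0, 0, 0],
        "host-b": [65534, 65535, 0, 1],            # wraps around at 2**16
        "host-c": [0x0100, 0x0200, 0x0300, 0x0400],  # +1 in host order, 256 on the wire
        "host-d": [100, 104, 109, 110, 150],
        "host-e": [12345, 3, 60000, 22222],
    }
    for host, seq in samples.items():
        verdict = classify_ipid_sequence(seq)
        flag = "FIX: predictable IP ID" if leaks_via_ipid(verdict) else "ok"
        print(f"{host}: {verdict} ({flag})")
```

A practical reading of the output: any host reported as incremental or busy-incremental should have IP ID randomisation enabled (or be patched to a stack that randomises it), and the same check run periodically on the fleet catches regressions after OS upgrades.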