Re: Port Scanning.
robert_at_dyadsecurity.com
Date: 12/22/04
- Previous message: Keith Pachulski: "RE: VPN protocols"
- Maybe in reply to: Faisal Khan: "Port Scanning."
Date: Wed, 22 Dec 2004 12:47:12 -0800
To: DWreck <dwr3ckmailbox-pentest@yahoo.com>
On Wed, Dec 22, 2004, robert@dyadsecurity.com wrote:
> The only thing that isn't currently easy to do is TCP full connection
> payload injection from spoofed IPs. We're working on a way to do
> that though :).
I know it's bad form to follow up on your own post... What I was
talking about in the last email was a way to actually introduce the TCP
3-way handshake (connection) payload stimulus to the remote IP from a
spoofed source. This is currently difficult on modern stacks.
However, many IPS/IDSs don't keep track of state, and you can actually
get the PSH/ACK TCP payload to trigger many IPSs from spoofed sources
now. By skipping the 3-way handshake, the remote IP will obviously not
treat it as part of an established connection, but if IPS trigger DoS
was your goal, who cares.
Robert
--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
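The point Robert makes about stateless sensors can be shown with a small model. The following is an added example, not code from the original post or from Dyad Security: a stateless pattern matcher that inspects every segment carrying payload, beside a stateful one that tracks the 3-way handshake per flow and only inspects payload once the flow is established. The traffic, the 5-tuples, the flag sets and the signature string are all constructed for the example; the `Segment` class and the `StatefulMatcher` are hypothetical helpers, not an IDS API.

```python
"""Added example: stateless vs. stateful payload matching on TCP segments.

A stateless engine alerts on any segment whose payload matches a signature,
so a PSH/ACK from a spoofed source with no preceding handshake still fires.
A stateful engine only inspects payload on flows it has seen complete the
SYN / SYN-ACK / ACK exchange, so the stray segment is counted but not alerted.
"""
from dataclasses import dataclass

# Constructed signature pattern (placeholder, not a real rule).
SIGNATURE = b"GET /cgi-bin/test-cgi"


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model: 5-tuple fields, flag set and payload."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    payload: bytes = b""


def stateless_alerts(segments):
    """Alert on every segment whose payload contains the signature, ignoring state."""
    return [s for s in segments if s.payload and SIGNATURE in s.payload]


class StatefulMatcher:
    """Track the 3-way handshake per client->server flow; inspect payload only when established."""

    def __init__(self):
        self.state = {}   # (src, sport, dst, dport) -> SYN_SENT | SYN_RECV | ESTABLISHED
        self.stray = 0    # payload segments seen outside any established flow

    @staticmethod
    def _key(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    @staticmethod
    def _reverse(seg):
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def feed(self, seg):
        """Advance flow state for one segment; return the segment if it should alert."""
        k, r = self._key(seg), self._reverse(seg)
        if seg.flags == {"SYN"}:
            self.state[k] = "SYN_SENT"
            return None
        if seg.flags == {"SYN", "ACK"} and self.state.get(r) == "SYN_SENT":
            self.state[r] = "SYN_RECV"
            return None
        if seg.flags == {"ACK"} and not seg.payload and self.state.get(k) == "SYN_RECV":
            self.state[k] = "ESTABLISHED"
            return None
        if seg.payload:
            established = "ESTABLISHED" in (self.state.get(k), self.state.get(r))
            if not established:
                self.stray += 1          # no handshake seen: the peer would reset this anyway
                return None
            if SIGNATURE in seg.payload:
                return seg
        return None


def stateful_analysis(segments):
    """Run the stateful matcher; return (alerts, count of stray payload segments)."""
    m = StatefulMatcher()
    alerts = [s for s in segments if m.feed(s) is not None]
    return alerts, m.stray


def sample_segments():
    """Constructed traffic: one real handshake with payload, then a spoofed PSH/ACK."""
    client, server, spoofed = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    payload = b"GET /cgi-bin/test-cgi HTTP/1.0\r\n\r\n"
    return [
        Segment(client, 40000, server, 80, frozenset({"SYN"})),
        Segment(server, 80, client, 40000, frozenset({"SYN", "ACK"})),
        Segment(client, 40000, server, 80, frozenset({"ACK"})),
        Segment(client, 40000, server, 80, frozenset({"PSH", "ACK"}), payload),
        # Spoofed source, no handshake on this flow: only the stateless engine alerts.
        Segment(spoofed, 51000, server, 80, frozenset({"PSH", "ACK"}), payload),
    ]


if __name__ == "__main__":
    segs = sample_segments()
    print("stateless alerts:", len(stateless_alerts(segs)))
    alerts, stray = stateful_analysis(segs)
    print("stateful alerts:", len(alerts), "stray payload segments:", stray)
```

Running it against the constructed traffic gives two stateless alerts but one stateful alert plus one stray segment. The stray counter is the useful defensive signal: a burst of payload-bearing segments on flows that never completed a handshake is a cheap indicator that someone is feeding a stateless sensor rather than talking to the host, and it is worth alerting on separately rather than as signature hits.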