Re: A Blind Ip Spoofed Portscanning Tool - How this should work ?
From: Paul Cardon (paul@moquijo.com)
Date: 07/23/01
- In reply to: Jan Wagner: "A Blind Ip Spoofed Portscanning Tool - How this should work ?"
Message-ID: <3B5C74DF.FFBC8A18@moquijo.com>
Date: Mon, 23 Jul 2001 15:02:55 -0400
From: Paul Cardon <paul@moquijo.com>
To: jan.wagner@de.tiscali.com
Subject: Re: A Blind Ip Spoofed Portscanning Tool - How this should work ?

Jan Wagner wrote:
>
> (From my point of knowledge)
> If you spoof an IP you are not able to get the response back. There is maybe!
> a way to get the response by Loose Source Record Route (I am not sure) but I
> think it won't work because of "No IP source Routing Option" on most routers.

It works by also sending packets to the spoofed system and noting IP ID
numbers which are usually changed by a fixed increment for each new
packet. When the spoofed server gets a SYN/ACK for a connection that it
didn't initiate, it will send back a reset which increments the IP ID
field in the IP header. The scanning tool is at:
http://labs.defcom.com/releases/spoofer/spoofer.zip
-paul
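
The reply above depends on the spoofed system changing its IP ID by a fixed increment for each new packet. The following is an added example, not part of the original message or of the linked tool: a check a defender can run over IP ID values captured from one of their own hosts to see whether it exposes that predictable counter. The function names, the `max_step` threshold, the byte-swapped case (counters that appear to step by 256 on the wire) and all sample values are assumptions constructed for illustration.

```python
# Added example: audit IP ID behaviour from packets captured from one host.
# Sample values used with these functions are constructed, not real captures.

def swap16(value):
    """Swap the two bytes of a 16-bit value."""
    return ((value & 0xFF) << 8) | (value >> 8)

def deltas(ip_ids):
    """Differences between successive 16-bit IP IDs, modulo 65536 (handles wrap)."""
    return [(b - a) & 0xFFFF for a, b in zip(ip_ids, ip_ids[1:])]

def classify_ip_id(ip_ids, max_step=64):
    """Return (label, leaked) for IP IDs seen by a single observer.

    label  : 'constant', 'incremental', 'incremental-byteswapped' or 'random'
    leaked : for incremental hosts, how many packets the host sent to *other*
             peers between each pair of samples (assumes the counter steps by 1
             per packet). This is the information a third party can read.
    """
    if len(ip_ids) < 3:
        raise ValueError("need at least three samples")
    candidates = (
        ("incremental", list(ip_ids)),
        ("incremental-byteswapped", [swap16(v) for v in ip_ids]),
    )
    for label, seq in candidates:
        d = deltas(seq)
        if all(x == 0 for x in d):
            return "constant", []          # e.g. ID fixed at 0: nothing leaks
        if all(0 < x <= max_step for x in d):
            return label, [x - 1 for x in d]
    return "random", []                    # randomized or per-peer IDs

if __name__ == "__main__":
    samples = {                            # constructed sample sequences
        "shared counter, wraps": [65533, 65534, 0, 3],
        "byte-swapped counter": [0x0100, 0x0200, 0x0400],
        "fixed zero": [0, 0, 0],
        "randomized": [0x3A1C, 0xB2F0, 0x0451, 0x9E77],
    }
    for name, ids in samples.items():
        print(name, "->", classify_ip_id(ids))
```

A host classified as `random` or `constant` does not expose the per-packet counter that the technique in this message reads.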