RE: ICMP (Ping)

From: Jay Woody (jay_woody_at_tnb.com)
Date: 09/05/03

    Date: Fri, 05 Sep 2003 16:29:59 -0500
    To: <chatmaster@charter.net>
    
    

    >> What purpose would seeing a response from a ping serve to a
    >> kiddy looking to deface web sites? If they are going to attack
    >> you randomly, why do you assume that they would stop to
    >> think when they are blindly attacking networks/ips anyway?

    Here is how it works again. They scan a range and then go back and run
    a port scan/vuln scan against what replies. They don't run vuln scans
    randomly against ranges, they run ping sweeps randomly against ranges,
    those that reply get more attention. So how would not replying help?
    Well by getting less attention obviously. They aren't "blindly
    attacking networks/ips anyway". They are blindly scanning or sweeping
    networks/ips through the use of pings. They are not so blindly (but
    almost) running a port scan against those that reply. Then they are running a
    vuln scan against the boxes that just told them they were a certain OS,
    etc.

    >> Running a scanner to look for open ports or vulnerabilities
    >> in services, is not going to change because you don't reply
    >> to ping requests. Those scans will check the ports and
    >> services on said IP--not give up if it can't get a ping
    >> response.

    Man, dude, where do I start on this one? :) Yes, running something
    like that would behave exactly as you describe (I think). However, that
    isn't at all what anyone has said. Again, they "scan" the ADDRESSES in
    a range for a simple reply and then run a port scan/vuln scan against
    those that reply. Your point is that if they don't respond to pings,
    they likely won't respond to vuln scans. The script kiddies say the
    same thing in reverse. If you respond to a ping you likely will give up
    more information if asked. Again, they scan the range for replies and
    then run a port scan/vuln scan against the replies for more info. They
    don't blindly run a vuln scan against a range. That would be even more
    stupid and waste time.

    >> And that doesn't relate to the type of attacks being
    >> discussed. That's another, less serious issue anyway.

    Uh, OK. The question was should your devices reply. There is not an
    ATTACK there. The statement was that no, they shouldn't because then
    you get more interest from the kiddies. You said no you don't and I
    said yes you do. Haven't heard about any attack mentioned at all.
    Also, if you think having your web page defaced is not serious, then ask
    Nike how much the press hurt them and ask Microsoft how much money they
    spend on making sure it doesn't happen to them. If you are a seller,
    then having your web page defaced and pointing people to a site that
    gathers their credit card numbers would be decently serious I would
    think.

    >> No, they'd probe for vulnerabilities by domain or IP, the
    >> ping response plays no role in that situation.

    If they are probing for vulnerabilities by domain (and I am not 100%
    sure what you mean there), then they are retarded. I said that they
    deface the web page and move on and you reply that they scan for vulns
    by domain. Again, the ping response plays a HUGE role. They ping a
    group of addresses, if you don't respond they move the FREAK ON. If you
    do, they run a port scan, then a vuln scan against you. By not
    replying, you stop the kiddies from looking (in addition to many of the
    other DDoS issues mentioned already). "[T]hey'd probe for
    vulnerabilities . . . IP", yep, exactly and where did they get the IP
    address? By the freaking ping reply. No reply, less attempts. I am
    just not saying it right or something, so help me see where we are
    missing it.

    >> That is irrelevant.

    Then your point is irrelevant, because I was agreeing with your point.
    Sure, some people see a site and say, "I want to hack that particular
    company." 99% don't. They say, I want to hack 40 sites in a week. I
    don't give a crap who, so let's see who replies.

    >> True. You're either vulnerable or not. But it depends on the
    >> type of attack and on what service or protocol.

    And if you don't reply to pings then 90% of the kiddies never even try
    to find out what will work against you.

    >> No it doesn't. Skripties are stupid by nature. They hit
    >> blindly with the scanners, the scanners don't give up if
    >> there's no ping response,

    See, here is where you keep missing it. They DO NOT blindly run vuln
    scans. They blindly run Ping sweeps. They scan a range and see who
    replies and then they run the port scan that you describe against just
    those areas that replied. Then they run the vuln scan against just
    those addresses that replied and that have a certain OS, etc. That is
    well known. So either you are saying they run vuln scans against huge
    ranges, which isn't true or you are saying that ping sweeps or scans
    will still document you when you don't reply, which is also not true.
    They don't run an in depth scan until they see if you are alive or not.
    If you are not alive, why waste their time, there are plenty of people
    that are. I run Zone Alarm at home. They ping me and I don't reply,
    now they could run a suite of vuln scans against me and spend an hour or
    more to see what is turned up OR they could move to the next-door neighbor's PC
    where the password is password. They just move on. They are looking
    for the slow, stupid ones on the fringe to gobble up. If you don't
    reply to a ping, most script kiddies will simply move on. That has been
    the opinion espoused by a great majority of responders to this thread,
    so I am obviously not the only one that feels this way.

    >> they are busy checking to see what's running on the various
    >> ports that particular scanner scans. It's almost contradictive
    >> to use script kiddie and 'dig deeper' in the same sentence.

    Not if you didn't reply to a ping they don't. Think about it man. If
    you ping sweep a range of 255 addresses and 20 respond and you are a
    little kiddie, you are going to focus on those 20, crack 5 quickly and
    go brag about it. You are not going to kick off your favorite little
    vuln scanner against addresses that "aren't up" in the hopes that maybe
    one is, spend all night dicking with that one and then having nothing to
    brag about. It is a numbers game. They want to be able to say they
    cracked X number last night. Not that they spent all night scanning a
    range and then finding out that indeed there really were no other boxes
    there.

    >> But they aren't looking for boxes that reply to ping requests,
    >> they hit the IP on various ports to check to see if that port/
    >> service responds and with what.

    I am beginning to think you are screwing with me now. Surely you have
    downloaded one of these things. They don't do that at all. They first
    sweep a range and gather addresses. Then they compile that in a list.
    Then they run their port scan/vuln scan against each of those IPs and
    THAT scanner is what looks for ports, weak passwords, etc. The point
    being made here, over and over, is that if you are not one of the
    addresses on the list, then the scanner isn't run against you. How do
    you stay off of the list? Well, how did you get on it? You responded
    to a ping. No response equals less kiddie attacks. Period. Less
    script kiddie attacks means more time to get the vulns patched and less
    of a chance that a bonehead move gets you compromised.

    >> Like I said, a dumb ass script kiddie will hit the ports
    >> checking the services for vulnerable services. Ping
    >> response or not makes absolutely no difference.

    And like I said, it absolutely does. They are not doing random port
    scans. They are doing random PING SWEEPS and then doing semi-random
    port scans on those that REPLY. Then running specific vuln scans on
    boxes that replied as needed to the port scans. You seem to think they
    just jump right into the port scanning world and they just don't. Why
    run a port scan against a non-existent box? It is just a waste of your
    time. They don't.

    >> It's either going to happen or not, random or targeted.
    >> If it's random, you'll be hit and probed anyway (being an
    >> attack or probe). If it's not random, well, we all know the
    >> answer.

    If they were running port scans, you might be right, but again, they
    don't until you first let them know there is a box there to run one
    against. No box, no port scan. No ping, no box to them. On to the
    next range.

    >> I don't see the point to that side of this debate.

    Cause you aren't trying. You are just insisting that the process
    starts in the middle. It doesn't. It starts at the beginning and that
    is the ping sweep. If I were you, I would try to understand that side
    seeing as how a great majority of the posters have thus far espoused the
    same idea. You seem to be under the impression that a kiddie's first
    tool is his port scanner and it isn't. It is his ping sweeper. THAT
    produces the list that he uses for everything else. Again, not 100% of
    the time, but 90-95% of it. My 2 cents. Maybe that clarifies it.

    JayW

    >>> Tim Greer <chatmaster@charter.net> 09/05/03 03:18PM >>>
    On Fri, 2003-09-05 at 07:42, Jay Woody wrote:
    > See, now I have to disagree here. I'll use web page defacements as an
    > example. Script Kiddies showed that they did not care who or what they
    > were targeting 90% of the time.

    What purpose would seeing a response from a ping serve to a kiddy
    looking to deface web sites? If they are going to attack you randomly,
    why do you assume that they would stop to think when they are blindly
    attacking networks/ips anyway?

    > They just scan a range and whoever
    > replied they ran a vuln scanner against.

    Running a scanner to look for open ports or vulnerabilities in services,
    is not going to change because you don't reply to ping requests. Those
    scans will check the ports and services on said IP--not give up if it
    can't get a ping response.

    > If they could get in and
    > "hack" the web page, they would.

    And that doesn't relate to the type of attacks being discussed. That's
    another, less serious issue anyway.

    > They'd get their "message" out and
    > move on.

    No, they'd probe for vulnerabilities by domain or IP, the ping response
    plays no role in that situation.

    > Did some target pro-Israeli sites, etc.? Of course, but many
    > more were just companies that replied and then had a vuln scan ran
    > against them.

    That is irrelevant.

    > Here is what it boils down to in my opinion, in the case of a
    > determined hacker that wants you and no one else, then obviously
    > blocking pings ain't gonna cut it.

    True. You're either vulnerable or not. But it depends on the type of
    attack and on what service or protocol.

    > However, in the case of script
    > kiddies that just scan a range and hit who replies, then blocking pings
    > stops about 95% of them from even going any deeper.

    No it doesn't. Skripties are stupid by nature. They hit blindly with
    the scanners, the scanners don't give up if there's no ping response,
    they are busy checking to see what's running on the various ports that
    particular scanner scans. It's almost contradictive to use script
    kiddie and 'dig deeper' in the same sentence.

    > I heard one say (I
    > think it was Hackweiser) that if someone didn't reply, why keep looking
    > at them, there were plenty of other boxes that would reply.

    But they aren't looking for boxes that reply to ping requests, they hit
    the IP on various ports to check to see if that port/service responds
    and with what.

    > If all you
    > care is to try and hack 400 boxes, then why waste time? Just hit the
    > ones that are easy and come back to the hard ones.

    Like I said, a dumb ass script kiddie will hit the ports checking the
    services for vulnerable services. Ping response or not makes absolutely
    no difference. It's either going to happen or not, random or targeted.

    If it's random, you'll be hit and probed anyway (being an attack or
    probe). If it's not random, well, we all know the answer. I don't see
    the point to that side of this debate.

    -- 
    Tim Greer <chatmaster@charter.net>
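The two-stage pattern Jay describes (sweep a range for echo replies, then port-scan only the hosts that answered) is something a defender can look for in firewall logs. The script below is an added example, not code from either poster; it assumes netfilter-style LOG lines and runs over constructed sample records with documentation-range addresses.

```python
# Added illustration (not code from the thread): flag an ICMP echo sweep and the
# follow-up port probes it led to, using constructed netfilter-style log lines.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Constructed sample (documentation-range addresses): one source pings five hosts,
# then probes only the two that answered; a second source pings a single host.
SAMPLE_LOG = """\
Sep  5 16:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=ICMP TYPE=8
Sep  5 16:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=ICMP TYPE=8
Sep  5 16:01:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.3 PROTO=ICMP TYPE=8
Sep  5 16:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=ICMP TYPE=8
Sep  5 16:01:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=ICMP TYPE=8
Sep  5 16:03:10 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=80
Sep  5 16:03:10 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=21
Sep  5 16:03:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=80
Sep  5 16:04:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.1 PROTO=ICMP TYPE=8
"""


def analyze(log_text, sweep_threshold=5):
    """Return {src: {"swept": hosts, "probed": hosts}} for every source whose
    echo requests reached at least sweep_threshold distinct hosts; "probed" is
    the subset of swept hosts that later got TCP probes from the same source."""
    echoed = defaultdict(set)   # src -> hosts that received ICMP echo requests
    tcp = defaultdict(set)      # src -> hosts that received TCP probes
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto = m.group("src"), m.group("dst"), m.group("proto")
        if proto == "ICMP" and m.group("type") == "8":
            echoed[src].add(dst)
        elif proto == "TCP":
            tcp[src].add(dst)
    return {src: {"swept": hosts, "probed": hosts & tcp[src]}
            for src, hosts in echoed.items() if len(hosts) >= sweep_threshold}


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, "swept", len(info["swept"]), "hosts; probed", sorted(info["probed"]))
```

A source that sweeps many hosts and then probes only the ones that answered is the signature of the workflow argued about in this thread; hosts that never answered the echo request do not appear in the probed set.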
    
