Christmas tree), and the Null scan sends a packet with no TCP flags set. While
these types of scans are stealthier, they can also be unreliable. They depend
on the target following RFC 793, which says that a closed port must answer such
a packet with an RST while an open port silently drops it. Microsoft's TCP
implementation doesn't follow this rule: it answers with an RST whether the
port is open or closed, so every port looks closed and this form of scanning is
ineffective against Windows hosts.
Using nmap, FIN, X-mas, and Null scans can be performed using the
command-line options -sF, -sX, and -sN, respectively. Their output looks
basically the same as the previous scan, except that a port that doesn't answer
is reported as open|filtered rather than open, since a dropped probe and a
firewalled one look identical to the scanner.
0x473 Spoofing Decoys
Another way to avoid detection is to hide among several decoys. This technique
simply spoofs connections from various decoy IP addresses in between each
real port-scanning connection. The responses to the spoofed packets go to the
decoy addresses rather than to the attacker, but they aren't needed, since the
decoys exist only to bury the real scan in a crowd of apparent sources.
However, the decoy addresses must be those of live hosts: a live decoy answers
the target's SYN/ACKs with RSTs that tear the half-open connections down,
whereas a dead decoy leaves them dangling, so the target may be accidentally
SYN flooded. Note also that decoys only hide which of the sources is real; the
target still sees, and can log, a scan arriving from every one of them.
Decoys can be specified in nmap with the -D command-line option.
The sample nmap command shown below scans the IP 192.168.42.72, using
192.168.42.10 and 192.168.42.11 as decoys.
reader@hacking:~/booksrc $ sudo nmap -D 192.168.42.10,192.168.42.11 192.168.42.72
0x474 Idle Scanning
Idle scanning is a way to scan a target using spoofed packets from an idle
host, by observing changes in the idle host. The attacker needs to find a
usable idle host that is not sending or receiving any other network traffic and
that has a TCP/IP implementation that produces predictable IP IDs that change
by a known increment with each packet. The IP ID is a 16-bit field in the IP
header meant to identify the fragments of a single datagram so they can be
reassembled; it only has to be unique among packets in flight between the same
two hosts, and many stacks satisfy this with a single global counter that is
incremented by a fixed amount (commonly 1, though some stacks appear to step by
256 because they write the field in host byte order) for every packet sent,
whatever its destination. Predictable IP IDs have never really been
considered a security risk, and idle scanning takes advantage of this
misconception: the counter leaks how many packets the idle host has sent, to
anyone at all, since the attacker last looked. Newer operating systems,
such as the recent Linux kernel, OpenBSD, and Windows Vista, randomize
the IP ID, but older operating systems and hardware (such as printers)
typically do not.
First, the attacker gets the current IP ID of the idle host by contacting it
with a SYN packet to an open port or an unsolicited SYN/ACK packet and
observing the IP ID of the response (a SYN/ACK or an RST, respectively). By
repeating this process a few more times, the increment applied to the IP ID
with each packet can be determined, and the attacker can confirm that the host
really is idle: if the IP ID jumps by more than one increment between two
probes, the host is talking to someone else and the scan results will be noisy.
Then, the attacker sends a spoofed SYN packet with the idle host's IP
address as the source to a port on the target machine. One of two things will
happen, depending on whether that port on the target machine is listening:
· If that port is listening, a SYN/ACK packet will be sent back to the idle
host. But since the idle host didn't actually send out the initial SYN
packet, this response appears to be unsolicited to the idle host, and it
responds by sending back an RST packet, which increments its IP ID.
· If that port isn't listening, the target machine answers the spoofed SYN
with an RST instead (or with nothing at all, if a firewall drops the probe).
An RST for a connection it never opened is silently discarded by the idle
host, so it sends no packet and its IP ID doesn't change.
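To make the IP ID arithmetic concrete, here is an added example (my own code, not from the book) that simulates the whole exchange described above, carried through to the step the text sets up: after the spoofed SYN, the attacker probes the idle host again, and the difference between the two IP IDs, in units of the increment, is one packet for a closed port and two for an open one. The IdleHost and Target classes, their port numbers and IP ID values are constructed models for illustration, not real hosts. The code also handles the two things that break the technique in practice, a 16-bit counter that wraps around and an "idle" host that is sending traffic of its own.

```python
# Added example (not from the book): a self-contained simulation of the idle
# scan inference.  Two model hosts stand in for the idle host ("zombie") and
# the target; the attacker never sends the target a packet carrying its own
# address and only ever reads the IP ID of packets the zombie sends back.
# The host models, port numbers and IP ID values are constructed.

IPID_MOD = 1 << 16          # the IP ID is a 16-bit field, so it wraps around


class IdleHost:
    """Model of an old TCP/IP stack with one global, incrementing IP ID."""

    def __init__(self, ipid, increment=1, background_packets=0):
        self.ipid = ipid
        self.increment = increment                      # per-packet step
        self.background_packets = background_packets    # traffic to others

    def _send_packet(self):
        """Every packet the host emits advances the counter; returns its IP ID."""
        self.ipid = (self.ipid + self.increment) % IPID_MOD
        return self.ipid

    def receive_syn_ack(self):
        """Unsolicited SYN/ACK: no matching connection, so the host replies RST."""
        return self._send_packet()

    def receive_rst(self):
        """An RST for a connection the host never opened is silently dropped."""
        return None

    def background_traffic(self):
        """Packets sent to third parties while the attacker is not looking."""
        for _ in range(self.background_packets):
            self._send_packet()


class Target:
    """Model of the scanned host: SYN to an open port -> SYN/ACK, else -> RST."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port, claimed_source):
        # The reply is addressed to the spoofed source, i.e. the idle host.
        if port in self.open_ports:
            return claimed_source.receive_syn_ack()   # zombie answers with RST
        return claimed_source.receive_rst()          # zombie stays silent


def probe_ipid(zombie):
    """Attacker's own probe: an unsolicited SYN/ACK, answered with an RST."""
    return zombie.receive_syn_ack()


def measure_increment(zombie, samples=4):
    """Probe a few times; the constant difference is the per-packet increment.
    Returns None if the differences disagree (the host is not really idle)."""
    ids = [probe_ipid(zombie) for _ in range(samples)]
    diffs = {(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def idle_scan_port(target, zombie, port, increment):
    """Classify one port as 'open', 'closed' or 'unknown' from the zombie's
    IP ID alone."""
    before = probe_ipid(zombie)
    zombie.background_traffic()            # whatever the zombie does meanwhile
    target.receive_spoofed_syn(port, zombie)
    after = probe_ipid(zombie)

    delta = (after - before) % IPID_MOD    # modular, so 16-bit wraparound is fine
    if delta % increment != 0:
        return "unknown"                   # not a whole number of packets
    packets_sent = delta // increment      # includes the RST to our 'after' probe
    if packets_sent == 1:
        return "closed"                    # only our own probe was answered
    if packets_sent == 2:
        return "open"                      # one extra RST: the target's SYN/ACK
    return "unknown"                       # the zombie talked to someone else


if __name__ == "__main__":
    zombie = IdleHost(ipid=1000)
    target = Target(open_ports={22, 80})
    inc = measure_increment(zombie)
    for p in (22, 23, 80, 81):
        print(p, idle_scan_port(target, zombie, p, inc))
```

Against a real network the two model classes would be replaced by raw-socket sends and packet captures (nmap does exactly this with its -sI zombie_host option), but the inference in idle_scan_port is unchanged: a noisy zombie or a wrong increment estimate shows up as the "unknown" verdict, which is why the host must be truly idle for the scan to be trusted.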