0x475 Proactive Defense (shroud)
Port scans are often used to profile systems before they are attacked. Knowing what ports are open allows an attacker to determine which services can be attacked. Many IDSs offer methods to detect port scans, but by then the information has already been leaked. While writing this chapter, I wondered if it is possible to prevent port scans before they actually happen. Hacking, really, is all about coming up with new ideas, so a newly developed method for proactive port-scanning defense will be presented here.
First of all, the FIN, Null, and X-mas scans can be prevented by a simple
kernel modification. If the kernel never sends reset packets, these scans will
turn up nothing. The following output uses grep to find the kernel code
responsible for sending reset packets.
reader@hacking:~/booksrc $ grep -n -A 20 "void.*send_reset" /usr/src/linux/net/ipv4/tcp_ipv4.c
547:static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
548-{
549- struct tcphdr *th = skb->h.th;
550- struct {
551- struct tcphdr th;
552-#ifdef CONFIG_TCP_MD5SIG
553- __be32 opt[(TCPOLEN_MD5SIG_ALIGNED >> 2)];
554-#endif
555- } rep;
556- struct ip_reply_arg arg;
557-#ifdef CONFIG_TCP_MD5SIG
558- struct tcp_md5sig_key *key;
559-#endif
560-
return; // Modification: Never send RST, always return.
561- /* Never send a reset in response to a reset. */
562- if (th->rst)
563- return;
564-
565- if (((struct rtable *)skb->dst)->rt_type != RTN_LOCAL)
566- return;
567-
reader@hacking:~/booksrc $
By adding the return statement (the unnumbered return; line in the listing above, which the original shows in bold), the tcp_v4_send_reset() kernel function simply returns instead of doing anything. After the kernel is recompiled, the resulting kernel won't send out reset packets, avoiding information leakage.
FIN Scan Before the Kernel Modification
matrix@euclid:~ $ sudo nmap -T5 -sF 192.168.42.72
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-17 16:58 PDT
Interesting ports on 192.168.42.72:
Not shown: 1678 closed ports