PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:01:6C:EB:1D:50 (Foxconn)
Nmap finished: 1 IP address (1 host up) scanned in 1.462 seconds
matrix@euclid:~ $
FIN Scan After the Kernel Modification
matrix@euclid:~ $ sudo nmap -T5 -sF 192.168.42.72
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-17 16:58 PDT
Interesting ports on 192.168.42.72:
Not shown: 1678 closed ports
PORT STATE SERVICE
MAC Address: 00:01:6C:EB:1D:50 (Foxconn)
Nmap finished: 1 IP address (1 host up) scanned in 1.462 seconds
matrix@euclid:~ $
This works fine for scans that rely on RST packets, but preventing information leakage with SYN scans and full-connect scans is a bit more difficult. In order to maintain functionality, open ports have to respond with SYN/ACK packets—there is no way around that. But if all of the closed ports also responded with SYN/ACK packets, the amount of useful information an attacker could retrieve from port scans would be minimized. Simply opening every port would cause a major performance hit, though, which isn't desirable. Ideally, this should all be done without using a TCP stack. The following program does exactly that. It's a modification of the rst_hijack.c program, using a more complex BPF string to filter only SYN packets destined for closed ports. The callback function spoofs a legitimate looking SYN/ACK response to any SYN packet that makes it through the BPF. This will flood port scanners with a sea of false positives, which will hide legitimate ports.
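An added illustration, not the book's shroud.c and not code from its author: it deliberately avoids libnet and pcap so it compiles stand-alone, and the helper names build_syn_filter, is_decoy_port and decoy_synack are hypothetical. It shows the two pieces the paragraph above describes in the abstract: how a BPF expression that matches only bare SYN probes to ports that are not really listening can be assembled from a list of genuine services (here a constructed sample of ports 22 and 80 on 192.168.42.72, taken from the scan output), and which header fields a decoy SYN/ACK has to carry to look like a real handshake reply (ports swapped, acknowledgement number equal to the probe's sequence number plus one, SYN and ACK flags set).

```c
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* Hypothetical helper: build a BPF filter string that matches only packets
 * with SYN set and ACK clear, addressed to `host`, and excludes every port
 * that is genuinely listening. Anything that passes this filter is a probe
 * to a closed port, i.e. a candidate for a decoy SYN/ACK.
 * Returns the length written, or -1 if `buf` is too small. */
int build_syn_filter(char *buf, size_t buflen, const char *host,
                     const unsigned short *open_ports, int nports)
{
    int n, len;

    n = snprintf(buf, buflen,
                 "dst host %s and tcp[tcpflags] & tcp-syn != 0"
                 " and tcp[tcpflags] & tcp-ack = 0", host);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    len = n;

    for (int i = 0; i < nports; i++) {
        n = snprintf(buf + len, buflen - (size_t)len,
                     " and not dst port %u", (unsigned)open_ports[i]);
        if (n < 0 || (size_t)n >= buflen - (size_t)len)
            return -1;
        len += n;
    }
    return len;
}

/* Second line of defence inside the callback: even if the filter let a
 * packet through, never answer for a port that a real service owns. */
int is_decoy_port(unsigned short dport, const unsigned short *open_ports, int nports)
{
    for (int i = 0; i < nports; i++)
        if (open_ports[i] == dport)
            return 0;
    return 1;
}

/* Minimal view of the TCP header fields a decoy reply depends on. */
struct tcp_fields {
    unsigned short sport, dport;
    unsigned int seq, ack;
    unsigned char flags;
};

/* Derive the SYN/ACK a legitimate stack would send in reply to `syn`:
 * source and destination ports swap, our own initial sequence number is
 * `our_seq`, and the acknowledgement number is the probe's seq + 1. */
struct tcp_fields decoy_synack(const struct tcp_fields *syn, unsigned int our_seq)
{
    struct tcp_fields reply;
    reply.sport = syn->dport;
    reply.dport = syn->sport;
    reply.seq   = our_seq;
    reply.ack   = syn->seq + 1;
    reply.flags = TH_SYN | TH_ACK;
    return reply;
}

int main(void)
{
    /* Constructed sample: the scanned host above, with ssh and http really open. */
    const unsigned short open_ports[] = { 22, 80 };
    char filter[512];

    if (build_syn_filter(filter, sizeof filter, "192.168.42.72", open_ports, 2) < 0) {
        fprintf(stderr, "filter buffer too small\n");
        return 1;
    }
    printf("BPF filter: %s\n", filter);

    struct tcp_fields probe = { 40000, 443, 1000, 0, TH_SYN };
    struct tcp_fields reply = decoy_synack(&probe, 777);
    printf("decoy reply: %u -> %u seq=%u ack=%u flags=0x%02x\n",
           reply.sport, reply.dport, reply.seq, reply.ack, reply.flags);
    return 0;
}
```

The filter string is what the book's program hands to pcap's compiler; the decoy fields are what its callback would feed into a raw packet builder. Keeping the exclusion list in both the filter and the callback means a mistake in the filter cannot cause the decoy to answer on behalf of a real service.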
shroud.c
#include <libnet.h>
#include <pcap.h>
#include "hacking.h"

#define MAX_EXISTING_PORTS 30

/* pcap callback: answers each filtered SYN with a spoofed SYN/ACK */
void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
/* builds the BPF filter from the list of ports that really exist */
int set_packet_filter(pcap_t *, struct in_addr *, u_short *);

/* handed to the callback: the libnet handle and a prebuilt packet buffer */
struct data_pass {
    int libnet_handle;
    u_char *packet;
};

int main(int argc, char *argv[]) {
    struct pcap_pkthdr cap_header;
    const u_char *packet, *pkt_data;
    pcap_t *pcap_handle;