[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Idle scan rediscovered!!!
- To: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Idle scan rediscovered!!!
- From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 5 May 2006 16:11:11 -0400
> 2. There seem to be something with ACK packets to exploit for
> idle-scanning:
>
> hping3 -A -r host -p 80
>
> Gives back exploitable incremental IPID on a Linux 2.6.15 box.
Are you sure? Just because the sequences are predictable or even
incremental for your source host doesn't mean it is exploitable. This
is old information, but I would assume it is still the case (until
someone presents hard evidence otherwise):
"One good approach is to use connection or peer-specific IPID sequences.
Solaris does this, and it severely limits the information attackers can
glean about other connections. Linux 2.4 also uses peer-specific IPID
values (see net/ipv4/inetpeer.c). In addition, Linux 2.4 zeros the IPID
fields in packets with the DF (Don't Fragment) bit set. After all, IP
defragmentation is the only critical use of the ID field. Another
approach (used by OpenBSD) is to randomize the IPID sequence. This is
difficult to get right -- be sure the sequence does not repeat and that
individual numbers will not be used twice in a short period."
This quote is taken from:
http://www.insecure.org/nmap/idlescan.html
So, if a host maintains a predictable sequence, but it maintains
independent sequences for each destination it sends packets to, then it
isn't exploitable. I haven't tested it in recent Linux kernels myself,
but I also haven't seen anyone present solid evidence to the contrary of
this older information.
thanks,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/