[23083] in bugtraq


IP ID could allow scanning of a masqueraded network.

daemon@ATHENA.MIT.EDU (Elie aka \"Lupin\" Bursztein)
Thu Nov 8 23:08:27 2001

Message-Id: <5.1.0.14.0.20011105165813.00a905b8@mail.imagorama.com>
Date: Mon, 05 Nov 2001 17:20:43 -0800
To: bugtraq@securityfocus.com
From: "Elie aka \"Lupin\" Bursztein" <elie@bursztein.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hello,

I was working on a new implementation of the IP ID scan (also known as
idle scan in the nmap man page, or pixie-scan as I call it).
During my tests I think I discovered a new way to use this type of scan:

Synopsis
--------

Using the gateway of a masqueraded network as a witness (relay host) for the
pixie-scan allows remote scanning of the private network.

Details
-------

On some stack implementations the IP ID field is incremental, so by sending a
spoofed SYN packet to the gateway from a private network box and then comparing
the IP ID value, you can remotely know which services are open on this intranet
computer even if it is masqueraded.
Of course the pixie-scan is a well-known technique, but this use of it is new.
For more details about the pixie-scan I have written a paper which will be
available around tomorrow evening at the following URL:
http://www.bursztein.net/secu/pixie.html

Affected versions
-----------------

I have tested the pixie-scan with success against:

- Win 2K service pack
- 3com Netbuilder

Unsuccessful attempt:

- Linux 2.4.x



Sincerely,

Elie aka "Lupin" Bursztein
___________________________
icq  : 32228319
mail : secu@bursztein.net
web  : www.bursztein.net/secu
___________________________
"He feels safe, and at this very moment, I was lost..."
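The inference the message above relies on, as an added Python simulation that is not part of the original post or of the author's pixie-scan implementation: a witness host with an incremental IP ID (in the post's scenario, the masquerading gateway), a target whose SYN/ACK or RST is delivered to the witness, and an attacker who reads the witness's IP ID before and after a SYN sent with the witness's spoofed source address. The Witness and Target classes, the port numbers and the starting IP ID are constructed; the post does not spell out how the probe reaches the host behind the gateway, so the example models the generic idle-scan exchange rather than that routing step. It also includes the check a practitioner runs first: a witness whose IP ID does not advance by one per packet (the behaviour the post reports as an unsuccessful attempt against Linux 2.4.x) is rejected instead of scanned.

```python
"""Simulated IP ID ("idle" / pixie) scan against in-memory hosts.

Three parties: the attacker (the functions below), a witness whose IP ID
counter the attacker can read, and a target that answers SYNs carrying
the witness's spoofed source address. Nothing touches the network; the
hosts are constructed models so the inference logic can be run offline.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Witness:
    """Host whose outgoing IP ID the attacker observes (assumed model).

    incremental=True models a stack with one global counter, the behaviour
    the scan depends on; incremental=False models a stack that randomises
    the field, which defeats the inference.
    """
    incremental: bool = True
    ip_id: int = 1000
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def send(self) -> int:
        """IP ID of the next packet this host emits."""
        if self.incremental:
            self.ip_id = (self.ip_id + 1) & 0xFFFF
            return self.ip_id
        return self.rng.randrange(0, 0x10000)

    def on_syn_ack(self) -> None:
        # Unsolicited SYN/ACK: the stack answers with a RST, spending one IP ID.
        self.send()

    def on_rst(self) -> None:
        # Unsolicited RST: silently dropped, no packet sent, no IP ID spent.
        pass


@dataclass
class Target:
    """Host being scanned; it only ever replies to the spoofed source."""
    open_ports: set = field(default_factory=set)

    def on_syn(self, port: int, spoofed_src: Witness) -> None:
        if port in self.open_ports:
            spoofed_src.on_syn_ack()   # SYN/ACK lands on the witness
        else:
            spoofed_src.on_rst()       # RST lands on the witness


def probe_ip_id(witness: Witness) -> int:
    """Attacker sends an unsolicited SYN/ACK; the RST reply carries the witness's IP ID."""
    return witness.send()


def witness_is_usable(witness: Witness, samples: int = 6) -> bool:
    """Accept only witnesses whose IP ID advances by exactly 1 per packet.

    Run this before trusting any result; a randomising stack fails it.
    """
    ids = [probe_ip_id(witness) for _ in range(samples)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(witness: Witness, target: Target, port: int) -> str:
    """Classify one target port from the witness's IP ID delta.

    delta 1: only our own probe reply -> target sent RST or nothing (closed|filtered)
    delta 2: witness also answered a SYN/ACK -> port open
    anything else: the witness talked to someone else meanwhile; retry.
    """
    before = probe_ip_id(witness)
    target.on_syn(port, spoofed_src=witness)   # SYN with source spoofed as witness
    after = probe_ip_id(witness)
    delta = (after - before) & 0xFFFF           # mask handles 16-bit wraparound
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"


def idle_scan(witness: Witness, target: Target, ports) -> dict:
    """Scan a list of ports; refuse to report anything from an unusable witness."""
    if not witness_is_usable(witness):
        raise ValueError("witness IP ID is not incremental; results would be meaningless")
    return {p: idle_scan_port(witness, target, p) for p in ports}


if __name__ == "__main__":
    # Constructed scenario: incremental witness, target with 22 and 80 open.
    gw = Witness(incremental=True)
    box = Target(open_ports={22, 80})
    print(idle_scan(gw, box, [22, 23, 80, 443]))
    # A randomising witness is rejected before any port is scanned.
    try:
        idle_scan(Witness(incremental=False), box, [22])
    except ValueError as e:
        print("rejected:", e)
```

The usability check matters as much as the scan itself: against a witness that randomises its IP ID every delta looks like noise, and a scanner that skips the check would report whatever the noise happens to produce.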


