Port Scan from random Source IP's

scuccii

Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Thu Oct 21, 2010 9:26 am

Port Scan from random Source IP's

I've read about dynamic port scanning, but I thought that the spoofed IPs needed to be within the same subnet? Can anyone help me out here?

thanks

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Oct 21, 2010 9:51 pm

Re: Port Scan from random Source IP's

NMAP has a variety of spoofing and IDS evasion options available. They are very well documented here:

http://nmap.org/book/man-bypass-firewalls-ids.html

In general, if you want to spoof an IP address, you have to have control of that address in order for you to get a reply. This is just due to the design of the TCP/IP protocol suite. You don't always care if the spoofed packets come back to you. Sometimes, you just want to flood the IDS with a bunch of random sources masking the actual port scan. A really stupid IDS will make it difficult for the operator to detect your port scan.
~~~~~~~~~~~~~~
Ketchup
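Ketchup's point that decoys only fool a "really stupid IDS" suggests the defender's check: decoy sources all probe the same ports on the same target in lockstep, so a group of distinct sources with an identical port set in one short window is the signature. The following is an added example, not code from the thread, that flags that pattern over constructed firewall-drop log lines; the log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall-drop lines (not from the thread). Format:
# "<epoch_seconds> DROP <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1287650000 DROP 203.0.113.5 -> 192.0.2.10:22
1287650000 DROP 198.51.100.7 -> 192.0.2.10:22
1287650000 DROP 203.0.113.99 -> 192.0.2.10:22
1287650001 DROP 203.0.113.5 -> 192.0.2.10:80
1287650001 DROP 198.51.100.7 -> 192.0.2.10:80
1287650001 DROP 203.0.113.99 -> 192.0.2.10:80
1287650002 DROP 203.0.113.5 -> 192.0.2.10:443
1287650002 DROP 198.51.100.7 -> 192.0.2.10:443
1287650002 DROP 203.0.113.99 -> 192.0.2.10:443
1287650100 DROP 192.0.2.77 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\d+) DROP (\S+) -> (\S+):(\d+)$")
WINDOW = 60       # seconds per bucket (assumed; tune to your scan rate)
MIN_SOURCES = 3   # distinct sources that must share one port set
MIN_PORTS = 3     # ports that shared set must cover

def parse(log):
    """Return (timestamp, src, dst, dport) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            events.append((int(ts), src, dst, int(port)))
    return events

def find_decoy_scans(events):
    """Flag targets where many sources probed an identical port set together."""
    # ports probed by each source against each target, per time bucket
    probes = defaultdict(set)
    for ts, src, dst, port in events:
        probes[(ts // WINDOW, dst, src)].add(port)
    # sources that sent exactly the same probes to the same target
    groups = defaultdict(list)
    for (bucket, dst, src), ports in probes.items():
        groups[(bucket, dst, frozenset(ports))].append(src)
    alerts = []
    for (bucket, dst, ports), srcs in groups.items():
        if len(srcs) >= MIN_SOURCES and len(ports) >= MIN_PORTS:
            alerts.append({"target": dst, "window_start": bucket * WINDOW,
                           "sources": sorted(srcs), "ports": sorted(ports)})
    return alerts
```

The alert lists every source in the group because, as Ketchup says, the real scanner is hidden among the decoys; an idle scan as tturner describes would instead show only the quiet zombie host as the source.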

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Oct 22, 2010 8:33 am

Re: Port Scan from random Source IP's

Idle scanning is useful for detection evasion. You don't actually need to receive the replies from your scans as long as you've identified a nice quiet host to spoof and you don't have to control that address either, but you will need access to it.

http://nmap.org/book/idlescan.html
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Fri Oct 22, 2010 9:56 am

Re: Port Scan from random Source IP's

tturner - why do you need access to the idle host? I think you just need to have an open TCP port to use for the idle scan to increment the IP ID, but you don't need anything further. Or did I misunderstand and you meant access as being such?
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW

dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Fri Oct 22, 2010 10:05 am

Re: Port Scan from random Source IP's

By "access" I guess tturner meant network access to the idle host... Otherwise the change in the sequence number cannot be realized by the attacking host.

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Oct 22, 2010 10:35 am

Re: Port Scan from random Source IP's

I mean network access. Meaning you can't target a host behind a NAT'd firewall and use another spoofed host on that same network unless you can directly communicate with it. You absolutely do not need any kind of privileged access.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org