Port scan using zombies.

Whoa! I dug up an interesting thing. You all probably know that hacking often begins with port scanning. However, it is not only hacking that often begins with port scanning.
For port scanning, a tool called nmap is used, for example. It is a console utility that can detect open ports and also guess which OS is running on the attacked (scanned) machine.
So ...
I was using it the other day and discovered the possibility of stealth scanning through a zombie machine.
The trick here is that not a single packet carrying the scanner's address ever reaches the scanned machine. And that is awesome! The attack is very beautiful. I do not really understand much about how TCP/IP works, but not much is needed here. Here is a description of the attack: nmap.org/book/idlescan.html

Briefly, how it works:
When a TCP packet arrives at a machine to establish a connection (it is called SYN, for session establishment), the machine can answer either SYN/ACK, that is, accept the connection, or RST, that is, reject it.
When a machine receives a SYN/ACK packet it was not waiting for, it responds with RST; when it receives an RST, it answers nothing.
Also, on the Internet (IP networks) you can send a packet with any return address. Obviously no reply should be expected, since the reply goes to the forged return address.
And the last thing, which is what actually makes the attack possible: most systems number ALL the IP packets they send consecutively, regardless of the recipient. Packets have to be numbered so that the recipient can reassemble them in the correct order on arrival.
Since the packets are numbered consecutively, you can find out how many packets computer B sent between two requests that computer A made to it.

How the attack works:
There are two machines, A and C. Machine A wants to scan C covertly. To do this it picks, at random, any lightly loaded "zombie" machine on the Internet, B. It sends B an IP packet and learns B's current IPID.
Now it sends a SYN to machine C, but with B as the return address.
Then there are two options.
1. The port on machine C is open, and C sends its reply, SYN/ACK, which goes to machine B. Machine B answers with RST, since it is not waiting for that connection and is hearing about it for the first time. But its IPID increases by 1.
2. The port on machine C is closed, and C sends RST, again to machine B (which knows nothing about any of this). Machine B, as the rules say, ignores this packet and its IPID does not increase.
Now the malicious, pimply and unwashed hacker can send another IP packet to machine B and get a reply carrying B's new IPID. If it differs from the first request by 1, the port on machine C is closed. If by 2, the port is open! That's it!
Note that machine B was not infected with anything, and machine C got not a single hint about who actually scanned it.
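The inference step above, as an added simulation that is not code from the post or from nmap and sends no real packets: two modelled hosts follow the three rules from the text, and the zombie's IPID is read before and after the forged SYN. The names A, B, C follow the post; the Host class, the packet dicts and the seeded counter are assumptions. It also models the usual mitigation, a zombie with randomized IPIDs, which leaves nothing to infer.

```python
import random
# Added simulation of the IPID inference, not nmap's code and no real packets.
# Packets are plain dicts; "ipid" is the counter the sending host stamps on them.
class Host:
    def __init__(self, name, open_ports=(), sequential_ipid=True, seed=0):
        self.name, self.open_ports = name, set(open_ports)
        self.sequential = sequential_ipid
        self.rng = random.Random(seed)            # assumption: deterministic for the demo
        self.ipid = self.rng.randrange(65536)

    def emit(self, flags, dst, port):
        # Every packet this host sends consumes one IPID, whoever the recipient is.
        if self.sequential:
            self.ipid = (self.ipid + 1) % 65536   # the predictable counter the attack relies on
        else:
            self.ipid = self.rng.randrange(65536) # randomized IPID: the usual mitigation
        return {"src": self.name, "dst": dst, "flags": flags, "port": port, "ipid": self.ipid}

    def receive(self, pkt):
        """The three rules: SYN -> SYN/ACK or RST, stray SYN/ACK -> RST, RST -> silence."""
        if pkt["flags"] == "SYN":
            is_open = pkt["port"] in self.open_ports
            return self.emit("SYN/ACK" if is_open else "RST", pkt["src"], pkt["port"])
        if pkt["flags"] == "SYN/ACK":
            return self.emit("RST", pkt["src"], pkt["port"])
        return None

def deliver(pkt, hosts):
    """Hand the packet to its destination; a reply goes wherever the (possibly
    forged) source address points, e.g. C's SYN/ACK lands on B. Returns the reply."""
    reply = hosts[pkt["dst"]].receive(pkt)
    if reply is not None and reply["dst"] in hosts:
        deliver(reply, hosts)
    return reply

def idle_scan_port(hosts, scanner, zombie, target, port):
    """Classify one port on `target` using only the zombie's IPID before/after."""
    def probe():  # a SYN/ACK to the zombie draws an RST that carries its current IPID
        return deliver({"src": scanner, "dst": zombie, "flags": "SYN/ACK", "port": 80}, hosts)["ipid"]
    before = probe()
    deliver({"src": zombie, "dst": target, "flags": "SYN", "port": port}, hosts)  # forged source B
    delta = (probe() - before) % 65536
    return {1: "closed", 2: "open"}.get(delta, "unknown")

if __name__ == "__main__":
    net = {"B": Host("B"), "C": Host("C", open_ports={22, 443})}
    for p in (22, 25, 443):
        print(p, idle_scan_port(net, "A", "B", "C", p))
```

With `Host("B", sequential_ipid=False)` as the zombie the delta is essentially random, so the classifier almost always returns "unknown" and the scan learns nothing.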

The English article at the link has wonderful pictures for those who did not follow any of this but are interested. There is also a picture of how the RIAA was scanned. Quite right. RIAA should die.

Source: https://habr.com/ru/post/40413/
