Full Version: New form of scanning discovered
A new method to port scan remote hosts has been discovered. A malicious user can repeatedly "ping" a third-party computer and monitor the initial sequence number it returns. The initial sequence number is the number the remote host assigns to the start of a communication; it is what lets the protocol keep the exchange in sequence and discover lost packets.
This way, the user can port scan a remote site (other than the third-party computer) and cause the remote site to think that the scan originated from the third-party computer.

A tool called "hping" does not actually send ICMP packets (the standard packet sent by the ping program) but rather a TCP packet with special flags. The program listens for the returning packets and decides whether the TCP port is open or closed at the destination computer, or whether the TCP port is allowed by the router's ACL but not open at the destination computer. This is not 100% accurate, but it achieves the effect of a port scan.
A malicious user can monitor the initial sequence number given by the remote computer and, from the increment of this number, infer how many packets the remote computer has sent and received.
This way, by hpinging a silent computer (one that receives no transmissions other than those sent by the malicious user) and sending spoofed packets, it is possible to learn the result of the TCP port scan by observing the change in the sequence number. This has the effect of "bouncing" the port scan off the "silent" computer.
Usually the sequence number changes by 1 for each incoming packet (if you are the only computer communicating with the remote computer), but if another computer sends information to the same computer the change will be greater than 1, usually showing up as a big shift in the sequence numbers. However, since other factors (other communication with that machine) can also change the sequence number, this port scan is not 100% accurate.

To better explain what happens while the remote computer is being scanned, here is an example of such a scan.
Host A - The malicious host.
Host B - The silent host (a host whose network activity is zero). This can be any host on the Internet that we want to "frame" for the port scan.
Host C - The target.

Part one of the scan: Host A monitors Host B's network activity by checking the increments of Host B's sequence number, i.e. by executing "hping B -r", which gives the following demo output:
HPING B (eth0 www.xxx.yyy.zzz): no flags are set, 40 data bytes
60 bytes from www.xxx.yyy.zzz: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms

As the results show, Host B is a silent host (also referred to as a 'zero traffic' host): the incremental change of its sequence number is 1 (this change reflects the amount of traffic the remote host received, which is one packet, our monitoring packet). This makes Host B a perfect candidate to use as the gateway for our spoofed port scan.
We'll now send a spoofed SYN packet to port X of Host C, using the source address of Host B.
If port X is open on Host C, Host C will send a SYN/ACK packet back to Host B, forcing Host B to send a RST packet to Host C.
The RST packet is sent because Host B knows it didn't initiate this conversation, so it sends Host C a packet saying it doesn't want to continue the conversation: an RST packet.
Sending the RST packet to Host C causes Host B's initial sequence number to change dramatically (from the "standard" step of 1 to something bigger).
Monitoring Host B's sequence numbers will of course show this.
Running "hping B -r" again, the different result is shown:

60 bytes from www.xxx.yyy.zzz: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms

If port X is not open on Host C, no reply will be sent to Host B, causing no noticeable change in the initial sequence number, as shown here:

60 bytes from www.xxx.yyy.zzz: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms

Some operating systems cannot be used as a silent host in this scan because of the way they increment the initial sequence number.
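The counter the post calls the sequence number is the one hping prints in the `id=` column (the IP header identification field, the same `ip_id_count` the kernel patch below perturbs), and with `-r` each reply shows it relative to the previous reply. The following is an added example, not code from the original post, that parses such `hping -r` output and answers the defender's question of whether a host's id behaviour makes it usable as the silent host. It assumes the quoted reply lines as input plus a constructed window for a host with random per-packet ids, and a step bound of 16 as the cut-off for "counter-like" behaviour.

```python
import re

# Constructed sample input: "hping B -r" reply lines in the format quoted above.
# QUIET: nothing but our probes reached Host B.  BUSY: a spoofed SYN to an open
# port on Host C made B answer with RSTs between our probes.  RANDOM: a host
# that picks a fresh random IP ID for every packet (hypothetical values).
QUIET = """\
60 bytes from www.xxx.yyy.zzz: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
"""
BUSY = """\
60 bytes from www.xxx.yyy.zzz: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
"""
RANDOM = """\
60 bytes from www.xxx.yyy.zzz: flags=RA seq=0 ttl=64 id=9137 win=0 time=80 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=1 ttl=64 id=+28411 win=0 time=79 ms
60 bytes from www.xxx.yyy.zzz: flags=RA seq=2 ttl=64 id=+6044 win=0 time=81 ms
"""

# With -r hping prints the first id absolutely and every later one as +N,
# the change since the previous reply; banner and blank lines never match.
REPLY = re.compile(r"\bseq=(\d+)\b.*\bid=(\+?\d+)\b")
COUNTER_MAX_STEP = 16  # assumed bound for a counter-like step (not from the post)

def id_increments(output):
    """Per-reply IP ID increments parsed from hping -r output."""
    steps = []
    for line in output.splitlines():
        m = REPLY.search(line)
        if m and m.group(2).startswith("+"):
            steps.append(int(m.group(2)))
    return steps

def foreign_packets(steps):
    """Packets the host sent to someone else while we probed it: each probe of
    ours accounts for exactly one increment of a global counter, the rest is other traffic."""
    return sum(s - 1 for s in steps)

def zombie_exposure(output):
    """Defender's check of one hping -r window: (usable_as_silent_host, foreign_packets).
    Usable when every step is small and counter-like (the unpatched kernel gives
    exactly 1, the patch below 1 to 16); per-packet random ids jump by thousands."""
    steps = id_increments(output)
    exposed = bool(steps) and all(1 <= s <= COUNTER_MAX_STEP for s in steps)
    return exposed, (foreign_packets(steps) if exposed else None)
```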

A patch for Linux, that prevents a Linux machine from being used as a silent computer, follows: ------------------------------------------------------------------------------ --- ip_output.c. Fri Apr 17 16:42:38 1998 +++ ip_outout.c.patched Fri Apr 17 17:17:15 1998 at at -32,2 +32,3 at at * Juan-Mariano de Goyeneche traffic generated locally. - */ + * awgn roofing: to prevent _ip abuse_ as third in hscan. + */ at at -42,4 +42,5 at at #include #include +#include
#include at at -451,3 +451,4 at at { + u_char rand_step; unsigned int tot_len; struct iphdr *iph; at at -485,3 +485,5 at at case 1: iph->id = htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); } at at -637,3 +637,4 at at { + u_char rand_step; struct rtable *rt; unsigned int fraglen, maxfraglen, fragheaderlen; at at -754,4 +754,6 at at iph->id=htons(ip_id_count++); + (void) get_random_bytes(&rand_step,1); + ip_id_count += ( rand_step & 0x0f ); iph->frag_off = 0; iph->ttl=sk->ip_ttl; iph->protocol=type;
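Review bot: the two hunks that add `ip_id_count += ( rand_step & 0x0f );` after `iph->id = htons(ip_id_count++);` only stretch the per-packet step to a value between 1 and 16, so a prober that averages the observed `id=+N` deltas over many probes can still tell an extra RST from none; the comment added in the first hunk should say that this weakens the bounce rather than prevents it, and a single static helper would avoid carrying the same two lines in both functions. The header name in the `+#include` line of the `-42,4 +42,5` hunk is not visible in the page's text, so the patch cannot be applied as shown, and the `+++` file name reads `ip_outout.c.patched` rather than `ip_output.c`.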


------------------

Interceptor