Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Changing Source Port For Nmap Idle Scan

from [Joachim Schipper] Network Security [Permanent Link]
Subject: Re: Changing Source Port For Nmap Idle Scan
Date: Mon, 28 Mar 2005 21:02:08 +0200 
On Mon, Mar 28, 2005 at 02:50:47AM -0000, SecureHacK wrote:



Hello  I have a quick question I have been experimenting with idle scanning 
and I have read the paper on it and I have an understanding of what goes on 
during the process I am also an avid nmap user.What I am trying to figure out 
is is there anyway to change the port to use during the idle scan by default 
it's port 80 so using the -g option it should change the source port to 
whatever I want I have used this option but it still only uses port 80 is 
this changeable? For example find a machine with port 139 open could we 
change our source port to 139 and use that?

                                        Cheers


It's in TFMP (for 3.75 at least), see the following snippet (in
particular the last pararaph) from nmap(1):

       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows for a truly blind TCP
              port scan of the target (meaning no packets are sent to the tar-
              get  from your real IP address).  Instead, a unique side-channel
              attack exploits predictable "IP fragmentation ID" sequence  gen-
              eration  on  the zombie host to glean information about the open
              ports on the target.  IDS systems will display the scan as  com-
              ing  from  the  zombie machine you specify (which must be up and
              meet certain criteria).  I wrote an informal  paper  about  this
              technique at http://www.insecure.org/nmap/idlescan.html .

              Besides   being  extraordinarily  stealthy  (due  to  its  blind
              nature), this scan type permits mapping out IP-based trust rela-
              tionships  between  machines.  The port listing shows open ports
              from the perspective of the zombie host.  So you can  try  scan-
              ning  a  target  using  various  zombies that you think might be
              trusted (via router/packet filter  rules).   Obviously  this  is
              crucial  information  when  prioritizing attack targets.  Other-
              wise, you penetration testers might have to expend  considerable
              resources "owning" an intermediate system, only to find out that
              its IP isn't even trusted by the  target  host/network  you  are
              ultimately after.

              You  can  add  a  colon followed by a port number if you wish to
              probe a particular port on the zombie  host  for  IPID  changes.
              Otherwise  Nmap  will  use  the port it uses by default for "tcp
              pings".

Good luck,

                Joachim
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Changing Source Port For Nmap Idle Scan, SecureHacK
Next by Date:  Nessus Plugins, Dan Tesch
Previous by Thread:  Changing Source Port For Nmap Idle Scan, SecureHacK
Next by Thread:  RE: Changing Source Port For Nmap Idle Scan, Omar Herrera
Indexes:  [Date] [Thread] [Top] [All Lists]