All,
Quick question. I was recently reading a blog post at
http://dmiessler.com/study/synpackets/ and realized I need to brush up on
which scanners out there on Windows & linux by default use raw vs connect()
packets. The issue is that raw socket packets have a differing length and
that many products are coded to look for raw socket packets (44 bytes) and
treat them differently than connect() packets (60 bytes). There are also
some cases where I want to use raw sockets for certain scan-types and not be
stuck with connect()'s and/or I want consistent results across scans
regardless if connect() or raw sockets are used.
On the linux side, anyone know which scanners modify the raw socket packet
creation to craft 60 byte packets to mimic exactly the typical connect()
packet to get around products which are smart enough to tell the difference
and change behaviors accordingly?
I know that with XP SP2 Microsoft removed raw sockets and there was a
workaround that was subsequently broken with MS05-019 & later patches, and
that 2k3 server you can still utilize raw sockets. What's the latest scoop
on windows scanners in this regard and the linux question above?
I could run the testing myself but wondered if list members already had the
jump on it. If not... Looks like I have some late nights ahead of me :)
--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
