Archive for August, 2007
Semi-Idle Scanning
by mjw on Aug.10, 2007
The concept of idle scanning has been around for quite a while. I’m not sure how many people really understand it, but the basic principle is to send a SYN packet to a target host with the source IP spoofed to that of an idle host, and then watch that idle host’s IPID field. Generally the IPID increments by one every time a host sends a packet, so if the host is known to be idle, its IPID increases by one when the target responds to the spoofed packet with a SYN-ACK (the idle host answers the unexpected SYN-ACK with a RST). The details of this can be found at http://insecure.org/nmap/idlescan.html
However, it’s been my experience that most hosts are very seldom truly idle. Far more often they are almost idle. This screws up idle scanning, but the technique should still work in principle; you just have to be a little trickier. Instead of waiting for a host to become idle, ping it regularly and establish a “heartbeat”, the rate at which its IPID normally climbs. If the heartbeat is fairly stable you can perform what I’m calling semi-idle scanning. Instead of sending one spoofed packet, send a statistically significant burst. If the heartbeat jumps sufficiently, then you know the target host responded to the semi-idle host and therefore the port was open.
Right now I’ve only significantly tested this with hping2, but I’m working on writing a wrapper around nmap’s idle_scan.c. Currently it seems to work, but I’m only thresholding the values rather than using statistics. Really, I should compute the average heartbeat and its standard deviation, then send a burst and see whether the resulting jump exceeds the deviation. In that case the host doesn’t even need to be semi-idle; its traffic only needs to be statistically constant. However, this method is fairly slow, so anything beyond “semi-idle” is REALLY slow.
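The statistics described above, as an added Python sketch that is mine rather than the author’s hping2 experiments or the promised nmap wrapper: a baseline heartbeat from sampled IPIDs, a z-score verdict for one burst, and the same numbers read the defender’s way, as a check of whether a host’s IPID sequence is predictable enough to be abused as a zombie (per-packet IPID randomization makes the heartbeat noise swamp any burst). The IPID sequences are constructed, not captured, and nothing is sent on the wire.

```python
"""Statistics behind the semi-idle test: baseline heartbeat, burst verdict, and
a defender's check of whether a host's IPID sequence is predictable enough
to be abused as a zombie. Pure arithmetic on sampled IPID values; nothing is sent."""
import math
from statistics import mean, pstdev

IPID_MOD = 1 << 16  # the IP identification field is 16 bits, so deltas must wrap

def ipid_deltas(samples):
    """Per-interval IPID increments between consecutive probe replies, modulo 2**16."""
    return [(b - a) % IPID_MOD for a, b in zip(samples, samples[1:])]

def heartbeat(samples):
    """Mean and population std-dev of the per-interval IPID increase (the 'heartbeat')."""
    deltas = ipid_deltas(samples)
    return mean(deltas), pstdev(deltas)

def burst_verdict(baseline, burst_delta, sigmas=3.0):
    """Given baseline IPID samples and the IPID jump seen across one burst interval,
    return (anomalous, z): anomalous is True when the jump exceeds the heartbeat by
    more than `sigmas` standard deviations, i.e. the zombie sent extra RSTs because
    the target answered the burst with SYN-ACKs."""
    mu, sigma = heartbeat(baseline)
    excess = burst_delta - mu
    if sigma == 0.0:  # truly idle host: classic idle scan, any excess at all is signal
        return excess > 0, (math.inf if excess > 0 else 0.0)
    z = excess / sigma
    return z > sigmas, z

def zombie_usable(samples, burst_size, sigmas=3.0):
    """Defender's view: could a burst of `burst_size` SYNs be told apart from this
    host's normal IPID noise? False means the host is a poor zombie (e.g. randomized IPIDs)."""
    _, sigma = heartbeat(samples)
    return burst_size > sigmas * sigma

# Constructed sample data (not real captures).
SEMI_IDLE = [1000, 1003, 1006, 1008, 1012, 1015, 1018, 1020, 1024, 1027, 1030]  # ~3 per interval
TRULY_IDLE = [500, 500, 500, 500, 500]
RANDOMIZED = [12093, 50231, 4021, 33010, 61000, 9001]  # per-packet IPID randomization

if __name__ == "__main__":
    mu, sigma = heartbeat(SEMI_IDLE)
    print(f"heartbeat: mean={mu:.1f} sd={sigma:.2f}")
    print("burst of 20, jump 24 ->", burst_verdict(SEMI_IDLE, 24))  # (True, ~33.2)
    print("burst of 20, jump 3  ->", burst_verdict(SEMI_IDLE, 3))   # (False, 0.0)
    print("semi-idle host usable as zombie:", zombie_usable(SEMI_IDLE, 20))        # True
    print("randomized-IPID host usable as zombie:", zombie_usable(RANDOMIZED, 20))  # False
```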
Thoughts? Comments?
Source code to come shortly….
How Hacking Dies…. to thunderous applause
by mjw on Aug.10, 2007
This year was my first time attending BlackHat. I’ve gone to Defcon several times before and I’ve generally enjoyed the experience. However, I was able to get BH expensed this year and went along.
Initially I was quite impressed. Caesar’s is FAR nicer than Alexis Park or the Riviera. Lunch was excellent and the talks were very comfortable. The parties were awesome and in general I can’t complain at all about the location/setup.
Unfortunately, the speakers just didn’t deliver. There was no exceptional work this year such as exploiting Cisco routers or 0-days for some major software. I can handle the lack of exceptional. If everything were exceptional, then exceptional would just be ordinary. I had expected the types of talks I’d heard at Defcon in years past. The speakers are usually the same, so shouldn’t the talks be about the same?
The answer is definitely ‘no’. The audience was mostly managers and other suits, so the talks tended to be non-technical or product focused. I think the low point was Greg Hoglund’s talk. Greg is an exceptional person; he’s written several of the best books in the Offensive Security sphere. He was talking about exploiting MMORPGs (and you can’t get much cooler than that), but 95% of the talk was just a sales pitch for HBGary’s Inspector, which I’m sure is a cool product, but I can’t afford it and I don’t want to hear about it.
So in that room and to thunderous applause of the sales pitch, Hacking died at BH07.
IRKED
by mjw on Aug.09, 2007
For the first time, I’m really truly IRKED at the iPhone. I just got back from Vegas (BH/Defcon) and I applied the patch to my phone. Because I had hacked it up, it re-imaged the thing. I thought that was fine, as I had synched it moments before. Unfortunately, it did NOT synch the “Photo Roll”, all the pictures that I took on the iPhone. They’re ALL completely gone!