proposal of ports

Luigi Pizzirani l.pizzira at virgilio.it
Wed Sep 1 02:56:11 PDT 2004


Hi, my name is Luigi. I would like to show you two pieces of code of mine: the first is a spoofed portscanner that uses Antirez's IP ID bug (i.e. the incremental ID field of certain TCP/IP stacks on some zombie machine) to forge the source IP address (you can find a paper on this at http://www.securitydate.it/SD2004/ - sorry, it's in Italian, but if you are interested I can translate it). Here is an example of this tool:

worklab# ./spoofscan -a www.kernel.org -s 62.211.32.82 -l 78 -h 82 -n 6 -t 300000
Stealth Scan by Luigi Pizzirani.
Warning!!! This is a stealth portscanner based on the requirements that the host we are using for our spoof has no traffic, has not random IP id and we have all firewalls down. Anyway, being this scanner stealth, it is far from being 100% reliable. Enjoy it.
DISCLAIMER!!! IP SPOOFING, AS ANY KIND OF FORGEMENT IS AN ILLEGAL PRACTICE. USE THIS SCANNER ONLY FOR TESTING PURPOSES AND ON YOUR LOCAL AREA NETWORK. IN NO EVENT I CONSIDER MYSELF LIABLE FOR ANY ABUSE OF THIS PROGRAM.
Id sequence relative to 62.211.32.82: 564 565 566 567 568 569
It seems that host 62.211.32.82 has no traffic: excellent!!!
Id sequence relative to port 78 of host www.kernel.org via 62.211.32.82: 570 571 572 573 574 575 Hmmm...looks like 78 is closed.
Id sequence relative to port 79 of host www.kernel.org via 62.211.32.82: 576 577 579 581 583 585 Hmmm...looks like 79 is OPEN.
Id sequence relative to port 80 of host www.kernel.org via 62.211.32.82: 594 595 597 599 600 602 Hmmm...looks like 80 is OPEN.
Id sequence relative to port 81 of host www.kernel.org via 62.211.32.82: 612 613 614 615 616 617 Hmmm...looks like 81 is closed.
Id sequence relative to port 82 of host www.kernel.org via 62.211.32.82: 618 619 620 621 622 623 Hmmm...looks like 82 is closed.
Ports of www.kernel.org that look like open: 79(finger), 80(http).
worklab#

The second one is a tool that uses ARP poisoning, which I presented at MOCA (http://camp.olografix.org), to handle a scenario like this: we have a LAN and we want to offer connectivity to everyone coming here with his laptop, for example. It could happen that our customer already has his network parameters configured to work correctly in his own LAN, but they do not work here. We can then have this scenario:

Customer's host (10.0.0.2/8 and default gateway set to 10.0.0.1)     Our LAN (192.168.0.0/24 with real gateway 192.168.0.254).

All that we want is that our customer plugs in his laptop and joins the internet without changing any of his network parameters.

Here comes this tool, installed on my real gw (192.168.0.254).

It's a sort of sniffer, because it sniffs broadcast ARP requests for the gateway and answers that the gateway is itself.

In our example our customer's laptop sends this request:
arp who-has 10.0.0.1 tell 10.0.0.2

Now our gateway does the following:

1) Sends back this reply to 10.0.0.2: 
arp reply 10.0.0.1 is-at his_mac_address

2) Creates the alias 10.0.0.254 (ARP is not routable, so we need one alias for each subnet that is not our own)

3) Sends itself an ARP reply to refresh its ARP cache
 
It is different from proxy ARP for two reasons: first, it runs in user space; second, in this case we can plug in machines belonging to whatever subnet, while proxy ARP is used in the case of only two different ones.

Hoping that this stuff may be of your interest, I am looking forward to having some answers and comments about this code and its eventual inclusion in the ports collection.

Best regards

Luigi (sviat).
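The IP ID idle scan the post's spoofscan output illustrates, as an added example that is not the attached spoofscan.c: a constructed model of a zombie whose stack hands out IP IDs from one global counter, a target that answers SYN with SYN/ACK (open) or RST (closed), and a scanner that reads the zombie's ID between spoofed SYNs. The host names, addresses, packet dicts and synchronous delivery are assumptions made for the simulation; the classification rule (+1 per probe means closed, +2 means open, anything else means the zombie was not idle) is the one the post's ID sequences show.

```python
"""Simulation of the IP-ID idle scan ("Antirez bug") behind spoofscan.

Added example with a constructed network model: packets are dicts and
delivery is synchronous. It is not the code attached to the post.
"""
from dataclasses import dataclass


@dataclass
class Zombie:
    """Host whose stack assigns IP IDs from one global counter, +1 per packet."""
    ip: str
    next_id: int                      # next IP ID the stack will use

    def emit(self) -> int:
        """Every packet the zombie sends burns one ID; return the ID it used."""
        used = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        return used

    def receive(self, pkt: dict):
        # An unsolicited SYN/ACK is answered with a RST (one ID consumed);
        # a stray RST is dropped silently, so no ID is consumed.
        if pkt["flags"] == "SYN/ACK":
            return {"src": self.ip, "dst": pkt["src"], "flags": "RST", "id": self.emit()}
        return None


@dataclass
class Target:
    """Host being scanned: SYN/ACK on open ports, RST on closed ones."""
    ip: str
    open_ports: frozenset

    def receive(self, pkt: dict):
        if pkt["flags"] != "SYN":
            return None
        flags = "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


class Network:
    """Delivers a packet to the host owning pkt['dst']; returns its reply, if any."""
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}

    def deliver(self, pkt: dict):
        host = self.hosts.get(pkt["dst"])
        return host.receive(pkt) if host else None


def probe_zombie_id(net, scanner_ip, zombie_ip) -> int:
    """Read the zombie's current IP ID: send it a SYN/ACK, take the ID off its RST."""
    rst = net.deliver({"src": scanner_ip, "dst": zombie_ip, "flags": "SYN/ACK"})
    return rst["id"]


def id_steps(ids):
    """Differences between consecutive IDs, modulo the 16-bit field."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def zombie_is_quiet(ids) -> bool:
    """Usable zombie: IDs advance by exactly 1 between our own probes."""
    return len(ids) >= 2 and all(s == 1 for s in id_steps(ids))


def idle_scan_port(net, scanner_ip, zombie_ip, target_ip, port, probes=6):
    """Probe one port through the zombie; return the ID sequence we observed."""
    ids = []
    for _ in range(probes):
        # SYN with the zombie's address as source: the target answers the zombie, not us.
        reply = net.deliver({"src": zombie_ip, "dst": target_ip, "dport": port, "flags": "SYN"})
        if reply is not None:
            net.deliver(reply)        # SYN/ACK -> zombie RSTs (burns an ID); RST -> ignored
        ids.append(probe_zombie_id(net, scanner_ip, zombie_ip))
    return ids


def classify(ids) -> str:
    """+1 per probe: only our probe reached the zombie -> closed.
    +2 per probe: our probe plus the zombie's RST to the target's SYN/ACK -> open.
    Anything else: the zombie had other traffic, so the result is unreliable."""
    steps = id_steps(ids)
    if steps and all(s == 1 for s in steps):
        return "closed"
    if steps and all(s == 2 for s in steps):
        return "open"
    return "unknown"


def scan(net, scanner_ip, zombie_ip, target_ip, ports, probes=6):
    """Check that the zombie is idle, then scan each port: {port: (ids, verdict)}."""
    baseline = [probe_zombie_id(net, scanner_ip, zombie_ip) for _ in range(probes)]
    if not zombie_is_quiet(baseline):
        raise RuntimeError(f"zombie {zombie_ip} has traffic or random IDs: {baseline}")
    results = {}
    for port in ports:
        ids = idle_scan_port(net, scanner_ip, zombie_ip, target_ip, port, probes)
        results[port] = (ids, classify(ids))
    return results


if __name__ == "__main__":
    # Constructed scenario mirroring the post's run: zombie at 564, ports 79/80 open.
    net = Network([Zombie("62.211.32.82", 564), Target("www.kernel.org", frozenset({79, 80}))])
    for port, (ids, verdict) in scan(net, "10.1.1.1", "62.211.32.82", "www.kernel.org", range(78, 83)).items():
        print(f"port {port}: {' '.join(map(str, ids))} -> {verdict}")
```

The ID sequence the scanner sees for an open port starts one higher than in the post's output because this model lets the zombie answer the target before the scanner's own probe goes out; the step pattern, which is all the verdict depends on, is the same. Any other host talking to the zombie during the scan breaks the pattern, which is why the check on the baseline sequence comes first and why the post's warning calls the method less than 100% reliable.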
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoofscan.c
Type: application/octet-stream
Size: 14038 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20040901/52444c04/spoofscan.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sasp.c
Type: application/octet-stream
Size: 10943 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20040901/52444c04/sasp.obj
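The three-step ARP exchange the post describes for its gateway tool, as an added example that is not sasp.c: it parses a sniffed who-has request, builds the is-at reply that claims the expected gateway address for our MAC, derives the alias the gateway must configure, and builds the reply the gateway sends itself. The post does not state how the tool decides which requests to answer, which alias to pick, or which entry the self-addressed reply refreshes; the example assumes a request is answered when the address asked for is outside our own subnet, that the alias is host .254 of the requester's /24 (matching 10.0.0.254 for a client at 10.0.0.2), and that the self-reply installs the client's IP-to-MAC mapping. MAC addresses are constructed; frame layout follows RFC 826 for IPv4 over Ethernet.

```python
"""Model of the gateway-claiming ARP responder described in the post.

Added example, not the attached sasp.c. Frames are built and parsed in
memory; sending and sniffing on a real interface are left out.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac) -> bytes:
    """One Ethernet frame carrying one IPv4-over-Ethernet ARP packet."""
    eth = ETH_HDR.pack(dst_mac, sender_mac, ETH_P_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """ARP fields of a frame as a dict, or None if it is not IPv4 ARP over Ethernet."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(dst), "op": op,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class GatewayResponder:
    """Runs on the real gateway: answers who-has for gateways of foreign subnets."""

    def __init__(self, our_mac: str, our_subnet: str):
        self.our_mac = our_mac
        self.our_subnet = ipaddress.ip_network(our_subnet)
        self.aliases = set()      # addresses the gateway must configure, one per foreign subnet

    def handle(self, frame: bytes):
        """Process one sniffed frame: (reply_to_client, alias, reply_to_self) or None."""
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        if ipaddress.ip_address(req["tpa"]) in self.our_subnet:
            return None           # ordinary ARP on our own LAN: stay out of it (assumed policy)
        client_mac = mac_bytes(req["sha"])
        # 1) tell the client that the gateway it expects (tpa) lives at our MAC
        reply = build_arp(ARP_REPLY, mac_bytes(self.our_mac), req["tpa"],
                          client_mac, req["spa"], dst_mac=client_mac)
        # 2) alias in the client's subnet: host .254 of its /24 (assumption, the post shows 10.0.0.254)
        client_net = ipaddress.ip_network(f"{req['spa']}/24", strict=False)
        alias = str(client_net.network_address + 254)
        self.aliases.add(alias)
        # 3) reply addressed to ourselves so our cache learns client IP -> client MAC (assumption)
        self_reply = build_arp(ARP_REPLY, client_mac, req["spa"],
                               mac_bytes(self.our_mac), alias, dst_mac=mac_bytes(self.our_mac))
        return reply, alias, self_reply


if __name__ == "__main__":
    # Constructed request matching the post: "arp who-has 10.0.0.1 tell 10.0.0.2".
    request = build_arp(ARP_REQUEST, mac_bytes("00:11:22:33:44:55"), "10.0.0.2",
                        b"\x00" * 6, "10.0.0.1", BROADCAST_MAC)
    gw = GatewayResponder("aa:bb:cc:dd:ee:ff", "192.168.0.0/24")
    reply, alias, self_reply = gw.handle(request)
    r = parse_arp(reply)
    print(f"arp reply {r['spa']} is-at {r['sha']} (to {r['eth_dst']}); alias {alias}")
```

On a real FreeBSD gateway the frames would be read from and written to the interface through BPF and the alias added with ifconfig; the example stops at the frames themselves. The responder deliberately ignores requests for addresses inside its own subnet: answering those would poison the ARP caches of hosts that are correctly configured, which is the same mechanism used as an attack, so a tool like this belongs only on a network whose operator has chosen to run it.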