proposal of ports

Luigi Pizzirani l.pizzira at virgilio.it
Mon Aug 30 06:27:59 PDT 2004


Hello, my name is Luigi and I am writing to you because I would like
you to take a look at two codes of mine. The first is a spoofed
portscanner that uses the id bug discovered by Antirez to spoof our
machine. This is an example of its use:
worklab# ./spoofscan -a www.kernel.org -s 62.211.32.82 -l 78 -h 82 -n 6 -t 300000
Stealth Scan by Luigi Pizzirani.
Warning!!! This is a stealth portscanner based on the requirements that
the host we are using for our spoof has no traffic, has not random IP id
and we have all firewalls down. Anyway, being this scanner stealth, it
is far from being 100% reliable. Enjoy it.
DISCLAIMER!!! IP SPOOFING, AS ANY KIND OF FORGEMENT IS AN ILLEGAL PRACTICE.
USE THIS SCANNER ONLY FOR TESTING PURPOSES AND ON YOUR LOCAL AREANETWORK.
IN NO EVENT I CONSIDER MYSELF LIABLE FOR ANY ABUSE OF THIS PROGRAM.
Id sequence relative to 62.211.32.82: 564 565 566 567 568 569
It seems that host 62.211.32.82 has no traffic: excellent!!!
Id sequence relative to port 78 of host www.kernel.org via 62.211.32.82: 570 571 572 573 574 575
Hmmm...looks like 78 is closed.
Id sequence relative to port 79 of host www.kernel.org via 62.211.32.82: 576 577 579 581 583 585
Hmmm...looks like 79 is OPEN.
Id sequence relative to port 80 of host www.kernel.org via 62.211.32.82: 594 595 597 599 600 602
Hmmm...looks like 80 is OPEN.
Id sequence relative to port 81 of host www.kernel.org via 62.211.32.82: 612 613 614 615 616 617
Hmmm...looks like 81 is closed.
Id sequence relative to port 82 of host www.kernel.org via 62.211.32.82: 618 619 620 621 622 623
Hmmm...looks like 82 is closed.
Ports of www.kernel.org that look like open: 79(finger), 80(http).
worklab#

You can find a paper on it at http://www.securitydate.it/SD2004/ (sorry,
it is in Italian :-( , but if you are interested I will translate it).

The second code is a sort of sniffer that catches incoming ARP
requests for a gateway and answers that the gateway is itself. So if, for
example, we have a LAN with one machine having IP 10.0.0.2 and default
gateway 10.0.0.4, another with 1.2.3.4/1.2.3.6, and the real gw is
192.168.0.254, this tool (installed on the gateway 192.168.0.254) sniffs
for example the ARP request "ARP who-has 1.2.3.6 tell 1.2.3.4" and
replies to 1.2.3.4 with "ARP reply: 1.2.3.6 is-at my_mac_address" (a
sort of ARP poisoning); then it creates the alias 1.2.3.254 (ARP is not
routable) and updates its own ARP cache with the couple
1.2.3.4/his_mac_address by sending itself an ARP reply. This tool can be
useful, for example, if a hotel wants to offer connectivity to customers
coming with their laptops that do not have DHCP configured but their own
IP address instead, and they don't know how to / don't want to change their LAN
parameters. With it they simply plug and go. It could be confused
with proxy ARP, but there are two fundamental differences: this one runs
in userspace and, unlike proxy ARP, which works only with two subnets, this
one works with all of them.

I would be very happy if you would take a look at these two codes and tell me
your opinion and what you think about eventually making ports of
them.

Looking forward to a reply, my best regards.

Luigi.
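The behaviour described above (one box answering ARP for gateway addresses in several subnets, so that a known IP suddenly resolves to a new MAC) is exactly what a network defender would want to notice. The following is an added example, not Luigi's sasp.c or any code from the post: a minimal ARP reply parser and a watcher that flags an IP whose MAC changes and a MAC that answers for more addresses than expected. The MAC addresses, the frames and the threshold of two IPs per MAC are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP (RFC 826); None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": _mac(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac(tha), "tpa": str(IPv4Address(tpa))}

class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and report two anomalies:
    an IP whose MAC changes, and one MAC answering for more than max_ips
    addresses (max_ips is an assumed threshold; tune it per segment)."""
    def __init__(self, max_ips=2):
        self.ip_to_mac, self.mac_to_ips, self.max_ips = {}, defaultdict(set), max_ips
    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return []
        ip, hw, alerts = arp["spa"], arp["sha"], []
        old = self.ip_to_mac.get(ip)
        if old and old != hw:
            alerts.append(f"{ip} moved from {old} to {hw}")
        self.ip_to_mac[ip] = hw
        self.mac_to_ips[hw].add(ip)
        if len(self.mac_to_ips[hw]) > self.max_ips:
            alerts.append(f"{hw} answers for {sorted(self.mac_to_ips[hw])}")
        return alerts

def arp_reply(sha, spa, tha, tpa):
    """Construct an ARP reply frame for testing (constructed, not captured)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (h(tha) + h(sha) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + h(sha) + IPv4Address(spa).packed + h(tha) + IPv4Address(tpa).packed)

GW_MAC, REAL_MAC, HOST_MAC = "02:00:00:00:00:fe", "02:00:00:00:00:04", "02:00:00:00:00:02"
SAMPLE = [  # constructed frames; addresses follow the scenario in the post
    arp_reply(REAL_MAC, "10.0.0.4", HOST_MAC, "10.0.0.2"),     # genuine 10.0.0.4 answers
    arp_reply(GW_MAC, "192.168.0.254", HOST_MAC, "10.0.0.2"),  # gateway box, its own IP
    arp_reply(GW_MAC, "10.0.0.4", HOST_MAC, "10.0.0.2"),       # box now claims 10.0.0.4
    arp_reply(GW_MAC, "1.2.3.6", HOST_MAC, "1.2.3.4"),         # ...and 1.2.3.6 as well
]

def run_sample():
    w = ArpWatch()
    return [a for f in SAMPLE for a in w.observe(f)]
```

On a live segment the same `observe()` loop would be fed from a raw socket or a pcap; static ARP entries or DHCP snooping with dynamic ARP inspection are the usual mitigations once such replies are confirmed.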

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spoofscan.c
Type: application/octet-stream
Size: 14038 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20040830/672e62b8/spoofscan.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sasp.c
Type: application/octet-stream
Size: 10943 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20040830/672e62b8/sasp.obj
