[Dshield] Hiding IP's

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Mon Aug 22 18:37:18 GMT 2005


On Mon, 22 Aug 2005 10:29:07 +0530, Chandan said:
> Go for NMAP for HIDING your IP. You can get the details at
> http://www.insecure.org.

Please note that nmap's stealth mode is only useful for a *very*
limited set of things:

       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows for a truly blind TCP port scan
              of the target (meaning no packets are sent to the target from your real IP
              address). Instead, a unique side-channel attack exploits predictable "IP
              fragmentation ID" sequence generation on the zombie host to glean
              information about the open ports on the target. IDS systems will display
              the scan as coming from the zombie machine you specify (which must be up
              and meet certain criteria). I wrote an informal paper about this technique
              at http://www.insecure.org/nmap/idlescan.html .

              Besides being extraordinarily stealthy (due to its blind nature), this scan
              type permits mapping out IP-based trust relationships between machines. The
              port listing shows open ports from the perspective of the zombie host. So
              you can try scanning a target using various zombies that you think might be
              trusted (via router/packet filter rules). Obviously this is crucial
              information when prioritizing attack targets. Otherwise, you penetration
              testers might have to expend considerable resources "owning" an
              intermediate system, only to find out that its IP isn't even trusted by the
              target host/network you are ultimately after.

              You can add a colon followed by a port number if you wish to probe a
              particular port on the zombie host for IPID changes. Otherwise Nmap will use
              the port it uses by default for "tcp pings".

Of course, you need a suitable 3rd machine to bounce packets against.
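The "certain criteria" the man page mentions come down to the zombie's IP ID behaviour: a global, incrementing counter on an otherwise idle host leaks how many packets it sent to third parties. The following is an added example, not part of Valdis' message or of nmap's own code, that lets a defender judge from a handful of IP ID values observed from one of their own hosts whether it has that predictable pattern. The category names are modelled loosely on nmap's ipidseq buckets and the step thresholds are assumptions for this example.

```python
# Classify a host's IP ID sequence from a few observed packets, so a defender
# can tell whether one of their own boxes is the kind of predictable-IPID host
# an idle scan could use as a zombie.  Categories follow nmap's ipidseq buckets
# only loosely; the thresholds below are assumptions for this example.
from typing import List

IPID_MOD = 1 << 16          # the IP ID is a 16-bit header field, so deltas wrap


def ipid_deltas(ids: List[int]) -> List[int]:
    """Successive differences, modulo 2**16 to handle counter wrap-around."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int], max_step: int = 5) -> str:
    """Classify an observed IP ID sequence.

    max_step is the largest per-packet increment still treated as a simple
    counter; a truly idle host answering probes should step by exactly 1.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    if all(i == 0 for i in ids):
        return "all zeros"            # IP ID unused (e.g. DF set): nothing leaks
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"             # same non-zero value: no counter to read
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"          # global counter: reveals packets sent to others
    if all(d % 256 == 0 and 1 <= d // 256 <= max_step for d in deltas):
        return "broken little-endian incremental"   # byte-swapped counter, same leak
    if all(d < IPID_MOD // 2 for d in deltas):
        return "random positive increments"   # climbs, but step size is unpredictable
    return "randomized"               # no usable pattern: not a viable zombie


def zombie_capable(ids: List[int]) -> bool:
    """True when the sequence is predictable enough for an idle scan to read."""
    return classify_ipid(ids) in ("incremental", "broken little-endian incremental")


if __name__ == "__main__":
    # Constructed samples for illustration, not real captures.
    samples = {
        "old_box": [40001, 40002, 40003, 40004, 40005],   # classic global counter
        "wrapped": [65534, 65535, 0, 1, 2],                # counter wrap-around
        "le_box":  [0x0100, 0x0200, 0x0300, 0x0400],       # byte-swapped counter
        "modern":  [21873, 1094, 60211, 33977, 8042],      # per-packet random
        "df_only": [0, 0, 0, 0],                           # IP ID never set
    }
    for name, ids in samples.items():
        print(f"{name:8} {classify_ipid(ids):34} zombie-capable={zombie_capable(ids)}")
```

A host that classifies as "incremental" is only a useful zombie if it is also idle; a busy server's counter moves so fast that the side channel drowns in noise, but fixing the kernel to randomize IP IDs removes the leak regardless of load.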