[Dshield] Hiding IP's
Valdis.Kletnieks at vt.edu
Mon Aug 22 18:37:18 GMT 2005
On Mon, 22 Aug 2005 10:29:07 +0530, Chandan said:
> Go for NMAP for HIDING your IP. You can get the details
> http://www.insecure.org.
Please note that nmap's stealth mode is only useful for a *very*
limited set of things:
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind TCP port scan
of the target (meaning no packets are sent to the target from your real IP
address). Instead, a unique side-channel attack exploits predictable "IP
fragmentation ID" sequence generation on the zombie host to glean information
about the open ports on the target. IDS systems will display the scan
as coming from the zombie machine you specify (which must be up and meet
certain criteria). I wrote an informal paper about this technique at
Besides being extraordinarily stealthy (due to its blind nature), this scan
type permits mapping out IP-based trust relationships between machines. The
port listing shows open ports from the perspective of the zombie host. So
you can try scanning a target using various zombies that you think might be
trusted (via router/packet filter rules). Obviously this is crucial information
when prioritizing attack targets. Otherwise, you penetration testers
might have to expend considerable resources "owning" an intermediate system,
only to find out that its IP isn't even trusted by the target host/network
you are ultimately after.
You can add a colon followed by a port number if you wish to probe a particular
port on the zombie host for IPID changes. Otherwise Nmap will use the
port it uses by default for "tcp pings".
Of course, you need a suitable 3rd machine to bounce packets against.
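The man-page excerpt says the zombie "must meet certain criteria": its IP ID counter has to be predictable, which is exactly what an administrator can check on their own hosts. The helper below is an added example, not code from the original post or from nmap. It takes a list of IP ID values observed in successive replies from one host (the sequences here are constructed, not captured) and classifies the generation scheme; hosts reported as incremental are the ones that could serve as an idle-scan zombie and should have randomized or zero IP IDs enabled. The `MAX_STEP` tolerance is an assumed value, not something nmap documents.

```python
"""Classify a host's IP ID sequence as predictable or not.

Added example, independent of the original mailing-list post and of nmap.
Input: 16-bit IP ID values from successive replies of one host, in the
order received.  A host whose IDs advance by a small constant step is
predictable and therefore usable as an idle-scan zombie; the defensive
fix is to enable randomized (or constant-zero) IP ID generation.
"""
from typing import List

# Assumed tolerance: a lightly loaded host may emit a few unrelated packets
# between two of our probes, so consecutive IDs may differ by more than 1.
MAX_STEP = 10

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits wide and wraps around


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between successive IP IDs, modulo 2**16 so wraparound
    from 65535 back to 0 counts as a step of 1, not a huge negative jump."""
    return [(nxt - cur) % IPID_MODULUS for cur, nxt in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return a coarse class for the host's IP ID generation scheme.

    'insufficient-samples'       fewer than three IDs, no judgement possible
    'constant'                   every reply carries the same ID (e.g. always 0)
    'incremental'                small positive step each time: predictable
    'incremental-byte-swapped'   counter stored in the wrong byte order
                                 (steps of 256, 512, ...): still predictable
    'random'                     anything else
    """
    if len(ids) < 3:
        return "insufficient-samples"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_STEP for d in deltas):
        return "incremental"
    # A byte-swapped counter advances in units of 256 per packet.
    if all(d % 256 == 0 and 1 <= d // 256 <= MAX_STEP for d in deltas):
        return "incremental-byte-swapped"
    return "random"


def is_predictable(ids: List[int]) -> bool:
    """True when the host could be abused as an idle-scan zombie."""
    return classify_ipid(ids) in ("incremental", "incremental-byte-swapped")


if __name__ == "__main__":
    # Constructed sample sequences, labelled with what an admin should conclude.
    samples = {
        "plain counter":            [1000, 1001, 1002, 1003, 1004],
        "counter wrapping at 2^16": [65534, 65535, 0, 1],
        "byte-swapped counter":     [0x0100, 0x0200, 0x0300, 0x0400],
        "always zero":              [0, 0, 0, 0],
        "randomized":               [41231, 3, 60000, 12345],
    }
    for label, seq in samples.items():
        verdict = classify_ipid(seq)
        flag = "FIX: predictable" if is_predictable(seq) else "ok"
        print(f"{label:26s} -> {verdict:26s} {flag}")
```

Collect the IDs from a packet capture of replies your own host sends to a handful of probes (any reply type will do, the ID field is set per packet), then feed them in; a verdict of `incremental` or `incremental-byte-swapped` means the host meets the zombie criteria the excerpt alludes to and its IP ID generation should be changed.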