
List:       nmap-dev
Subject:    Blind scanning using Broadcast ARP
From:       "Josiah Zayner" <Josiah.Zayner () informony ! com>
Date:       2003-08-09 14:51:42

I don't know if you guys have ever heard or thought of this,
but it just came to mind; maybe it could be implemented in
NMAP? Any questions, just email me.

--------------
Blind Scanning using ARP                         By Case
(phric@legions.org)


     Broadcast ARP scanning is based on the concept that
when a packet is sent from host A to nonexistent host B,
the host 1 hop before host B will send an ARP broadcast in an
effort to locate host B. Voila, commence BARP scans. So
we should now understand the basic concept and be able to
exploit this feature to perform blind port scans or ping
scans.

What we need
A nonexistent host on our subnet - Host None
A target host - Host Target
Us - Host Us

First we find a host on our subnet that does not exist, Host
None. Now we forge a FIN packet from Host None to our
target host. And we wait and listen for ARP broadcasts.

-Host Us sends TCP FIN or NULL, forged IP SRC of Host
None ---> Host Target
-Host Target sends TCP RST ---> Host in Route, 1 hop
before Host None
-Host in Route, 1 hop before Host None sends ARP
Broadcast ---> Now if we receive a broadcast looking for the
hardware address of Host None, we know that the target host
must have sent a packet back. Since FIN packets only return
RSTs when the ports are closed, we have found a closed port.
Now if on the next packet sent no ARP broadcast is snooped,
we know that the port is most likely open. The problem is
the scan can be narrowed down to your subnet; the benefit is
that it can be one of a number of computers.
Example using tcpdump and IP Sorcery. THANKS GUYS!

-Send packet to ssh: returns nothing, we can assume it is open
192.168.0.7.1993 > legions.org.ssh: F [tcp sum ok] 524637819:524637819(0) win 1346 (ttl 64, id 53339, len 40)

-Send packet to Telnet: it returns a RST; we know by the ARP
from the router
192.168.0.7.1993 > legions.org.telnet: F [tcp sum ok] 480732068:480732068(0) win 2957 (ttl 64, id 53332, len 40)

arp who-has 192.168.0.7 tell 192.168.0.1


Now we NMAP to verify our results

# nmap (V. 2.54BETA34) scan initiated Sun Jul 27 09:57:24 2003 as: nmap -sT -p22,23 www.legions.org
Interesting ports on mail.legions.org (66.12.11.166):
(The 1 port scanned but not shown below is in state: closed)
Port       State       Service
22/tcp     open        ssh

Remember though, Windows computers have features so this
doesn't work. Example code:
http://www.legions.org/~phric/arpscan.c
I'm a chunky monkey from funkytown...
Any question or comments email phric@legions.org.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
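The side channel described above is also visible to anyone watching the local segment: the gateway keeps broadcasting "who-has" for an address that nobody ever claims, right after TCP segments sourced from that same address. The following Python script is an added example, not part of the original post and not the referenced arpscan.c; it reads tcpdump -n style text and flags source IPs that send TCP probes, never answer ARP, and draw a gateway who-has within a short window of each probe. The sample capture is constructed for this example, modelled on the post's excerpt (192.168.0.7 as Host None, 192.168.0.1 as the gateway, 66.12.11.166 as the target); the correlation window and alert threshold are assumed values a defender would tune to their own segment.

```python
"""Heuristic detector for broadcast-ARP ("BARP") blind scans.

Added example; not from the original post. Reads tcpdump -n style text and
looks for the side channel the post describes: TCP segments sourced from an
IP on the local segment that nobody ever claims in an ARP reply, each followed
shortly by the gateway broadcasting "who-has" for that IP (the gateway is
trying to deliver the target's RST to a host that does not exist).
"""
import re
from collections import defaultdict

# tcpdump -n line formats (modern syntax); timestamps are HH:MM:SS.ffffff
TCP_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]')
ARP_WHOHAS_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Request who-has (?P<target>[\d.]+) '
    r'tell (?P<sender>[\d.]+)')
ARP_REPLY_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at')


def parse_ts(text):
    """'09:57:25.150000' -> seconds since midnight as a float."""
    h, m, s = text.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect_barp(lines, window=0.5, min_hits=2):
    """Return one alert per suspected spoofed (nonexistent) source IP.

    window:   max seconds between a probe and the gateway's who-has for its
              source address to count them as correlated (assumed: ~one RTT)
    min_hits: minimum correlated probes before alerting (assumed; suppresses
              a single stray packet from a host that is merely booting)
    """
    probes = defaultdict(list)    # src ip -> [(ts, dst, dport, flags)]
    who_has = defaultdict(list)   # target ip -> [(ts, asker)]
    answered = set()              # ips that replied "is-at": they exist

    for line in lines:
        m = TCP_RE.match(line)
        if m:
            probes[m['src']].append(
                (parse_ts(m['ts']), m['dst'], int(m['dport']), m['flags']))
            continue
        m = ARP_WHOHAS_RE.match(line)
        if m:
            who_has[m['target']].append((parse_ts(m['ts']), m['sender']))
            continue
        m = ARP_REPLY_RE.match(line)
        if m:
            answered.add(m['ip'])

    alerts = []
    for src, pkts in probes.items():
        if src in answered or src not in who_has:
            continue  # a real host, or the gateway never had to look for it
        queries = who_has[src]
        per_target = defaultdict(lambda: {'rst_inferred': [], 'no_rst': []})
        hits = 0
        for ts, dst, dport, flags in pkts:
            # a who-has for the spoofed source shortly after the probe means
            # the target answered (a RST the gateway could not deliver)
            followed = any(0 <= q_ts - ts <= window for q_ts, _ in queries)
            per_target[dst]['rst_inferred' if followed else 'no_rst'].append(dport)
            hits += followed
        if hits >= min_hits:
            alerts.append({
                'spoofed_src': src,
                'askers': sorted({asker for _, asker in queries}),
                'targets': {dst: {k: sorted(v) for k, v in d.items()}
                            for dst, d in per_target.items()},
            })
    return alerts


# Constructed sample capture (not real traffic), modelled on the post's
# tcpdump excerpt: 192.168.0.7 is the nonexistent host, 192.168.0.1 the
# gateway, 66.12.11.166 the target. 192.168.0.5 is a real host that
# answers ARP and must not be flagged.
SAMPLE = """\
09:57:24.100000 IP 192.168.0.7.1993 > 66.12.11.166.22: Flags [F], seq 524637819, win 1346, length 0
09:57:25.100000 IP 192.168.0.7.1993 > 66.12.11.166.23: Flags [F], seq 480732068, win 2957, length 0
09:57:25.150000 ARP, Request who-has 192.168.0.7 tell 192.168.0.1, length 28
09:57:26.100000 IP 192.168.0.7.1993 > 66.12.11.166.25: Flags [F], seq 11111, win 1000, length 0
09:57:26.150000 ARP, Request who-has 192.168.0.7 tell 192.168.0.1, length 28
09:57:30.000000 IP 192.168.0.5.40000 > 66.12.11.166.80: Flags [S], seq 1, win 65535, length 0
09:57:30.000500 ARP, Request who-has 192.168.0.5 tell 192.168.0.1, length 28
09:57:30.001000 ARP, Reply 192.168.0.5 is-at 00:11:22:33:44:55, length 28
"""

if __name__ == '__main__':
    for alert in detect_barp(SAMPLE.splitlines()):
        print(alert)
```

Run against the constructed capture, the script reports 192.168.0.7 as a spoofed source used against 66.12.11.166, with ports 23 and 25 answered (who-has followed the probe) and port 22 silent, which is exactly the information the scan leaks; 192.168.0.5 is ignored because it answered ARP. The "is-at" check is the important false-positive guard: a real host that was briefly asleep also triggers gateway who-has broadcasts, but it eventually replies. A sensor that can see Ethernet headers (tcpdump -e) can go further and attribute the forged segments to the MAC that actually transmitted them.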

