[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pen-test
Subject:    Re: Port Scanning.
From:       robert () dyadsecurity ! com
Date:       2004-12-22 20:47:12
Message-ID: 20041222204712.GA12782 () 5002 ! rapturesecurity ! org
[Download RAW message or body]

robert@dyadsecurity.com(robert@dyadsecurity.com)@Wed, Dec 22, 2004 at
> The only thing that isn't currently easy to do is TCP full connection
> payload injection from spoofed IP's.  We're working on a way to do
> that though :).

I know it's bad form to follow up on your own post...  What I was
talking about in the last email was a way to actually introduce the TCP
3-way handshake (connection) payload stimulous to the remote IP from a
spoofed source.  This is currently difficult on modern stacks.

However, many IPS/IDS's don't keep track of state, and you can actually
get the PSH/ACK TCP payload to trigger many IPS's from spoofed sources
now. By skipping the 3-way-handshake, the remote IP will obviously not
treat it as part of an established connection, but if IPS trigger DoS
was your goal, who cares.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
[prev in list] [next in list] [prev in thread] [next in thread]