November 12th, 2003 10:43 PM
It's a lot like steath bombing really.....
If you can get away with your life..... why not?
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
November 12th, 2003 10:44 PM
When you initiate a connection out, say to a web server (port 80), your client sets a port for the local side (usually > 1024). Older firewalls and less sophisticated firewalls, only looked at source and destination ports to keep track of the state of connections via ACL's. So if it saw a connection with a source port < 1024 (and that port was allowed in), it would assume it was a reply to an already established connection, and allow it to pass.
So what you could do to bypass the types of firewalls was set your source port to say 25 (smtp) and port scan through the firewall because the firewall would think that all of your packets were reply packets instead of connection requests. While this isn't the case any longer with firewalls, you can still slip into alot of networks masquerading as dns, smtp, http, etc because of poorly created ACL's...
Hmm...now that I am reading that I am not so sure I made much sense...
Let me know, I might have to try again...
As far as finding more sockets, if you can bypass the firewall...guess what?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
November 12th, 2003 11:10 PM
What if you were just scanning for web servers(port 80), could you make it to where it is like any normal request to the server, or do the scanners sort of have a, how do I say this, defining characteristic that makes it not seem to be a normal request? I guess I already know the answer to that which is they do sort of set off an alarm on the other side, I guess my real question is can you make it like any other request so it looks like you just want the web page? I ask because sometimes I like to scan for web servers run from residential areas, like mine is, just to see what they are serving. I have a web server with no domain name so it can only be reached with my ip and DNS from my isp(i don't know if the part about DNS is right). Would any of you frown on a scan on port 80(besides you Tiger Shark, I'd probably end up dead if I accidentally scanned your IP)?
November 13th, 2003 12:08 AM
Restating what nebulus200 said:
The way TCP servers work is thus:
The server has a well-known port upon which is runs. So port 80, for example. When you connect to the server on port 80, it then establishes back a connection to you on another port. This back connection is on a port number above 1024. ASCII art:
Now, cool firewalls keep track of connections, so they know that the connection from the server to the client on port 2841 was a response to the connection from the client to the server on port 80. This is known as stateful inspection.
|<--- 80 ----|
|-- 1025+ -->|
Older firewalls were stupid. The typical way they were configured was to allow any traffic at all over any port with a number greater than 1024. Otherwise, you couldn't connect to servers outside the firewall. So if you try to connect from port 25 on your machine to a high port on the victim machine, the firewall just thinks that the victim machine is sending email.
Answering h3r3tic's question:
The problem with just sending a "GET / HTTP/1.0" to port 80 of every IP address is that the firewall/IDS knows that you're not supposed to be connecting to port 80 of most of those IPs. So your scan is going to ring a lot more bells than if you were doing syn attempts, which some firewalls/IDSs won't notice.