ISP Client Scanning
Results 1 to 5 of 5

Thread: ISP Client Scanning

  1. #1
    Member
    Join Date
    Jun 2005
    Posts
    55

    ISP Client Scanning

    Hi,

    On a recent thread about ARP, I put forward that the host only subnet mask 255.255.255.255 should prevent someone sniffing traffic on your subnet. I may be wrong and look forward to being corrected if this is not the case.

    However, this led me on to think. How do hackers detect home PCs which are using ISPs? I guess there were two levels to that thought? One was 1) Why are the ISPs allowing scanning traffic through and 2) how does the scan work?

    I played around a little bit with ping trying to see if it would pick up any other IP addresses by incrementing and decrementing the last 32 bits of my IP address. This did produce a curious response i.e. in some cases I got 'host unreachable' whereas in others I got a time out response.

    This made me think that possibly the host existed but either a personal firewall on the host or the ISP sent a time out packet as a standard response to unwanted pings. If this was the case, then everytime I got a time out, it would suggest that this might be a PC. A hacker would then potentially be able to map these PCs and possibly by scanning reasonably frequently get a delta over time picture of who was attached on a permanent basis to the network and who drops on and off.

    Clearly the former would be more interesting than the latter in terms of then trying to penetrate and trojanise to create a zombie net.

    A UDP scan might also be needed to confirm results (especially since some personal firewalls at least would respond more positively (or negatively???) to this kind of scan). A more intrusive attack would be to try and connect to these potential hosts using telnet especially to non standard ports (likely to light up the personal firewall like a christmas tree) or simply keep scanning until you find someone dumb enough not to have a personal firewall before doing anything.

    The question then becomes how can I prevent this kind of scanning activity or at least make the responses less meaningful. I would suggest that one way which would be available to someone using an open source firewall would be to re-program it to give a destination unreachable response to any unwanted pings or UDP based tracert activity. However, this doesn't help with pre-package commercial firewalls? Any suggestions on customisation of host/port stealthing?

    But I think ultimately we should be making ISPs responsible to prevent scanning activities by reporting them and requiring blackballing of any repeat offenders (SYNNERS REPENT!)

    What really puzzles me however is why having detected my client and presumably discovered that I have a pretty reasonable personal firewall (Norton Symantec plus a bit of customisation of my own) that repeated attempts are made to trojanise my PC (normally the Bla trojan). Is this just automation gone wild or is someone really that dumb?
    No one can foresee the consequences of being clever.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    1) Why are the ISPs allowing scanning traffic through
    Becasue to stop the scanning they would need to close off every port. By doing that your connection will now be pointless since you wouldnt be able to do anything.

    2) how does the scan work?
    mosts scans are not done by just sending out a ping. The reason for this is becasue most attackers are looking to use a specific vulnerability if they are looking for a random host to attack, so they ping specific ports. you can set most port scanners to scan for port connectivity even if the host does not respond to a ping.

    or simply keep scanning until you find someone dumb enough not to have a personal firewall before doing anything.
    considering just about anyone scanning the open internet for random hosts is probably doesnt have a specific target in mind, chances are they are just looking for the easy hit, and this is exactly what they will do. And it would take a whole 30 seconds longer to find an unprotected host (and im being generous on that 30 second estimate)

    I put forward that the host only subnet mask 255.255.255.255 should prevent someone sniffing traffic on your subnet
    considering this is a massive broadcast address....then sniffing should be easier, not harder.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Member
    Join Date
    Jun 2005
    Posts
    55
    Originally posted here by XTC46

    mosts scans are not done by just sending out a ping. The reason for this is becasue most attackers are looking to use a specific vulnerability if they are looking for a random host to attack, so they ping specific ports. you can set most port scanners to scan for port connectivity even if the host does not respond to a ping.
    Sorry, my bad. I was think not so much of port scanning but of the basic ennumeration of hosts which needs to take place prior to scanning for a specific port vulnerability. What I was really trying to establish was how these hosts are mapped.


    considering just about anyone scanning the open internet for random hosts is probably doesnt have a specific target in mind, chances are they are just looking for the easy hit, and this is exactly what they will do. And it would take a whole 30 seconds longer to find an unprotected host (and im being generous on that 30 second estimate)
    I would have thought that most people, even the most dedicated command liners, do this using automated processes. Real hackers write their own of course, but everyone else script kiddies - which I find odd, if the tool is available why bother to write your own unless you think you can make a genuine improvement. I don't see many re-writes of l0phtcrack for example. But then perhaps people are afraid of Mudge and Hobbit turning up on their doorstep and agressively eating all their twinkies



    considering this is a massive broadcast address....then sniffing should be easier, not harder.
    Now I am lost. If I am using an ISP through ADSL/PPP, I thought

    a) that sniffing along the connection would be restricted to physically tapping the phone line and

    b) that wireless detection and usage of the network (if present) would be prevented by using a host only subnet mask e.g.


    Host IP: 168.229.10.1
    Subnet Mask: 255.255.255.255
    Default Gateway: 168.229.10.1

    Even if you had more than one host on the LAN side and it happened to be wireless, the ADSL connection (Je pense) could not be sniffed but it might be possible to nick an IP address in the network range and/or spoof both the MAC and IP addresses on the LAN (this assumes the jackass setting up the wireless LAN knows nothing about wireless security) and go on from there to use the ADSL connection via the default gateway.

    Of course, all of this is preventable by

    a) limiting the number of hosts on the LAN using subnet masking
    b) putting in place good practice wireless security

    It would therefore be as far as I can tell impossible to sniff the main ISP to client connection (because sniffing requires access to the local network segment). It would still be possible to carry out a man in the middle attack but not through ARP poisoning but rather through, for example,

    DNS cache poisoning
    IP spoofing

    both used in conjunction with a spoofed web page.
    No one can foresee the consequences of being clever.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    would have thought that most people, even the most dedicated command liners, do this using automated processes. Real hackers write their own of course, but everyone else script kiddies - which I find odd, if the tool is available why bother to write your own unless you think you can make a genuine improvement. I don't see many re-writes of l0phtcrack for example. But then perhaps people are afraid of Mudge and Hobbit turning up on their doorstep and agressively eating all their twinkies
    what I was getting at is about 90 percent of people who are just picking a target at random the way you are talking about is probably some loser. Most real "hackers" are looking for something specific, not just an open box on the net. If they are just looking for an open box then they are looking to use a certain exploit so they will just scan for oepn ports since they really dont care what they are attacking they will pick the easiest.


    Host IP: 168.229.10.1
    Subnet Mask: 255.255.255.255
    Default Gateway: 168.229.10.1
    go ahead and try using these settings...it wont work

    the subnetmask 255.255.255.255 hits every host in every subnet (if allowed to pass through the routers/firewalls correctly) Sniffing is done by intercepting data and then passing it on, anytime you broadcast its much easier to grab. Windows wont even allow you to enter that subnet, and a NIX box probably just wont work when its put in there.

    Sorry, my bad. I was think not so much of port scanning but of the basic ennumeration of hosts which needs to take place prior to scanning for a specific port vulnerability. What I was really trying to establish was how these hosts are mapped
    people dont try and map out the internet like that, its too big and a waste of time and resources. If an attacker is mapping out something chances are its going to be a corporate network, and then they still wont use just a standard ping. especially now that by default windows XP sp2 drops the pings it rather pointless. scanning for a port causes more noise but is much more effective, and if you scan over a long period of time (a few days for a few hosts on the network) you can be successful with little risk) port scanning itself is not illegal in the US so if you are just looking for an open host on the net then the only reason you would just blast out pings would be to find that unprotected box.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    Member
    Join Date
    Jun 2005
    Posts
    55
    The implication is then that the hacker sets up a script up to scan a range of hosts on a particular port which is likely to be open (one of the common ones that normally has to be open e.g. 53, 80, ? 443 ? 1743 or ports with known current vulnerabilities) etc and look for a response coming back. This serves to identify vulnerable hosts and allows for a more instaneous upload of the exploit which can be immediately uploaded and presumably all of this is done automatically. The hacker meantime is getting a Swedish manicure and will come back and pick up the results later.
    No one can foresee the consequences of being clever.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •