
Defeating Portscan Detection




::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::             .ooO Defeating Portscan Detection by Wyzewun Ooo.            ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::                                                                          ::
:: There are a variety of tools available for detecting Portscans on Unix   ::
:: systems, the most popular of which are probably Port Sentry by Psionic   ::
:: <http://www.psionic.com/tools> and scanlogd by Solar Designer, which can ::
:: be found somewhere on ftp.technotronic.com/unix                          ::
::                                                                          ::
:: This article will focus on defeating these utilities, but you may very   ::
:: well benefit from being familiar with them yourself. If you haven't      ::
:: looked at scanlogd or port sentry then I suggest you read T0uchT0ne's    ::
:: article in Issue Eight of Keen Veracity.                                 ::
::                                                                          ::
:: Basically, detecting a portscan done by someone with a brain is pretty   ::
:: hard unless you have a brain as well. ;) All portscan detection tools    ::
:: work on the same principle of just detecting SYNs, FINs or whatever,     ::
:: going to ports too fast. Look at this for example, from Solar Designer's ::
:: scanlogd 1.3 for Linux...                                                ::
::                                                                          ::
:: #define SCAN_COUNT_THRESHOLD            10                               ::
:: #define SCAN_DELAY_THRESHOLD            (CLK_TCK * 3)                    ::
::                                                                          ::
:: Most people won't modify this. Basically, it means that for the alarm to ::
:: be triggered, at least 10 ports must be scanned with no longer than      ::
:: SCAN_DELAY_THRESHOLD (CLK_TCK * 3, i.e. three seconds, since CLK_TCK is  ::
:: the number of clock ticks per second) between each port. A longer gap    ::
:: between two probes and the count starts over from zero.                  ::
::                                                                          ::
:: So, we could abuse that time-out function quite easily if we were to     ::
:: modify our portscanner (I'll take my own Portscan.java as an example     ::
:: because it is very simplistic and easy for someone with next to no       ::
:: knowledge of coding to understand ;P) to have just over that delay       ::
:: in between ports. (e.g. we hack the code of ScanThread.java)             ::
::                                                                          ::
::    for (;;) {             // Endless loop                                ::
::      port=sync.take();    // Get Port Number to scan                     ::
::                                                                          ::
::    for (;;i++) {          // Endless loop + Increment instance variable  ::
::      if (i == 9) {        // 10th port of this run                       ::
::        try { sleep(10000); }   // Wait 10 seconds                        ::
::        catch (InterruptedException e) { return; } // stop if woken       ::
::      i = 0; }             // And reset instance variable                 ::
::      port=sync.take();    // Get Port Number to scan                     ::
::                                                                          ::
:: And so our scan doesn't show up. ;P Of course, because this is a lame    ::
:: TCP/Connect Portscanner it will show up in files like /var/log/secure    ::
:: but not in the actual scanlogd logs. Were we to modify a SYN, FIN, XMAS  ::
:: or NULL portscanner, this would completely evade detection. Also note    ::
:: that this will only work if you run my scanner with *one* thread. The    ::
:: default of 20 will fuck things up. Bigtime. ;)                           ::
::                                                                          ::
:: Port Sentry is quite nice (And quite evil) in that it not only logs the  ::
:: scan, but adds the portscanner to /etc/hosts.deny so they cannot connect ::
:: to any further ports. It allows you to make a file called hosts.ignore   ::
:: so that people cannot spoof a scan as your upstream router and thus      ::
:: block your connection. BUT, you're not going to put the whole damn       ::
:: internet into your hosts.ignore, right? That's why we have killsentry.c  ::
:: by Vortexia in this issue - To show that automatic firewalling is a      ::
:: really dumb idea. :)                                                     ::
::                                                                          ::
:: As a rule of thumb, the longer you wait, the safer you are. Got time?    ::
:: Put in a fucking 2 minute delay, screen it, and log out. Also, TCP       ::
:: portscanners like Portscan.java or any Winblows portscanner won't be     ::
:: useful against hosts that have been actively secured. Why? Well, they    ::
:: could make a script that adds all connecters to Port 1 to hosts.deny     ::
:: with a few alterations to their /etc/inetd.conf (Don't know how to do    ::
:: this? Read Vortexia's article in FK3). Also, please note that a system   ::
:: like this is more secure than Port Sentry or whatever because connect()  ::
:: portscans can't be spoofed. (Well, there are other ways to mask them,    ::
:: such as abusing WinNT's bad TCP/IP sequencing or at least spoofing DNS   ::
:: but those are completely different stories)                              ::
::                                                                          ::
:: So, finally, the conclusion. You *cannot* stop people from portscanning  ::
:: you. You can get in their way, block them, send them abuse mail, do      ::
:: whatever the hell you like. But you cannot stop them. So, my suggestion  ::
:: would be not to bother chasing after portscanners as actively, and       ::
:: to spend your extra time making sure your system is secure to all those  ::
:: who actually managed to get their scans through. ;)                      ::
::                                                                          ::
::                               --=====--                                  ::
::                <walla_walla> whos elete?????????                         ::
::                <walla_walla> whos elete?????????                         ::
::                <walla_walla> whos elete?????????                         ::
::                         <M-|A> sowwy not me                              ::
::       <Pneuma> walla, no-one on this channel is called elete             ::
::       <Pneuma> we have an enoxier, thats probably the closest            ::
::         <Pneuma> but if there is, shame du0d, what a name                ::
::                            <M-|A> yeah                                   ::
::         <walla_walla> anyone a fairly good hacker here???                ::
::                               --=====--                                  ::
::                                                                          ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
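The scanlogd thresholds quoted in the article treat a portscan as a run of probes with no long gap between them. The following Python is an added example, not code from the article or from scanlogd itself: it replays that count/delay logic over constructed traffic (including the nine-probes-then-sleep pattern the article describes) and contrasts it with a sliding-window count that a single quiet gap does not reset. It assumes CLK_TCK * 3 works out to three seconds.

```python
from collections import deque

# Thresholds mirrored from the scanlogd 1.3 defines quoted in the article;
# CLK_TCK * 3 is taken as 3 seconds (assumption: CLK_TCK = 100 ticks/s).
SCAN_COUNT_THRESHOLD = 10
SCAN_DELAY_THRESHOLD = 3.0

def scanlogd_style(events, count=SCAN_COUNT_THRESHOLD, delay=SCAN_DELAY_THRESHOLD):
    """events: (timestamp_s, src_ip, dst_port) tuples. Returns sources that
    probe `count` distinct ports with no gap longer than `delay` seconds."""
    runs, alerts = {}, []
    for ts, src, port in sorted(events):
        last, ports = runs.get(src, (None, set()))
        if last is not None and ts - last > delay:
            ports = set()                   # quiet too long: the run restarts
        ports.add(port)
        if len(ports) >= count:
            alerts.append(src)
            ports = set()                   # report once, then begin a new run
        runs[src] = (ts, ports)
    return alerts

def sliding_window(events, count=SCAN_COUNT_THRESHOLD, window=600.0):
    """Same input. Counts distinct ports per source inside a `window`-second
    sliding window, so spacing probes apart no longer hides the scan."""
    hist, alerts = {}, []
    for ts, src, port in sorted(events):
        q = hist.setdefault(src, deque())
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # drop probes older than the window
            q.popleft()
        if len({p for _, p in q}) >= count:
            alerts.append(src)
            q.clear()
    return alerts

# Constructed sample traffic (not real captures). Ports are probed in order.
FAST = [(0.1 * i, "10.0.0.1", i) for i in range(1, 11)]      # 10 ports in ~1 s
PACED = [(4.0 * i, "10.0.0.2", i) for i in range(1, 11)]     # 4 s between ports
# Nine quick probes, a 10 s nap, then nine more: the article's sleep trick.
SLEEPER = [(0.1 * i + 10.0 * ((i - 1) // 9), "10.0.0.3", i) for i in range(1, 19)]

if __name__ == "__main__":
    for name, ev in (("fast", FAST), ("paced", PACED), ("sleeper", SLEEPER)):
        print(f"{name}: scanlogd-style={scanlogd_style(ev)} "
              f"sliding-window={sliding_window(ev)}")
```

Only the burst scan trips the scanlogd-style counter; the paced and sleeping scans are reported by the windowed count because it remembers ports across quiet gaps.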