Hello,

I was working on a new implementation of the IPID scan (also known as idle scan in the nmap man page, or pixie-scan as I call it). During my tests I think I discovered a new way to use this type of scan:

Synopsis
-------------
Using the gateway of a masqueraded network as a witness (relay host) for the pixie-scan allows remote scanning of the private network.

Details
-----------
On some stack implementations the IP ID field is incremental, so by sending a spoofed SYN packet to the gateway from a private network box and by comparing the IP ID value afterwards you could remotely know which services are open on this intranet computer even if this one is masqueraded. Of course the pixie-scan is a well known technique, but it is this utilisation that is new.

For more detail about the pixie-scan I have written a paper which will be available around tomorrow evening at the following url:
http://www.bursztein.net/secu/pixie.html

Affected version
-----------------------
I have tested the pixie-scan with success against:
- Win 2K service pack
- 3com Netbuilder

unsuccessful attempt:
- Linux 2.4.x

sincerely,
Elie aka "Lupin" Bursztein
___________________________
icq : 32228319
mail : secu@bursztein.net
web : www.bursztein.net/secu
___________________________
"He feel safe and at this very moment, I was lost... "
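The precondition the post relies on is a gateway whose IP ID field is a single global counter. The following is an added example, not the author's code and not from the pixie-scan paper: an auditing helper that takes a sequence of IP ID values observed from one of your own hosts (for instance captured from replies to a few pings) and classifies whether the stack exposes an incremental counter, handling 16-bit wraparound and the byte-swapped counter that some stacks send in host byte order (observed as steps of 256). The sample sequences and host names in `audit_ipid_behaviour` are constructed for illustration; the thresholds (steps of at most 10, or multiples of 256 up to 2560) are assumptions chosen for this example.

```python
"""IP ID sequence classifier for auditing your own gateway's stack (added example)."""
from typing import Dict, List

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits wide, so counters wrap at 65536

# Assumed thresholds for this example: a "normal" per-packet increment of 1..10,
# and a byte-swapped counter seen as multiples of 256 (1..10 increments in the
# other byte order).
MAX_PLAIN_STEP = 10
MAX_SWAPPED_STEP = 256 * MAX_PLAIN_STEP


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IP IDs, reduced modulo 2**16.

    Reducing modulo 2**16 makes 65535 -> 0 a step of 1 rather than -65535.
    """
    for value in ids:
        if not 0 <= value < IPID_MODULUS:
            raise ValueError(f"IP ID out of 16-bit range: {value}")
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids: List[int]) -> str:
    """Classify an observed IP ID sequence.

    Returns one of:
      "zero"                    every packet carries IP ID 0 (nothing to infer from)
      "constant"                non-zero but never changes
      "incremental"             global counter, small steps: usable as a witness
      "incremental-byteswapped" global counter sent in host byte order (steps of 256)
      "random"                  no usable pattern in this sample
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= MAX_PLAIN_STEP for d in deltas):
        return "incremental"
    if all(d % 256 == 0 and 256 <= d <= MAX_SWAPPED_STEP for d in deltas):
        return "incremental-byteswapped"
    return "random"


def is_usable_as_witness(ids: List[int]) -> bool:
    """True when the stack leaks a global counter, i.e. the weakness the post describes."""
    return classify_ipid_sequence(ids) in ("incremental", "incremental-byteswapped")


def audit_ipid_behaviour(samples: Dict[str, List[int]]) -> Dict[str, str]:
    """Classify several hosts at once; input maps a host label to its observed IP IDs."""
    return {host: classify_ipid_sequence(ids) for host, ids in samples.items()}


if __name__ == "__main__":
    # Constructed observations, not real captures.
    constructed = {
        "gateway-a": [100, 101, 102, 103, 104],          # plain global counter
        "gateway-b": [65533, 65534, 65535, 0, 1],        # counter wrapping at 2**16
        "gateway-c": [4096, 4352, 4608, 4864],           # byte-swapped counter
        "gateway-d": [12345, 3, 54321, 7, 999],          # randomised IDs
        "gateway-e": [0, 0, 0, 0],                       # always zero
    }
    for host, verdict in audit_ipid_behaviour(constructed).items():
        flag = "WITNESS-CAPABLE" if verdict.startswith("incremental") else "ok"
        print(f"{host}: {verdict} ({flag})")
```

A host reported as `incremental` or `incremental-byteswapped` is one whose replies leak how many packets it has sent in between two probes, which is exactly what lets it act as the relay host in the post. The mitigation is a stack that does not use one global sequential counter (per-destination or randomised IP IDs, or zero for unfragmentable datagrams), which is consistent with the author's unsuccessful attempt against Linux 2.4.x.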