BAIS(Born Again Idle Scan)

Page history last edited by PBworks 16 years, 7 months ago

 

Idle scan Alive and Kicking!!! (A Patch is provided at the bottom of this page)

 

references:

 

Idle scan is not a closed chapter. Microsoft Windows-based OSes have not patched it yet, so all Microsoft Windows versions, including the latest updates and service packs, are vulnerable to this attack.

 

Most of the workstations I tested today were vulnerable to idle scan! I couldn't believe my eyes, since we all were thinking idle scan was a closed chapter!!, so I tested it again and again, but still the same results.

 

I have decided to go public because I am not too certain about this; I want the community to come forward and research it more. If it is true indeed, if it can be replicated again, I am sure it is a huge problem. So I urge the community to educate everyone about the flaw, and give them practical workarounds (having the firewall/NAT based on unaffected OSes) till patches are released by the vendor. Moreover, every second the information is delayed, the chances are that the attacker already knows it and gets every extra second to catch all of us unaware. It's a chance I am not allowing myself to take.

 

 

It's with great sadness I have to tell you all that there are still a lot of systems that are vulnerable to this bug in the TCP/IP stack implemented by the OS. As of today, 16th September 2007, I came across many vulnerable systems. Every implementation of Windows-based OS is inherently vulnerable. There are many systems used as zombies because of carelessness on the part of the vendor in patching it up. This issue reflects the sad sense of false security created and marketed by vendors today.

 

 

If you ever come across any Windows-based operating system on your private intranet, or any Internet machine that you HAVE LEGAL PERMISSION for, and if you want to check whether it is vulnerable, here is what I did. I expect system administrators to look into this very, very seriously and do something about it.

 

 

A STRONG REMINDER : DO NOT TRY THIS ON A RANDOM INTERNET ADDRESS, THAT YOU DO NOT HAVE EXPLICIT LEGAL PERMISSION FOR. IT IS ILLEGAL AND YOU CAN BE ARRESTED.

 

 

 

Open a tabbed terminal screen, and in the first tab, call it A, type the following command; feel free to customize the port and site address to fit your situation.

 

hping -S -p 80 www.vulnerablewindowsbasedsite.com

 

 

 

Keep tab A running for a while. Do you notice any pattern in the "DF id" value (the IP ID field in hping's output)? If you do, then let's open the next tab; else you can assume this site is thankfully not vulnerable. Mind you, observing the pattern is not child's play; use your instincts and play with your creativity. Remind yourself that there may be other traffic to the site, so make sure the numbers you get are not "disturbed" by the site's traffic. If they are, try to compensate for the noise and continue searching for a pattern, or come back to it later, say late at night.

 

 

 

If tab A returned some bad news, let's confirm it with this next step:

 

Open the next tab, say B, and type in the following command:

 

hping -S -p 80 -a www.vulnerablewindowsbasedsite.com www.notsomuchvulnerablesite.com

 

 

Now come back to tab A and look for a change in the "pattern". Mind you, it won't necessarily be immediate; it will take at least a few seconds. You may want to Ctrl-C terminal B and then again look for a pattern change in A. If, after many starts and restarts of terminal B, you are finally able to correlate the running of terminal B with the output ("DF id" field) at terminal A, then the news is terrible indeed: alert the site's admin or any other concerned agency before any catastrophe occurs.
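As an added example (not from the original page or its author), a small Python analysis that automates the pattern check from tabs A and B on hping reply lines, so you can assess your own hosts without eyeballing the counter. The hping lines below are constructed; the +256 case is the Windows-style counter that increments in host byte order and therefore shows on the wire as steps of 256.

```python
import re
from statistics import median
ID_RE = re.compile(r"\bid=(\d+)\b")
# Constructed hping-style reply lines (not captured from a real host): tab A
# while the host is idle, then tab A again while the spoofed stream in tab B runs.
IDLE_OUTPUT = """\
len=46 ip=192.0.2.10 ttl=128 DF id=1201 sport=80 flags=SA seq=0 win=16384 rtt=1.2 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1202 sport=80 flags=SA seq=1 win=16384 rtt=1.1 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1203 sport=80 flags=SA seq=2 win=16384 rtt=1.3 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1204 sport=80 flags=SA seq=3 win=16384 rtt=1.2 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1205 sport=80 flags=SA seq=4 win=16384 rtt=1.1 ms
"""
PROBED_OUTPUT = """\
len=46 ip=192.0.2.10 ttl=128 DF id=1300 sport=80 flags=SA seq=0 win=16384 rtt=1.2 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1303 sport=80 flags=SA seq=1 win=16384 rtt=1.4 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1306 sport=80 flags=SA seq=2 win=16384 rtt=1.3 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1308 sport=80 flags=SA seq=3 win=16384 rtt=1.2 ms
len=46 ip=192.0.2.10 ttl=128 DF id=1311 sport=80 flags=SA seq=4 win=16384 rtt=1.5 ms
"""

def ip_ids(hping_output):
    """Pull the IP ID ('DF id=' column) out of hping reply lines."""
    return [int(m.group(1)) for m in ID_RE.finditer(hping_output)]

def deltas(ids):
    """Successive IP ID steps, modulo the 16-bit field so wrap-around is a step of 1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def classify(ids, tolerance=0.8):
    """'constant', 'incremental' (step 1, or 256 for hosts counting in host byte
    order), 'busy-incremental' (monotonic but disturbed by other traffic) or 'random'."""
    d = deltas(ids)
    if len(d) < 3:
        raise ValueError("need at least four samples")
    if all(x == 0 for x in d):
        return "constant"
    step = median(d)
    share = sum(1 for x in d if x == step) / len(d)
    if step in (1, 256) and share >= tolerance:
        return "incremental"
    if all(0 < x < 2048 for x in d):
        return "busy-incremental"
    return "random"

def reflects_foreign_traffic(idle_ids, probed_ids):
    """Tab B check: an incremental counter whose median step grows while the
    spoofed SYNs run is being advanced by replies to traffic the host never sent."""
    return (classify(idle_ids) == "incremental"
            and median(deltas(probed_ids)) > median(deltas(idle_ids)))
```

Feed it `hping -S ... | tee` output from a host you administer; a "random" verdict means the host cannot serve as a zombie, while "incremental" plus a positive tab B check is the condition the page describes.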

 

And yeah, after seeing to it personally that the bug has been patched, you can have a good night's sleep, with a lighter soul and a warm feeling of having secured the world by 0.0000000000000000000000001 % ;)

 

Good Luck...

 


Patch:

 

// Patch: keeps the host's IP ID counter unpredictable by pushing a random number
// of packets over a loopback TCP connection, over and over. Link against the
// Winsock library when you compile (wsock32.lib for winsock.h). Keep the program
// running and it will randomize your IP ID.
// Assumption (not stated on the page): something must be listening on
// 127.0.0.1:4242, otherwise connect() fails and no packets are sent.

#include <winsock.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <stdio.h>

#pragma comment(lib, "wsock32.lib")

int main()
{
    WSAData wsaData;
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
        fprintf(stderr, "WSAStartup failed\n");
        return 1;
    }

    srand((unsigned)time(NULL));

    sockaddr_in sinRemote;
    memset(&sinRemote, 0, sizeof(sinRemote));
    sinRemote.sin_family = AF_INET;
    sinRemote.sin_addr.s_addr = inet_addr("127.0.0.1");
    sinRemote.sin_port = htons(4242);

    while (1)
    {
        SOCKET sd = socket(AF_INET, SOCK_STREAM, 0);
        if (sd == INVALID_SOCKET) {
            fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
            break;
        }

        if (connect(sd, (sockaddr*)&sinRemote, sizeof(sinRemote)) == SOCKET_ERROR) {
            fprintf(stderr, "connect() failed: %d (is anything listening on 4242?)\n",
                    WSAGetLastError());
            closesocket(sd);
            Sleep(1000);
            continue;
        }

        // Without TCP_NODELAY the stack may coalesce consecutive one-byte sends
        // into fewer segments, so fewer IP IDs would be consumed than intended.
        BOOL nodelay = TRUE;
        setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (const char*)&nodelay, sizeof(nodelay));

        // Pick the packet count once; the original re-evaluated rand() on every
        // loop test. Each send() carries one byte so that a packet is actually
        // emitted (a zero-length send puts nothing on the wire).
        int count = rand();
        for (int i = 0; i < count; i++)
            send(sd, "x", 1, 0);

        shutdown(sd, SD_SEND);
        closesocket(sd);
    }

    WSACleanup();
    return 0;
}

 

 
