antimap

by Stéphane Aubert (20/11/2001)



Antimap v0.1
Stephane.Aubert@hsc-labs.com



-=[ Preamble ]=----------------------------------------------------------------

Antimap is one of the toys I write to amuse myself; this toy is not meant to
improve the security of a production site.

Some of these toys are used in HSC's penetration tests, while others, such as
antimap, can be used to drive crazy the budding hackers who have just received
their ADSL modem.



-=[ How antimap works ]=-------------------------------------------------------

Antimap automatically sends SYN|ACK packets whenever the "monitored" machine
receives SYN packets (TCP connection requests).

Antimap must be configured so that it does not disturb legitimate network
traffic. If the machine is reachable over SSH, SMTP and HTTP, antimap should
be configured with the following line:

  my @allowed = ( '22', '25', '80' ); #don't react on these ports

Antimap can behave in different ways when it receives SYN packets: it can
answer every packet, or answer only in X % of cases. It is also possible to
answer only for well-known TCP ports.

Antimap only works against SYN-scan type port scanners (i.e. nmap -sS) and
does not work against tools such as strobe, slscan or nmap -sT.

Amusing remark: in the example below, antimap makes nmap's OS detection fail,
because nmap uses the first port it considers open to run its tests.



-=[ Scanning a machine not running Antimap ]=----------------------------------

root@groar:~# nmap -sS -O -v -n --osscan_guess xor

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host  (62.4.21.60) appears to be up ... good.
Initiating SYN Stealth Scan against  (62.4.21.60)
Adding open port 22/tcp
Adding open port 6000/tcp
Adding open port 25/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 18 seconds to scan 1548 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on  (62.4.21.60):
(The 1544 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
80/tcp     open        http                    
6000/tcp   open        X11                     

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 2.993 days (since Tue Nov  6 12:05:52 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1558848 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds



-=[ Running Antimap ]=---------------------------------------------------------

# -= antimap 0.1 - sa/hsc =-
  .started on eth0 for 62.4.21.60



-=[ Scanning the same machine, but with Antimap running ]=---------------------

root@groar:~# nmap -sS -O -v -n --osscan_guess xor

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Host  (62.4.21.60) appears to be up ... good.
Initiating SYN Stealth Scan against  (62.4.21.60)
Adding open port 1524/tcp
Adding open port 119/tcp
Adding open port 11/tcp
Adding open port 37/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 2049/tcp
Adding open port 1352/tcp
Adding open port 514/tcp
Adding open port 6000/tcp
Adding open port 8080/tcp
Adding open port 80/tcp
Adding open port 81/tcp
Adding open port 540/tcp
The SYN Stealth Scan took 14 seconds to scan 1548 ports.
For OSScan assuming that port 11 is open and port 1 is closed and neither are firewalled
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
For OSScan assuming that port 11 is open and port 1 is closed and neither are firewalled
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
WARNING:  RST from port 11 -- is this port really open?
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
For OSScan assuming that port 11 is open and port 1 is closed and neither are firewalled
WARNING:  RST from port 11 -- is this port really open?
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on  (62.4.21.60):
(The 1534 ports scanned but not shown below are in state: closed)
Port       State       Service
11/tcp     open        systat                  
22/tcp     open        ssh                     
25/tcp     open        smtp                    
37/tcp     open        time                    
80/tcp     open        http                    
81/tcp     open        hosts2-ns               
119/tcp    open        nntp                    
514/tcp    open        shell                   
540/tcp    open        uucp                    
1352/tcp   open        lotusnotes              
1524/tcp   open        ingreslock              
2049/tcp   open        nfs                     
6000/tcp   open        X11                     
8080/tcp   open        http-proxy              

Aggressive OS guesses: HP-UX 11.00 (90%), HP-UX B11.00 U 9000/839 (89%), Foundry BigIron running 'SW' 07.0.05T53 (B2R07005) (86%)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA29%P=i686-pc-linux-gnu%D=11/9%Time=3BEBB693%O=11%C=1)
T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 25 seconds



-=[ Antimap ]=-----------------------------------------------------------------

#!/usr/bin/perl
#
# antimap v0.1 : anti-tcp-syn-scanner
# Copyright (C) 2001 Stephane Aubert aka Kotao
#
# Stephane Aubert <Stephane.Aubert@hsc-labs.com>
# HSC security research labs
# Hervé Schauer Consultants
#
# kotao <kotao@kotao.org>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# antimap should not be used as a lucrative tool without the author's
# authorization.

use IO::Socket;
use Net::RawIP;
$b = new Net::RawIP;                 # outgoing packet: the forged SYN|ACK
$a = new Net::RawIP;                 # incoming packet, filled from the capture
$c = new Net::RawIP ({icmp =>{}});   # unused in v0.1

my @allowed = ( '80', '25', '6000' ); #don't react on these ports
# ports commonly probed by scanners, used by the optional "common ports only"
# filter in fool() below
$fake = ":7:9:11:20:21:22:23:25:26:37:42:43:53:67:69:70:80:81:110:111:113:119".
        ":123:137:138:139:143:161:162:256:257:258:512:514:515:520:540:666".
        ":1352:1521:1524:2049:3128:6000:6001:8080:8081:12345:";
my $VERSION=0.1;
my $dev = Net::RawIP::lookupdev($tout);  # first usable interface; $tout gets pcap's error text
my $localip = ${ifaddrlist()}{$dev};
my $protected = shift || "$localip";     # host to protect: first argument, default the local address

# capture TCP segments with the SYN flag set (tcp[13] & 2, which also matches
# SYN|ACK) sent to the protected host, excluding the allowed ports at either end
my $filter = "proto \\tcp and dst host $protected and tcp[13] & 2 != 0";
map {$filter.=" and not port $_"} @allowed;

print "-= antimap $VERSION - sa/hsc =-\n";
print "  .started on $dev for $protected\n";
$pcap=$a->pcapinit($dev,$filter,1500,30);  # snaplen 1500 bytes, pcap timeout 30
srand(time^$$);
loop $pcap,-1,\&fool,\@a;                   # call fool() for every captured packet, forever

### functions ############################################################
sub fool {
  $a->bset(substr($_[2],14));   # $_[2] is the raw frame: skip the 14-byte Ethernet header
  my ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,
      $daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,
      $ack,$psh,$rst,$syn,$fin,$win,$chk,$data) =
      $a->get({
        ip=>['version','ihl','tos','tot_len','id','frag_off',
             'ttl','protocol','check','saddr','daddr'],
        tcp=>[ 'source','dest','seq','ack_seq','doff','res1',
               'res2','urg','ack','psh','rst','syn','fin',
               'window','check','data']});
  #return if(rand(100) > 30);            #uncomment this line if necessary (answer only 30 % of probes)
  #return unless($fake=~/:\Q$dport\E:/); #uncomment this line if necessary (answer only on $fake ports)
  # forge the SYN|ACK: swap addresses and ports, acknowledge the probe's
  # sequence number + 1, window 0, payload "kotao"
  $b->set({ ip =>{ saddr=>$daddr, daddr=>$saddr },
            tcp => { dest => $sport, source => $dport,
             syn => '1', ack => '1',
             seq => 0x828b+rand(0xffff), ack_seq => $seq+1, 
             window => 0, data=>"\x6b\x6f\x74\x61\x6f"}
          }); 
  $b->send();
};
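The same behaviour as the Perl script above, re-implemented here as an added example in pure Python (it is not the page's code and not part of antimap): it parses a captured Ethernet/IPv4/TCP frame the way fool() does, applies the allowed-port, percentage and common-port filters described under "How antimap works", and forges the SYN|ACK with valid checksums. It works on frames as byte strings, so it runs offline without root, pcap or raw sockets; the scanner address 198.51.100.7 is constructed, FAKE is a shortened copy of $fake, and, unlike the original BPF filter, it ignores segments that already carry ACK (the SYN|ACK replies to the protected host's own connections).

```python
import random
import struct
# Added example, not the original Perl: antimap's filter, decision and forged SYN|ACK,
# built by hand on byte strings so it runs offline (no pcap, raw sockets or root).
ALLOWED = {22, 25, 80}   # real services (the page's config line): never spoof these
FAKE = {7, 9, 11, 21, 23, 37, 53, 110, 119, 514, 540, 1352, 1524, 2049, 6000, 8080}  # subset of $fake
PROTECTED = bytes([62, 4, 21, 60])   # the host scanned on the page

def checksum(data):
    # RFC 1071 one's-complement sum; returns 0 over data that already holds a valid checksum
    data += b'\0' * (len(data) % 2)
    s = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_packet(saddr, daddr, sport, dport, seq, ack_seq, flags, window=0, payload=b''):
    # IPv4 + TCP without options, both checksums filled in
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, ack_seq, (5 << 12) | flags, window, 0, 0) + payload
    pseudo = saddr + daddr + struct.pack('!BBH', 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack('!H', checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, saddr, daddr)
    return ip[:10] + struct.pack('!H', checksum(ip)) + ip[12:] + tcp

def parse_frame(frame):
    # Ethernet/IPv4/TCP frame -> the fields fool() reads (None if not TCP); no Ethernet trailer assumed
    ip = frame[14:]                      # skip the 14-byte Ethernet header, like bset(substr($_[2],14))
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport, seq, ack_seq, off_flags = struct.unpack('!HHIIH', tcp[:14])
    pseudo = ip[12:20] + struct.pack('!BBH', 0, 6, len(tcp))
    return {'saddr': ip[12:16], 'daddr': ip[16:20], 'sport': sport, 'dport': dport,
            'seq': seq, 'ack_seq': ack_seq, 'syn': bool(off_flags & 2), 'ack': bool(off_flags & 16),
            'sums_ok': checksum(ip[:ihl]) == 0 and checksum(pseudo + tcp) == 0}

def should_fool(pkt, protected=PROTECTED, ratio=100, common_only=False, rng=random.random):
    # Pure SYN to the protected host on a non-allowed port ('not port X' covers either end), then the
    # two optional filters of the script: answer only ratio % of probes, or only on the FAKE list.
    if (pkt is None or not pkt['syn'] or pkt['ack'] or pkt['daddr'] != protected
            or pkt['dport'] in ALLOWED or pkt['sport'] in ALLOWED):
        return False
    return (not common_only or pkt['dport'] in FAKE) and rng() * 100 <= ratio

def fool(pkt, isn):
    # The forged reply: endpoints swapped, SYN|ACK, ack = probe seq + 1, window 0, payload "kotao"
    return build_packet(pkt['daddr'], pkt['saddr'], pkt['dport'], pkt['sport'],
                        isn, (pkt['seq'] + 1) & 0xFFFFFFFF, 0x12, 0, b'kotao')
```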

-=[ EOTip ]=-------------------------------------------------------------------
$Id: antimap.tip,v 1.7 2001/11/21 09:15:05 aubert Exp $



Last modified on 12 November 2003 at 13:55:00 CET - webmaster@hsc.fr
© 1989-2013 Hervé Schauer Consultants