NavyIT
Out of all the texts/books that I've read, not one of them has talked about how attackers maintain their anonymity before compromising the system. They all talk about the different audit trails/logs that should be removed or altered, but not how they keep themselves from being identified in the early enumeration stages.

There's always a lot of talk about proxies, but I figured proxies were typically mediums for HTTP communication. If that's the case, then how does one, say, mask an Nmap scan, a dig, or even a banner grab on port 25? The first thing that comes to mind are Socks. From what I've read, Socks is complete encapsulation of TCP/IP communication. How does one interface a Nmap scan to use the socks or multiple socks as a buffer? Not to mention that it could sometimes take more work just finding open proxies/socks that aren't being used by 100 other people, and even then their integrity as anonymous can't be guaranteed.

So what's left? Is Tor capable or even suggested for these types of interactions (from a technical, not ethical standpoint)? Or is it easier for the attacker to use some type of homemade or open-source port redirection software, assuming it can encapsulate all traffic? But again I don't see how it interfaces with all the components used for enumeration or compromise. I know nmap has the -D option for decoy hosts, but I wonder how reliable it really is.

Am I thinking too much into it? lol.

Thanks in advance.
skydance
well nmap has another nice feature called idlescanning, check it out: hxxp://www.insecure.org/nmap/idlescan.html
NavyIT
QUOTE(skydance @ Jul 4 2005, 12:39 PM)
well nmap has another nice feature called idlescanning, check it out: hxxp://www.insecure.org/nmap/idlescan.html

Thanks skydance. I tried that out, and it seems pretty efficient. Question. While the target server itself won't see the source of the scan, the "zombie" will, right?
PuNkErX
How do you find the zombies? Is there a way to scan or anything like that?
NavyIT
QUOTE(PuNkErX @ Jul 4 2005, 07:07 PM)
How do you find the zombies? Is there a way to scan or anything like that?

According to the article, the -sI option with the zombie host and target will attempt to scan using the first host as a zombie. It will tell you whether it's possible to use as a zombie or not. It also says that Windows boxes, old Linux hosts, etc. were vulnerable. It took a handful of sites, but I eventually found one that worked.
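A detection-side illustration of the idle scan discussed above, added here and not taken from the thread: the host used as a "zombie" sees the scanner's IP-ID probes as a run of SYN/ACKs it never solicited, each answered with a RST, and a scanned target's replies to SYNs spoofed with the zombie's address show up the same way. The log format, addresses and threshold are all constructed for this example.

```python
from collections import Counter

MONITORED = "203.0.113.9"   # the host being watched (a would-be zombie); constructed address

def constructed_log():
    """Constructed connection records: 'time src:port dst:port flags' (S=SYN, A=ACK, R=RST)."""
    lines = [  # one legitimate outbound connection the monitored host initiated itself
        "09:00:00 203.0.113.9:51000 198.51.100.7:443 S",
        "09:00:00 198.51.100.7:443 203.0.113.9:51000 SA",
        "09:00:00 203.0.113.9:51000 198.51.100.7:443 A"]
    for i in range(1, 7):   # scanner sampling our IP ID: unsolicited SYN/ACK in, RST out, repeatedly
        lines += [f"09:00:{i:02d} 192.0.2.77:40000 203.0.113.9:80 SA",
                  f"09:00:{i:02d} 203.0.113.9:80 192.0.2.77:40000 R"]
    for i in (2, 4):        # a scanned host answering SYNs that were spoofed with our address
        lines += [f"09:00:{i:02d} 192.0.2.50:22 203.0.113.9:40000 SA",
                  f"09:00:{i:02d} 203.0.113.9:40000 192.0.2.50:22 R"]
    return "\n".join(lines)

def unsolicited_synacks(log, host):
    """Per source address, count inbound SYN/ACKs to `host` that answer no SYN `host` sent."""
    opened = set()          # (remote endpoint, our port) for connections we initiated
    hits = Counter()
    for line in log.splitlines():
        _, src, dst, flags = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        if src_ip == host and flags == "S":
            opened.add((dst, src_port))
        elif dst_ip == host and flags == "SA" and (src, dst_port) not in opened:
            hits[src_ip] += 1
    return hits

def idle_scan_suspects(log, host, threshold=5):
    """Source addresses whose unsolicited SYN/ACK count reaches the threshold."""
    return sorted(ip for ip, n in unsolicited_synacks(log, host).items() if n >= threshold)

if __name__ == "__main__":
    print(unsolicited_synacks(constructed_log(), MONITORED))
    print(idle_scan_suspects(constructed_log(), MONITORED))
```

The low-volume source (the scanned target's replies) stays below the threshold, which is the point: the zombie is the vantage point that sees the scanner directly, as the next reply in the thread confirms.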
myth
QUOTE
rt001:/media# proxychains nmap -sP 203.23.125.1-254
Proxy Chains ver 1.8 running nmap

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-05 13:57 CST
caught SIGINT signal, cleaning up
QUOTE
rt001:/media# cat /etc/proxychains.conf
# proxychains.conf  VER 1.8
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise ECONNREFUSED is returned to the app
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise ECONNREFUSED is returned to the app
#
# Random - Each connection will be done via single random proxy from the list
# this option is good for scans

#DynamicChain
#StrictChain
RandomChain


#Some timeouts in milliseconds
#
tcp_read_time_out 15000
tcp_connect_time_out 10000

[ProxyList]
# ProxyList format
#      type  host  port [user pass]
#      (values separated by 'Tab')
#
#
#        Examples:
#
#            socks5    192.168.67.78   1080    lammer  secret
#            http      192.168.89.3    8080    justu   hidden
#            socks4    192.168.1.49    1080
#            http      192.168.39.93   8080
#
#
#      proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
#      the list below may be out of date, they all are public proxies
#http 192.115.8.xxx 80
#http 199.106.xxx.3 80
#http 195.8.0.xxx 80
#http 203.xxx.0.13 80

#socks4 80.xxx.146.16 1080
#socks4 211.xxx.10.133 1080
#socks4 194.165.xxx.34 1080
#socks4 201.11.xxx.xxx 1080
#socks4 202.83.xxx.xxx 1080

#socks5 61.182.xxx.183 1080
socks5 222.76.xxx.129 1080
#socks5 219.xxx.xxx.153 1080
#socks4 219.xxx.xxx.153 1080
#socks5 61.178.xxx.xxx 1080

That's how I do it, use proxychains.... Sorry I didn't put in a great answer, but the above examples are probably what you're looking for...
NavyIT
So, you can use proxychains with ANY type of connection over TCP/IP? If that's the case, can anyone suggest a lightweight "tiny" socks proxy that can be used in conjunction with this, instead of relying on public proxies?

Edit: Actually I found 3proxy (http://www.security.nnov.ru/soft/3proxy/) and tinyproxy (http://tinyproxy.sourceforge.net/). Both open source, so I'm sure mechanisms like encryption/stealth could be implemented.
skydance
NavyIT: right, the zombie can see you.... about using socks, that's ok as long as you control the servers running socks and you make sure all logs and traces are erased.... using public proxies could be hazardous.
Invision Power Board © 2001-2005 Invision Power Services, Inc.