1
00:00:01,650 --> 00:00:08,040
In the case of a connectionless UDP protocol, which we do not expect to respond, scanning is marginally

2
00:00:08,040 --> 00:00:15,000
more complicated, because this is a connectionless protocol that doesn't respond. A connection attempt

3
00:00:15,000 --> 00:00:22,150
to a closed port will fail and we will be presented with an error message. In such a case you can exploit

4
00:00:22,170 --> 00:00:29,370
the fact that, as the RFC documents state, the computer should respond with an ICMP port unreachable

5
00:00:29,370 --> 00:00:30,190
message.

6
00:00:37,750 --> 00:00:42,210
Scanning itself has one basic flaw.

7
00:00:42,340 --> 00:00:46,650
It sends back the information about the scanner.

8
00:00:46,700 --> 00:00:50,650
It may seem that you can't connect to the target host while remaining unnoticed.

9
00:00:52,970 --> 00:00:57,030
However, there are ways to remain anonymous.

10
00:00:57,070 --> 00:01:02,090
One of them is using multiple fake IP addresses to hide the attacker's identity.

11
00:01:02,200 --> 00:01:03,520
But we won't cover this here.

12
00:01:09,340 --> 00:01:18,620
Another method is called the idle scan. It exploits the fact that, in accordance with RFC standards, a

13
00:01:18,620 --> 00:01:26,590
computer that receives an unexpected TCP session packet should respond with RST.

14
00:01:26,700 --> 00:01:30,920
The only exception is when it receives an RST packet, which should be ignored.

15
00:01:31,930 --> 00:01:36,700
Otherwise the internet would be crammed with millions of RST packets being sent back and forth in

16
00:01:36,700 --> 00:01:37,950
an infinite loop.

17
00:01:40,680 --> 00:01:45,680
We can take advantage of this fact and use any computer that is connected to the World Wide Web,

18
00:01:46,550 --> 00:01:52,940
even if we don't have physical access to it, to scan another computer. This is the idea behind the idle

19
00:01:52,940 --> 00:01:55,210
scan.

20
00:01:55,260 --> 00:02:02,870
Please look at the diagram in the slide. This shows the mechanism of the attack. We find a computer that

21
00:02:02,870 --> 00:02:07,680
will make an appropriate zombie machine. We send a packet to it.

22
00:02:08,620 --> 00:02:16,030
We record the IP ID, an identification field used for identifying fragments of an original IP datagram.

23
00:02:18,460 --> 00:02:26,410
We only need to remember the number. Some implementations of operating systems still in use today generate

24
00:02:26,410 --> 00:02:34,330
an IP ID number in an incremental and predictable way. Every further packet will have a higher IP ID

25
00:02:34,330 --> 00:02:41,270
number. Knowing that, we can send the scanning packet to the target machine.

26
00:02:42,130 --> 00:02:47,780
When we use the address of the zombie instead of our own, the target computer will send the response

27
00:02:47,780 --> 00:02:50,270
to the zombie in case the port is open.

28
00:02:51,130 --> 00:02:54,840
Otherwise the response will not be sent at all.

29
00:02:54,930 --> 00:02:58,940
The zombie will react correspondingly to the packet it receives.

30
00:02:59,160 --> 00:03:03,890
It will either send or not send the RST to the target.

31
00:03:03,940 --> 00:03:10,230
Then we probe for an IP ID again and we compare it to the number we got before.

32
00:03:10,260 --> 00:03:17,060
If the number has increased by 1, it means that the zombie has sent the RST packet.

33
00:03:17,210 --> 00:03:21,350
We learned that the port on the target machine was open without directly connecting to it.

34
00:03:23,130 --> 00:03:25,440
In a moment we will try to make a demonstration.