1 files changed, 47 insertions, 0 deletions
diff --git a/informationals/teso-i0016.txt b/informationals/teso-i0016.txt
new file mode 100644
index 0000000..d233b81
--- /dev/null
+++ b/informationals/teso-i0016.txt
@@ -0,0 +1,47 @@
+0016 2000/02/23  Trick to hide UDP ports, trick to discover this
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+Description ..........: Trick to hide UDP ports, trick to discover this
+Date .................: 2000/02/23 18:00
+Author ...............: scut
+Publicity level ......: unknown
+Affected .............: UDP/IP stack
+Type of entity .......: implementation
+Type of discovery ....: useful information
+Severity/Importance ..: low
+Found by .............: scut
+Information ===================================================================
+Many hacking tools operate as an UDP daemon, which listens on a UDP port for
+messages. Usually this open UDP ports are easily discovered through a simple
+UDP port scan. However, most hackers try to avoid detection by using a high
+port number which won't be scanned usually.
+  There is a better method of hiding UDP ports, by copying the behaviour of a
+closed UDP port: Just send a ICMP Port Unreachable packet each time a packet
+is received on the port. To do this you have to call an ICMP send routine
+directly after you have received an UDP packet. This ICMP send routine has to
+craft a Unreachable packet similar to the one the system would create and send
+it back to the source IP of the received UDP packet.
+While this looks very stealthy it has a really cool flaw which is easy to
+oversee. Every IP packet, hence the ICMP packet too has to have an IP ID,
+which is linear on most systems. If you just fill in a random one in the ICMP
+packet you generate, your port can still be detected. To do this one will
+sequentially scan all UDP ports and collect all received ICMP unreachable
+packets. Then your artificial ICMP packets will be those which don't match
+into the mostly linear IP ID's of the other ICMP packets.
+To avoid detection completely on a system whose kernel generates linear IP ID's
+you have to aquire the current IP ID before sending a bogus ICMP packet. This
+can be discovered remotely too, if you get the ID by sending a packet to a UDP
+port yourself and watch the IP ID in the ICMP unreachable packet send back to
+you: An IP ID increment value of two instead of one will be observed. To do
+this right a direct access to the current IP ID is required.
+===============================================================================

diff --git a/informationals/teso-i0016.txt b/informationals/teso-i0016.txt new file mode 100644 index 0000000..d233b81 --- /dev/null +++ b/informationals/teso-i0016.txt
@@ -0,0 +1,47 @@
	1	0016 2000/02/23 Trick to hide UDP ports, trick to discover this
	2
	3	==== TESO Informational =======================================================
	4	This piece of information is to be kept confidential.
	5	===============================================================================
	6
	7	Description ..........: Trick to hide UDP ports, trick to discover this
	8	Date .................: 2000/02/23 18:00
	9	Author ...............: scut
	10	Publicity level ......: unknown
	11	Affected .............: UDP/IP stack
	12	Type of entity .......: implementation
	13	Type of discovery ....: useful information
	14	Severity/Importance ..: low
	15	Found by .............: scut
	16
	17	Information ===================================================================
	18
	19	Many hacking tools operate as an UDP daemon, which listens on a UDP port for
	20	messages. Usually this open UDP ports are easily discovered through a simple
	21	UDP port scan. However, most hackers try to avoid detection by using a high
	22	port number which won't be scanned usually.
	23
	24	There is a better method of hiding UDP ports, by copying the behaviour of a
	25	closed UDP port: Just send a ICMP Port Unreachable packet each time a packet
	26	is received on the port. To do this you have to call an ICMP send routine
	27	directly after you have received an UDP packet. This ICMP send routine has to
	28	craft a Unreachable packet similar to the one the system would create and send
	29	it back to the source IP of the received UDP packet.
	30
	31	While this looks very stealthy it has a really cool flaw which is easy to
	32	oversee. Every IP packet, hence the ICMP packet too has to have an IP ID,
	33	which is linear on most systems. If you just fill in a random one in the ICMP
	34	packet you generate, your port can still be detected. To do this one will
	35	sequentially scan all UDP ports and collect all received ICMP unreachable
	36	packets. Then your artificial ICMP packets will be those which don't match
	37	into the mostly linear IP ID's of the other ICMP packets.
	38
	39	To avoid detection completely on a system whose kernel generates linear IP ID's
	40	you have to aquire the current IP ID before sending a bogus ICMP packet. This
	41	can be discovered remotely too, if you get the ID by sending a packet to a UDP
	42	port yourself and watch the IP ID in the ICMP unreachable packet send back to
	43	you: An IP ID increment value of two instead of one will be observed. To do
	44	this right a direct access to the current IP ID is required.
	45
	46	===============================================================================
	47