Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
KJK::Hyperion wrote:
>> Previous scanning worms, such as Code Red, spread via many threads, each invoking connect() to probe random addresses.
>
> what the hell is this? visiting the iniquity of the applications upon the protocols? Winsock is probably the only API that lets you connect() asynchronously

I stand corrected! You can obviously use a non-blocking connect() with select(), as well. You wacky socket APIs, what predicament will you not get into!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
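The non-blocking connect() plus select() pattern the message above refers to, as an added example that is not code from this thread or from any of its posters: connect() returns immediately with EINPROGRESS, select() waits for writability, and SO_ERROR reports how the handshake ended, so one thread is no longer tied up per probe by the round-trip latency the CAIDA quote describes. To run offline it probes a listener bound in the same process on 127.0.0.1; local_listener and probe_connect are names chosen here.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>

/* Constructed fixture: listener on 127.0.0.1 with an OS-chosen port so the
 * example needs no network. Returns the fd and stores the port. */
static int local_listener(unsigned short *port) {
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}

/* Non-blocking connect to 127.0.0.1:port. Returns 0 when the port accepted
 * the connection, the errno the peer caused (e.g. ECONNREFUSED) when it did
 * not, or ETIMEDOUT when nothing came back within timeout_ms. The caller's
 * thread never blocks in connect(); the wait is delegated to select(). */
static int probe_connect(unsigned short port, int timeout_ms) {
    struct sockaddr_in a;
    fd_set wfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int err = 0, fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t elen = sizeof err;
    if (fd < 0) return errno;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&a, sizeof a) < 0 && errno != EINPROGRESS) {
        err = errno; close(fd); return err; }   /* synchronous failure (loopback) */
    FD_ZERO(&wfds); FD_SET(fd, &wfds);
    if (select(fd + 1, NULL, &wfds, NULL, &tv) <= 0) { close(fd); return ETIMEDOUT; }
    getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen);   /* outcome of the SYN */
    close(fd);
    return err;
}
```

With many such sockets in one select() set, the per-probe wait overlaps instead of serialising, which is the bandwidth-bound rather than latency-bound behaviour discussed later in the thread.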
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
Isn't it true that a TCP packet is typically 20 bytes, and a UDP packet about 8? This is minus any additional data that has been added to the packet. If this is true, then depending on the size of the pipe you're sending the data through, and the amount of congestion there might be, a UDP packet would more easily and quickly hit its destination.

On Thu, Mar 6, 2008 at 8:15 AM, KJK::Hyperion [EMAIL PROTECTED] wrote:
> KJK::Hyperion wrote:
>>> Previous scanning worms, such as Code Red, spread via many threads, each invoking connect() to probe random addresses.
>>
>> what the hell is this? visiting the iniquity of the applications upon the protocols? Winsock is probably the only API that lets you connect() asynchronously
>
> I stand corrected! You can obviously use a non-blocking connect() with select(), as well. You wacky socket APIs, what predicament will you not get into!
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
On Thu, 06 Mar 2008 09:13:05 EST, Static Rez said:
> Isn't it true that a TCP packet is typically 20 bytes, and a UDP packet about 8? This is minus any additional data that has been added to the packet. If this is true, then depending on the size of the pipe you're sending the data through, and the amount of congestion there might be, a UDP packet would more easily and quickly hit its destination.

If your network is so congested that the difference between a min-sized TCP packet and a min-sized UDP packet matters, you have *bigger* problems...

(In reality, most NICs will refuse to blat out a packet much smaller than 64 bytes or so - there were a number of info-disclosure issues with some drivers that would try to send a 56 byte packet, and failed to zero out the 8 trailing bytes).
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
hey dude, how is merely sending a single datagram not going to be faster than doing an entire handshake?

On Tue, Mar 4, 2008 at 12:53 AM, Sebastian Krahmer [EMAIL PROTECTED] wrote:
> This is not true. I doubt there is any measurable advantage of UDP vs. TCP scans if you do it right.
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
dude, you don't need the entire handshake for tcp scanning.

On Wed, Mar 5, 2008 at 2:54 PM, Andrew A [EMAIL PROTECTED] wrote:
> hey dude, how is merely sending a single datagram not going to be faster than doing an entire handshake?
>
> On Tue, Mar 4, 2008 at 12:53 AM, Sebastian Krahmer [EMAIL PROTECTED] wrote:
>> This is not true. I doubt there is any measurable advantage of UDP vs. TCP scans if you do it right.
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
Hi dude,

On Wed, Mar 05, 2008 at 04:54:16AM -0800, Andrew A wrote:
> hey dude, how is merely sending a single datagram not going to be faster than doing an entire handshake?

First, to know whether a TCP port is open you do not need a complete handshake. A single TCP packet is enough. I doubt that a single TCP packet is slower than a single UDP packet.

Second, you may need to send multiple (same) UDP packets since the remote peer's rate limiting does not send you back ICMPs; all due to the unreliable nature of UDP.

But the most important thing is, that if you do it large scale*, you have to wait for some sort of reply anyways, either TCP SYN|ACK or some application data. This time of waiting can be used to SYN/request yet another 10,000 hosts. Thus, how fast a scanner is does not depend on UDP or TCP, it depends on the upper protocols. Even complex protocols such as SSH can be spoken very quickly and only require a little more time (if at all) than walking a couple of SNMP OIDs per host. 10,000+ hosts/s for a common application TCP protocol such as HTTP is easy. Do not bash me if a UDP app scan takes 10 minutes to succeed and I need 11, we talk about *differences* :-)

* speaking about application level which needs some request/responses in both, UDP and TCP, cases

regards,
Sebastian

--
~
~ perl self.pl
~ $_='print\$_=\47$_\47;eval';eval
~ [EMAIL PROTECTED] - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
Hi,

> all due to the unreliable nature of UDP.
>
> But the most important thing is, that if you do it large scale*, you have to wait for some sort of reply anyways, either TCP SYN|ACK or some application data. This time of waiting can be used to SYN/request yet another 10,000 hosts. Thus, how fast a scanner is does not depend on UDP or TCP, it depends on the upper protocols.

It mainly depends on the implementation of the scanner. We did some large scale internet SNMP scanning some time ago [see http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf] and used our own scanning tool [http://www.ernw.de/download/snmpattack.pl]. Within the different releases of the tool there were _big_ differences as for the scanning speed.

thanks,

Enno

--
Enno Rey
Check out www.troopers08.org!
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
That single UDP datagram is definitely faster. Compare the Code Red worm to Sapphire (SQL Slammer), for instance:

> Previous scanning worms, such as Code Red, spread via many threads, each invoking connect() to probe random addresses. Thus each thread's scanning rate was limited by network latency, the time required to transmit a TCP-SYN packet and wait for a response or timeout. In principle, worms can compensate for this latency by invoking a sufficiently large number of threads. However, in practice, context switch overhead is significant and there are insufficient resources to create enough threads to counteract the network delays -- the worm quickly stalls and becomes latency limited.
>
> In contrast, Sapphire's scanner was limited by each compromised machine's bandwidth to the Internet. Since the SQL Server vulnerability was exploitable using a single packet to UDP port 1434, the worm was able to send these scans without requiring a response from the potential victim.

* http://www.caida.org/publications/papers/2003/sapphire/sapphire.html

(Oops, sorry for the copy to your inbox, Andrew.)

On 3/5/08, Andrew A [EMAIL PROTECTED] wrote:
> hey dude, how is merely sending a single datagram not going to be faster than doing an entire handshake?
>
> On Tue, Mar 4, 2008 at 12:53 AM, Sebastian Krahmer [EMAIL PROTECTED] wrote:
>> This is not true. I doubt there is any measurable advantage of UDP vs. TCP scans if you do it right.
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
sub wrote:
> Previous scanning worms, such as Code Red, spread via many threads, each invoking connect() to probe random addresses.

what the hell is this? visiting the iniquity of the applications upon the protocols? Winsock is probably the only API that lets you connect() asynchronously (via the non-standard ConnectEx extension, but still). And if you have access to raw sockets, the whole point is moot because (IIRC) the advantages of SYN cookies work both ways.

(Oops, sorry for the copy to your inbox, sub. Blame the mailing list administrators, Thunderbird's clunky UI and my laziness)
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
No, but if you're querying the services for data you do.

On 3/5/08, Dmitry [EMAIL PROTECTED] wrote:
> dude, you don't need the entire handshake for tcp scanning.
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
On Tue, Mar 04, 2008 at 12:02:25AM +, Adrian P wrote:
> * Exploring the UNKNOWN: Scanning the Internet via SNMP! *
> http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/
>
> Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that led to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of _remote SNMP hacking_.
>
> * Why SNMP? *
>
> 2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. First of all SNMP is a UDP-based protocol which allows us to perform scanning at a much shorter time than via TCP-based protocols. Another advantage of

This is not true. I doubt there is any measurable advantage of UDP vs. TCP scans if you do it right. 2.5 million addresses can be done in a very short coffee break.

Sebastian

--
~
~ perl self.pl
~ $_='print\$_=\47$_\47;eval';eval
~ [EMAIL PROTECTED] - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
Well, such a statement is simply derived from my personal experience of doing application-layer UDP scanning. Never ran a proper benchmark to compare speed results to be honest.

On Tue, Mar 4, 2008 at 8:53 AM, Sebastian Krahmer [EMAIL PROTECTED] wrote:
> On Tue, Mar 04, 2008 at 12:02:25AM +, Adrian P wrote:
>> * Exploring the UNKNOWN: Scanning the Internet via SNMP! *
>> http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/
>>
>> Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that led to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of _remote SNMP hacking_.
>>
>> * Why SNMP? *
>>
>> 2.5 million random IP addresses were surveyed via SNMP. Why SNMP you might be asking? Well, there are several reasons. First of all SNMP is a UDP-based protocol which allows us to perform scanning at a much shorter time than via TCP-based protocols. Another advantage of
>
> This is not true. I doubt there is any measurable advantage of UDP vs. TCP scans if you do it right. 2.5 million addresses can be done in a very short coffee break.
>
> Sebastian
>
> --
> ~
> ~ perl self.pl
> ~ $_='print\$_=\47$_\47;eval';eval
> ~ [EMAIL PROTECTED] - SuSE Security Team
> ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

--
pagvac | gnucitizen.org