Is anyone else having trouble scanning through "LaBrea tarpitted" networks? Would there be any value in adding a check that looks for tarpits (perhaps as a modification of ping_host.nasl or some other preliminary NASL check)? The code below has been working moderately well.
John Lampe
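# LaBrea tarpit probe (John Lampe's snippet).
#
# Two signatures are checked: (1) the SYN-ACK advertises a window of 10, and
# (2) once the handshake is complete and one byte of data is sent, the peer
# acknowledges it with a window of 0 ("persist" mode), which is what makes a
# tarpitted connection hang.  On either hit the host is flagged Host/dead,
# the knowledge-base key the scanner uses to skip unreachable hosts, so the
# remaining plugins do not get stuck in the tarpit.
#
# Assumptions to confirm on the installed NASL:
#   * forge_ip_packet() without ip_dst addresses the current target, which is
#     why dst is never passed explicitly.
#   * forge_tcp_packet() recomputes ip_len when data: is attached; if it does
#     not, the data probe below needs ip_len:21.
#   * display() only writes to the scanner's console; a real plugin would
#     report through the knowledge base or security_note() instead.

src = this_host();
dst = get_host_ip();
sport = 3133;          # arbitrary local port
dport = 16504;         # arbitrary target port, also used in the pcap filter
init_seq = 2357;
init_ip_id = 1234;
filter = string("src port ", dport);

# --- 1. our initial SYN ---------------------------------------------------
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_SYN, th_seq:init_seq, th_ack:0,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
rep = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

# No answer inside the timeout: filtered or dead, nothing to classify.
if (!rep) exit(0);

flags   = get_tcp_element(tcp:rep, element:"th_flags");
winsize = get_tcp_element(tcp:rep, element:"th_win");

# Signature 1: LaBrea's SYN-ACK carries a window of exactly 10.
if (winsize == 10) {
  display("Labrea found\n");
  set_kb_item(name:"Host/dead", value:TRUE);
}

# Only a genuine SYN-ACK is worth completing.  The original tested
# "seq && ack", which never looks at the flags and also skips a legitimate
# SYN-ACK whose ISN happens to be 0; a RST/ACK from a closed port must end
# the check here.
if (!(flags & TH_SYN) || !(flags & TH_ACK)) exit(0);

seq = get_tcp_element(tcp:rep, element:"th_seq");
myack = seq + 1;              # acknowledge their SYN
init_seq = init_seq + 1;      # our SYN consumed one sequence number

# --- 2. our ACK completes the handshake ----------------------------------
init_ip_id = init_ip_id + 1;
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_ACK, th_seq:init_seq, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
# A bare ACK normally draws no reply; rep2 is captured but never examined, so
# the 2 s wait here could be dropped (pcap_active:FALSE) if scan time matters.
rep2 = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

# --- 3. one byte of data: a tarpit in persist mode ACKs it with window 0 --
init_ip_id = init_ip_id + 1;  # fresh IP id (the original reused the ACK's)
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_ACK, th_seq:init_seq, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0, data:"H");
rep3 = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

if (rep3) {
  ack     = get_tcp_element(tcp:rep3, element:"th_ack");
  winsize = get_tcp_element(tcp:rep3, element:"th_win");
  # Signature 2: our data is acknowledged but the window is zero.
  if ((winsize == 0) && ack) {
    display("Labrea found\n");
    set_kb_item(name:"Host/dead", value:TRUE);
  }
}

# --- 4. tear the connection down ----------------------------------------
# A real listener on dport would otherwise be left with an established
# connection it keeps retransmitting into; a tarpit simply ignores the RST.
# th_seq is init_seq + 1 because the "H" byte consumed one sequence number.
init_ip_id = init_ip_id + 1;
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_RST|TH_ACK, th_seq:init_seq + 1, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
send_packet(pcap_active:FALSE, tcp);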
John Lampe
https://f00dikator.hn.org/
John Lampe
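# LaBrea tarpit probe (John Lampe's snippet).
#
# Two signatures are checked: (1) the SYN-ACK advertises a window of 10, and
# (2) once the handshake is complete and one byte of data is sent, the peer
# acknowledges it with a window of 0 ("persist" mode), which is what makes a
# tarpitted connection hang.  On either hit the host is flagged Host/dead,
# the knowledge-base key the scanner uses to skip unreachable hosts, so the
# remaining plugins do not get stuck in the tarpit.
#
# Assumptions to confirm on the installed NASL:
#   * forge_ip_packet() without ip_dst addresses the current target, which is
#     why dst is never passed explicitly.
#   * forge_tcp_packet() recomputes ip_len when data: is attached; if it does
#     not, the data probe below needs ip_len:21.
#   * display() only writes to the scanner's console; a real plugin would
#     report through the knowledge base or security_note() instead.

src = this_host();
dst = get_host_ip();
sport = 3133;          # arbitrary local port
dport = 16504;         # arbitrary target port, also used in the pcap filter
init_seq = 2357;
init_ip_id = 1234;
filter = string("src port ", dport);

# --- 1. our initial SYN ---------------------------------------------------
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_SYN, th_seq:init_seq, th_ack:0,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
rep = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

# No answer inside the timeout: filtered or dead, nothing to classify.
if (!rep) exit(0);

flags   = get_tcp_element(tcp:rep, element:"th_flags");
winsize = get_tcp_element(tcp:rep, element:"th_win");

# Signature 1: LaBrea's SYN-ACK carries a window of exactly 10.
if (winsize == 10) {
  display("Labrea found\n");
  set_kb_item(name:"Host/dead", value:TRUE);
}

# Only a genuine SYN-ACK is worth completing.  The original tested
# "seq && ack", which never looks at the flags and also skips a legitimate
# SYN-ACK whose ISN happens to be 0; a RST/ACK from a closed port must end
# the check here.
if (!(flags & TH_SYN) || !(flags & TH_ACK)) exit(0);

seq = get_tcp_element(tcp:rep, element:"th_seq");
myack = seq + 1;              # acknowledge their SYN
init_seq = init_seq + 1;      # our SYN consumed one sequence number

# --- 2. our ACK completes the handshake ----------------------------------
init_ip_id = init_ip_id + 1;
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_ACK, th_seq:init_seq, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
# A bare ACK normally draws no reply; rep2 is captured but never examined, so
# the 2 s wait here could be dropped (pcap_active:FALSE) if scan time matters.
rep2 = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

# --- 3. one byte of data: a tarpit in persist mode ACKs it with window 0 --
init_ip_id = init_ip_id + 1;  # fresh IP id (the original reused the ACK's)
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_ACK, th_seq:init_seq, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0, data:"H");
rep3 = send_packet(pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2, tcp);

if (rep3) {
  ack     = get_tcp_element(tcp:rep3, element:"th_ack");
  winsize = get_tcp_element(tcp:rep3, element:"th_win");
  # Signature 2: our data is acknowledged but the window is zero.
  if ((winsize == 0) && ack) {
    display("Labrea found\n");
    set_kb_item(name:"Host/dead", value:TRUE);
  }
}

# --- 4. tear the connection down ----------------------------------------
# A real listener on dport would otherwise be left with an established
# connection it keeps retransmitting into; a tarpit simply ignores the RST.
# th_seq is init_seq + 1 because the "H" byte consumed one sequence number.
init_ip_id = init_ip_id + 1;
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                     ip_p:IPPROTO_TCP, ip_id:init_ip_id, ip_ttl:0x40,
                     ip_src:src);
tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                       th_flags:TH_RST|TH_ACK, th_seq:init_seq + 1, th_ack:myack,
                       th_x2:0, th_off:5, th_win:2048, th_urp:0);
send_packet(pcap_active:FALSE, tcp);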
John Lampe
https://f00dikator.hn.org/