smurf.BIP-hunting-nmap.txt

1999-08-17T00:00:00
ID PACKETSTORM:12375
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Thu, 31 Dec 1998 15:22:14 -0500  
From: Fyodor <fyodor@DHP.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: netscan.org - broadcast ICMP list  
  
> http://netscan.org has the first (relatively) complete database of ICMP  
> directed broadcast networks ("smurf amplifiers"). All allocated IP  
> addresses ending in .0 or .255 have been pinged and measured  
  
On their page they say they are not going to release the scanner they use  
to test networks for the problem -- people should use their web query form  
instead. This is unfortunate because the query form (like their database)  
seems to only check .0 and .255 addresses. Also it only seems to do class  
'C' addresses, meaning that you have to type in 256 addresses, one at a  
time, to do a class 'B'.  
  
To save people this effort, I thought I'd mention that for the last 9  
months nmap has had the capability to locate smurf addresses on your  
network. It allows you to specify which addresses to ping and it does the  
scan in parallel using the ICMP ping ID and sequence number to demultiplex  
the responses.  
  
As a quick example, let's say you run the class 'B' 209.12 (I picked this  
as a "random" occupied net -- use your own numbers). You want to include  
6-bit subnets, so you want to check addresses ending in  
0,63,64,127,128,191,192, or 255.  
  
The command you would use is:  
  
nmap -n -sP -PI -o smurf.log '209.12.*.0,63,64,127,128,191,192,255'  
  
From my machine it took 3 minutes to find 392 smurf addresses. Notice  
that 209.12.147.127, 209.12.17.63, 209.12.228.191 all have at least 20X  
amplification, and these addresses would not be discovered by checking only  
.0 and .255 addresses.  
  
Some admins have told me they run nmap every day or week from cron to warn  
them of new machines popping up on their network, new ports opening up,  
new smurf addresses, boxes that change their operating systems, etc.  
  
Nmap can be obtained from http://www.insecure.org/nmap/ .  
  
Cheers,  
Fyodor  
  
  
--  
Fyodor 'finger pgp@www.insecure.org | pgp -fka'  
"Girls are different from hacking. You can't just brute force them if all  
else fails." --SKiMo, quoted in _Underground_ (good book)  
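As an added example (not part of Fyodor's post or of nmap itself), the address enumeration the post does by hand for 6-bit subnets, generalised to any host-bit width within a /24, plus the nmap-style target string and a simple ranking of which probed addresses answered more than once. The reply counts fed to `amplifiers` are constructed for illustration, since the post quotes no nmap output; use it against your own address space to audit for directed-broadcast forwarding.

```python
"""Enumerate candidate directed-broadcast addresses for an audit of one's
own network, generalising the 6-bit-subnet list in the post."""
import ipaddress


def broadcast_candidates(host_bits):
    """Last-octet values that are the network or broadcast address of every
    subnet with `host_bits` host bits inside a /24.
    6 host bits -> [0, 63, 64, 127, 128, 191, 192, 255], as in the post."""
    if not 1 <= host_bits <= 8:
        raise ValueError("host_bits must be between 1 and 8")
    size = 1 << host_bits
    values = []
    for base in range(0, 256, size):
        values.extend((base, base + size - 1))
    return values


def nmap_target_spec(network, host_bits):
    """Build a target string in the post's style, e.g.
    '209.12.*.0,63,64,127,128,191,192,255' for 209.12.0.0/16.
    Only octet-aligned prefixes (/8, /16, /24) are handled."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen % 8 or net.prefixlen > 24:
        raise ValueError("prefix must be /8, /16 or /24")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    wildcards = ["*"] * (3 - len(fixed))
    last = ",".join(str(v) for v in broadcast_candidates(host_bits))
    return ".".join(fixed + wildcards + [last])


def candidate_addresses(network, host_bits):
    """Expand the same target set to individual addresses by walking every
    subnet of the given size; 209.12.0.0/16 with 6 host bits gives 2048."""
    net = ipaddress.ip_network(network, strict=True)
    addrs = []
    for sub in net.subnets(new_prefix=32 - host_bits):
        addrs.append(str(sub.network_address))
        addrs.append(str(sub.broadcast_address))
    return addrs


def amplifiers(replies_per_probe, minimum=2):
    """Given {address: echo replies received for one probe} (constructed
    input, not nmap output), return the addresses that answered more than
    once, i.e. where the probe was forwarded as a broadcast; a .255 that
    answers exactly once is just an ordinary host. Largest count first."""
    hits = {a: n for a, n in replies_per_probe.items() if n >= minimum}
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)
```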
  