Hacking - The Art of Exploitation, 2nd Edition


268 0x400


PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:01:6C:EB:1D:50 (Foxconn)
Nmap finished: 1 IP address (1 host up) scanned in 1.462 seconds
matrix@euclid:~ $

FIN Scan After the Kernel Modification


matrix@euclid:~ $ sudo nmap -T5 -sF 192.168.42.72
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-17 16:58 PDT
Interesting ports on 192.168.42.72:
Not shown: 1678 closed ports
PORT   STATE SERVICE
MAC Address: 00:01:6C:EB:1D:50 (Foxconn)
Nmap finished: 1 IP address (1 host up) scanned in 1.462 seconds
matrix@euclid:~ $

This works fine for scans that rely on RST packets (FIN, NULL and Xmas scans
infer a closed port from the RST it sends back), but preventing information
leakage with SYN scans and full-connect scans is a bit more difficult. In order
to maintain functionality, open ports have to respond with SYN/ACK packets;
there is no way around that. But if all of the closed ports also responded with
SYN/ACK packets, the amount of useful information an attacker could retrieve
from port scans would be minimized. Simply opening every port would cause a
major performance hit, though, which isn't desirable. Ideally, this should all
be done without using a TCP stack. The following program does exactly that. It
is a modification of the rst_hijack.c program, using a more complex BPF string
to filter only SYN packets destined for closed ports. The callback function
spoofs a legitimate-looking SYN/ACK response to any SYN packet that makes it
through the BPF. This floods port scanners with a sea of false positives, which
hides the legitimate ports. Note that the spoofed SYN/ACK is only convincing
if the real kernel does not also answer the probe with a RST, which is why this
builds on the kernel modification above rather than replacing it.
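The two pieces the paragraph describes, the BPF filter that admits only SYN probes to closed ports and the callback that forges a SYN/ACK, are shown below as an added example; it is not the book's shroud.c and it uses no libpcap or libnet, so it runs stand-alone. Instead of capturing live traffic it parses a constructed IPv4/TCP probe (the addresses, ports and sequence number are made up here) and builds the spoofed reply bytes, including valid IP and TCP checksums, exactly as a raw-socket sender would need them. The function and struct names are this example's own, not the book's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal IPv4 and TCP headers; packed so they can overlay raw packet bytes. */
struct ipv4_hdr {
   uint8_t  vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
   uint16_t csum; uint32_t src, dst;
} __attribute__((packed));
struct tcp_hdr {
   uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags;
   uint16_t win, csum, urp;
} __attribute__((packed));
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Build the pcap filter in the spirit of shroud.c: SYN set, ACK clear, sent to our
   host, minus every port that really listens (assumed helper, not the book's). */
int build_shroud_filter(char *out, size_t outlen, const char *host,
                        const uint16_t *open_ports, int nports) {
   int len = snprintf(out, outlen, "dst host %s and tcp[tcpflags] & tcp-syn != 0"
                      " and tcp[tcpflags] & tcp-ack = 0", host);
   for (int i = 0; i < nports && len >= 0 && (size_t)len < outlen; i++)
      len += snprintf(out + len, outlen - len, " and not dst port %u",
                      (unsigned)open_ports[i]);
   return len;
}

/* Ones'-complement sum of big-endian 16-bit words, folded to 16 bits, not inverted. */
static uint16_t ocsum(const uint8_t *p, size_t len, uint32_t sum) {
   for (; len > 1; len -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
   if (len) sum += (uint32_t)(p[0] << 8);
   while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
   return (uint16_t)sum;
}

/* Pseudo-header (src, dst, zero, proto 6, TCP length) contribution to the TCP checksum. */
static uint32_t pseudo_sum(const uint8_t *iph, uint16_t tcplen) {
   uint8_t ph[12];
   memcpy(ph, iph + 12, 8);                  /* src and dst address bytes */
   ph[8] = 0; ph[9] = 6; ph[10] = tcplen >> 8; ph[11] = tcplen & 0xff;
   return ocsum(ph, 12, 0);
}

/* Forge a SYN/ACK for the probe in pkt (IPv4 + TCP, no link header). Mirrors the
   BPF check in software: only a SYN with ACK clear is answered. Returns the reply
   length written to out, or -1 if the packet is not such a probe. */
int spoof_synack(const uint8_t *pkt, size_t pktlen, uint32_t our_seq,
                 uint8_t *out, size_t outlen) {
   const size_t rlen = sizeof(struct ipv4_hdr) + sizeof(struct tcp_hdr);
   if (pktlen < rlen || outlen < rlen) return -1;
   const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
   size_t ihl = (size_t)(ip->vhl & 0x0f) * 4;
   if ((ip->vhl >> 4) != 4 || ip->proto != 6 || ihl < 20 ||
       pktlen < ihl + sizeof(struct tcp_hdr)) return -1;
   const struct tcp_hdr *tcp = (const struct tcp_hdr *)(pkt + ihl);
   if ((tcp->flags & (TH_SYN | TH_ACK)) != TH_SYN) return -1;

   memset(out, 0, rlen);
   struct ipv4_hdr *rip = (struct ipv4_hdr *)out;
   struct tcp_hdr *rtcp = (struct tcp_hdr *)(out + sizeof *rip);
   rip->vhl = 0x45; rip->len = htons((uint16_t)rlen); rip->id = htons((uint16_t)our_seq);
   rip->frag = htons(0x4000); rip->ttl = 64; rip->proto = 6;
   rip->src = ip->dst; rip->dst = ip->src;   /* answer from the probed address */
   rip->csum = htons((uint16_t)~ocsum(out, sizeof *rip, 0));
   rtcp->sport = tcp->dport; rtcp->dport = tcp->sport;
   rtcp->seq = htonl(our_seq);
   rtcp->ack = htonl(ntohl(tcp->seq) + 1);   /* acknowledge the probe's SYN */
   rtcp->off = 5 << 4; rtcp->flags = TH_SYN | TH_ACK; rtcp->win = htons(1024);
   rtcp->csum = htons((uint16_t)~ocsum((uint8_t *)rtcp, sizeof *rtcp,
                                       pseudo_sum(out, sizeof *rtcp)));
   return (int)rlen;
}

/* 1 when both checksums of a 40-byte reply verify (ones'-complement sum is 0xffff). */
int synack_checksums_ok(const uint8_t *pkt, size_t len) {
   if (len < 40) return 0;
   uint16_t tl = (uint16_t)(ntohs(((const struct ipv4_hdr *)pkt)->len) - 20);
   return ocsum(pkt, 20, 0) == 0xffff && ocsum(pkt + 20, tl, pseudo_sum(pkt, tl)) == 0xffff;
}

/* Constructed sample probe (not from the book): 192.168.42.1:40000 -> 192.168.42.72:dport. */
size_t make_syn_probe(uint8_t *buf, size_t buflen, uint16_t dport, uint8_t flags) {
   if (buflen < 40) return 0;
   memset(buf, 0, 40);
   struct ipv4_hdr *ip = (struct ipv4_hdr *)buf;
   struct tcp_hdr *tcp = (struct tcp_hdr *)(buf + 20);
   ip->vhl = 0x45; ip->len = htons(40); ip->ttl = 64; ip->proto = 6;
   ip->src = htonl(0xC0A82A01); ip->dst = htonl(0xC0A82A48);
   ip->csum = htons((uint16_t)~ocsum(buf, 20, 0));
   tcp->sport = htons(40000); tcp->dport = htons(dport); tcp->seq = htonl(0x11223344);
   tcp->off = 5 << 4; tcp->flags = flags; tcp->win = htons(1024);
   tcp->csum = htons((uint16_t)~ocsum(buf + 20, 20, pseudo_sum(buf, 20)));
   return 40;
}

int main(void) {
   char filter[256]; uint16_t open_ports[2] = {22, 80};
   uint8_t probe[64], reply[64];
   build_shroud_filter(filter, sizeof filter, "192.168.42.72", open_ports, 2);
   printf("filter: %s\n", filter);
   size_t n = make_syn_probe(probe, sizeof probe, 8080, TH_SYN);
   int r = spoof_synack(probe, n, 0xdeadbeef, reply, sizeof reply);
   printf("reply: %d bytes, checksums %s\n", r, synack_checksums_ok(reply, 40) ? "ok" : "bad");
   return 0;
}
```

In a real deployment the reply bytes go out through a raw socket or libnet's raw-IP injector, and our_seq should come from a random source; a constant or predictable ISN makes the decoys easy to tell apart from genuine listeners.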

shroud.c


#include <libnet.h>
#include <pcap.h>
#include "hacking.h"

#define MAX_EXISTING_PORTS 30

/* pcap callback: spoofs a SYN/ACK for each SYN that passed the filter */
void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
/* builds and installs the BPF filter from the target address and the
   list of ports that really exist */
int set_packet_filter(pcap_t *, struct in_addr *, u_short *);

/* handed to the callback through pcap_loop()'s user argument */
struct data_pass {
   int libnet_handle;   /* raw socket from libnet_open_raw_sock() */
   u_char *packet;      /* prebuilt packet buffer for the spoofed reply */
};

int main(int argc, char *argv[]) {
   struct pcap_pkthdr cap_header;
   const u_char *packet, *pkt_data;
   pcap_t *pcap_handle;
   /* listing continues on the next page */
