Kitz ADSL Broadband Information

Author Topic: Public IP addresses and port scans  (Read 10856 times)

XGS_Is_On

Public IP addresses and port scans
« on: January 20, 2023, 11:50:18 AM »

Hi All,

Following on from another conversation on port scanning I remember placing a link that goes to my home IP on a web page and immediately watching the port scanning skyrocket.

I've also thought about all those VPN ads admonishing people to protect themselves against hackers.

These are of course nonsense. A public IP gives at most a general geographical area unless the registry's records have more information, and we all get scanned constantly.

So let's prove the point and if any of you guys have nmap and just really feel like giving it exercise: home.carltspeak.me - have at it. Port scan protection deactivated and I don't log incoming rejections as there's no point. I'm also going to speculate I'm fairly safe against denial of service.

The takehome from this is when people get all freaked out about the idea of someone getting their public IP: really not. With the added bonus that of course I can't be sure I've all bases covered and there's not a flaw somewhere in my edge: it's configured for performance not security.

With that I'm back off to Visio purgatory.

YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

XGS_Is_On

Re: Public IP addresses and port scans
« Reply #2 on: January 20, 2023, 12:23:31 PM »

Depends how much you value your freedom and, presumably, lack of a criminal record ;D

meritez

Re: Public IP addresses and port scans
« Reply #3 on: January 20, 2023, 12:37:08 PM »

So, free vps, install Tor, run attacks from a Tor exit node, done?

XGS_Is_On

Re: Public IP addresses and port scans
« Reply #4 on: January 20, 2023, 02:16:22 PM »

Good luck finding a TOR exit node with the bandwidth!

It was suggested to me I run an exit node however I'd be responsible for the data flowing through it and, well, hard no.

burakkucat

Re: Public IP addresses and port scans
« Reply #5 on: January 20, 2023, 05:42:08 PM »

Quote from: XGS_Is_On
So let's prove the point and if any of you guys have nmap and just really feel like giving it exercise: home.carltspeak.me - have at it. Port scan protection deactivated . . .

Currently "at it".  ;)

Code:
root     14678 14673  0 17:32 pts/2    00:00:00 nmap -sV -sU -sS -O home.carltspeak.me
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

Re: Public IP addresses and port scans
« Reply #6 on: January 20, 2023, 07:48:17 PM »

"It" proved to be remarkably uninteresting . . .

Code:
[bcat ~]$ sudo nmap -sV -sU -sS -O home.carltspeak.me
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-20 17:32 GMT

Nmap scan report for home.carltspeak.me (45.92.47.45)
Host is up (0.026s latency).
All 2000 scanned ports on home.carltspeak.me (45.92.47.45) are filtered (1000) or open|filtered (1000)
Too many fingerprints match this host to give specific OS details

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5025.18 seconds
[bcat ~]$

XGS_Is_On

Re: Public IP addresses and port scans
« Reply #7 on: January 21, 2023, 12:01:37 PM »

Thanks for participating in my research.

Received exactly the results it should have.

burakkucat

Re: Public IP addresses and port scans
« Reply #8 on: January 21, 2023, 05:14:28 PM »

I just used the basic-numpty options of nmap (-sV -sU -sS -O) rather than going full super-numpty (-sV -sU -sS -O -p0-).  :D

burakkucat

Re: Public IP addresses and port scans
« Reply #9 on: January 24, 2023, 06:18:10 PM »

As I have a dynamic IP address from my service provider it is of no consequence for me to show my address from a prior day. So, just for fun, I decided to perform the same scan on myself (from one of a number of US located servers, to which I have access).

Code:
[bcat ~]# nmap -sV -sU -sS -O 2.99.167.58
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-21 14:33 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.61 seconds
[bcat ~]#

[bcat ~]# nmap -sV -sU -sS -Pn -O 2.99.167.58
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-21 14:34 UTC
Nmap scan report for host-2-99-167-58.as13285.net (2.99.167.58)
Host is up.
All 2000 scanned ports on host-2-99-167-58.as13285.net (2.99.167.58) are filtered (1000) or open|filtered (1000)
Too many fingerprints match this host to give specific OS details

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5444.22 seconds
[bcat ~]#

Once again the result proved to be remarkably uninteresting.

Alex Atkin UK

Re: Public IP addresses and port scans
« Reply #10 on: January 24, 2023, 09:11:31 PM »

Code:
Host is up (0.012s latency).
Not shown: 999 open|filtered ports, 996 filtered ports
PORT      STATE  SERVICE        VERSION
443/tcp   open   ssl/ssl        Apache httpd (SSL-only mode)
465/tcp   closed smtps
5000/tcp  open   xmpp-transport Spectrum XMPP file transfer
5222/tcp  open   xmpp-client?
33459/udp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Aggressive OS guesses: Linux 3.2 - 3.8 (90%), Linux 2.6.32 (90%), Linux 4.4 (90%), Linux 3.5 (89%), Linux 4.2 (89%), Synology DiskStation Manager 5.1 (89%), WatchGuard Fireware 11.8 (89%), Linux 4.0 (89%), Linux 2.6.32 - 3.0 (89%), Linux 2.6.32 or 3.10 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

Nothing unexpected at least.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors
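
Added example (not part of any poster's message): a small Python audit of nmap's normal text output, in the layouts quoted in this thread, for checking your own edge. States "open", "closed" and "unfiltered" mean something answered the probe, while "filtered" and "open|filtered" mean nothing came back. The function names are illustrative, and the second sample uses a constructed host name and address.

```python
import re

# Port table copied from the scan output quoted in the thread above.
TABLE_SCAN = """\
Host is up (0.012s latency).
Not shown: 999 open|filtered ports, 996 filtered ports
PORT      STATE  SERVICE        VERSION
443/tcp   open   ssl/ssl        Apache httpd (SSL-only mode)
465/tcp   closed smtps
5000/tcp  open   xmpp-transport Spectrum XMPP file transfer
5222/tcp  open   xmpp-client?
33459/udp closed unknown
"""
# Summary line as printed for the all-filtered scans (constructed host/address).
QUIET_SCAN = ("All 2000 scanned ports on host.example (192.0.2.1) are "
              "filtered (1000) or open|filtered (1000)\n")

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)")
# States nmap can only report after receiving a reply to its probe.
ANSWERED = {"open", "closed", "unfiltered"}

def answered_ports(text):
    """Return [(port, proto, state)] for ports that sent any reply."""
    hits = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) in ANSWERED:
            hits.append((int(m.group(1)), m.group(2), m.group(3)))
    return hits

def summary_counts(text):
    """Count ports per state from the 'Not shown:' / 'All N scanned' lines."""
    counts = {}
    for line in text.splitlines():
        pairs = []
        if line.startswith("Not shown:"):
            pairs = [(s, n) for n, s in re.findall(r"(\d+) ([a-z|]+) ports", line)]
        elif line.startswith("All "):
            pairs = re.findall(r"([a-z|]+) \((\d+)\)", line)
        for state, n in pairs:
            counts[state] = counts.get(state, 0) + int(n)
    return counts

def silently_dropped(text):
    """True when no port answered: consistent with a drop-everything edge."""
    return not answered_ports(text)

if __name__ == "__main__":
    print(silently_dropped(TABLE_SCAN), silently_dropped(QUIET_SCAN))
```

A True result is only consistent with silent dropping: nmap also reports "filtered" when a firewall rejects with an ICMP administratively-prohibited message, so confirm against the ruleset itself.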

XGS_Is_On

Re: Public IP addresses and port scans
« Reply #11 on: January 24, 2023, 10:36:16 PM »

Entirely unexpected. Everything should be silently dropped. I'm unsure why you saw responses but suspect it was due to the software being a tad generous with how it treats untracked flows. This has been removed from the ruleset and a new rule explicitly dropping new flows added.
« Last Edit: January 24, 2023, 10:42:43 PM by XGS_Is_On »

burakkucat

Re: Public IP addresses and port scans
« Reply #12 on: January 24, 2023, 10:52:56 PM »

At this point I have to say that I am not sure what address Alex has tested . . .
  1. XGS_Is_On's static address.
  2. The address that was associated with me back on the 21st of this month but is no longer associated with me.
  3. His own address.
I presume it is the result of a scan of his own address. (I.e. number 3.)

Alex Atkin UK

Re: Public IP addresses and port scans
« Reply #13 on: January 24, 2023, 10:55:26 PM »

Quote from: burakkucat
At this point I have to say that I am not sure what address Alex has tested . . .
  1. XGS_Is_On's static address.
  2. The address that was associated with me back on the 21st of this month but is no longer associated with me.
  3. His own address.
I presume it is the result of a scan of his own address. (I.e. number 3.)

Yes sorry I wasn't clear, I was following up on your post not XGS.

XGS_Is_On

Re: Public IP addresses and port scans
« Reply #14 on: January 25, 2023, 08:28:12 AM »

Okay good. The one thing I have here running RHEL wasn't even powered on when you did that scan so that confused.