
Reliable Spoofed Source-IP Port Scanning

10/07/08

10:41:18 pm, Categories: tools, tcp/ip

IP spoofing is one of the techniques attackers use in a variety of attacks: flooding a network, SYN-flooding a server, generating IDS false positives, and so on. The rule when spoofing the source IP address is that replies do not matter to the attacker, since they are sent to the spoofed address and never reach the attacker. An attack that requires interactive communication between the attacker’s machine and the victim therefore cannot be carried out with a spoofed IP address.

Port scanning is the technique of discovering open ports on a remote system. To discover an open TCP port, the attacker sends a TCP SYN packet to a specific port and receives one packet back. If the received packet is a SYN/ACK, the port is open. If it is a RST, the port is closed. If no reply is received, the port is filtered by a firewall or some other filtering engine. The reply packet, whether SYN/ACK or RST, must reach the attacker’s machine so that it can be examined. This requires that the reply be destined to the IP address of the attacker’s machine (or at least an IP address under the attacker’s control), which in turn requires that the scan packet carry the attacker’s real source IP address. So the basic operation of port scanning cannot be done with a spoofed IP address.

Nmap, the infamous port scanner, can send spoofed scan packets. However, this is not meant as a reliable scan: the attacker will not get reliable results from it. Such a spoofed scan can be used to elude an IDS/IPS and generate a huge number of signature alerts. It could also be used to divert the attention of the target organization to a competitor, since the spoofed scan appears to come from the competitor’s address space.

However, the question is: can we have spoofed port scanning that is reliable? The answer is ‘Yes’, but with the following two constraints:
[1] The port scan must be conducted internally within a LAN; for example, the port scan can be part of an internal security audit or penetration test. The technique used to achieve this reliable spoofed port scan cannot be implemented over a WAN.
[2] The spoofed IP addresses used during the port scan must fall within the range of the local subnet. For example, if the attacker’s machine is in a class C subnet (255.255.255.0), he/she can use any of the 253 valid IP addresses within the subnet range; if the subnet is a class B (255.255.0.0), the pool of valid spoofed IP addresses is 65533.

The technique to achieve this reliable spoofed port scan is based on integrating ARP poisoning with port scanning. ARP poisoning refers to the ability of the attacker to insert a fake entry in the ARP cache of the victim machine. This fake entry links an IP address within the same subnet as the victim’s machine to a false MAC address. The entry causes any traffic destined to that IP address to be delivered, at layer 2, to the machine with the MAC address associated with it. An attacker will typically insert fake entries that link different IP addresses to the MAC address of his/her own machine; thus, all local traffic for those addresses is delivered to his/her machine. A typical use of ARP poisoning is layer 2 traffic interception between two machines (either of which could even be a router or gateway).

Reliable spoofed port scanning works by poisoning the ARP cache of the remote machine with a false entry that links the spoofed source IP address used in the scan to the MAC address of the attacker’s machine. For every spoofed source IP used, the attacker needs to inject a fake ARP entry for it. It is also important to note the difference between scanning a system located within the local subnet and one in a different subnet. When scanning a system located locally, the ARP cache of that machine needs to be poisoned; when scanning a system outside the local subnet, the ARP cache of the router/gateway is what needs to be poisoned. This is because ARP functions at layer 2 and is not routed to other networks.

To effectively poison the ARP cache of a remote machine, at most two ARP packets are needed, or one ICMP packet and one ARP packet. In the case of two ARP packets, the first is an ARP request and the second an ARP reply. Both packets carry the following fields: the destination MAC address is the victim’s MAC address, the source MAC address is the attacker’s MAC address, the destination IP address is the victim’s IP address, and the source IP address is the spoofed IP address the attacker wants to inject. For example, let’s assume the following scenario:
a. The victim’s IP address is 10.10.10.10
b. The victim’s MAC address is aa:aa:aa:bb:bb:bb
c. The attacker’s IP address is 10.10.10.3
d. The attacker’s MAC address is bb:bb:bb:cc:cc:cc
e. The attacker wants to intercept traffic going from the victim to 10.10.10.50

The attacker then sends two ARP packets (the first an ARP request, the second an ARP reply) to the victim with the following fields:
a. Source IP is 10.10.10.50
b. Destination IP is 10.10.10.10
c. Source MAC is bb:bb:bb:cc:cc:cc
d. Destination MAC is aa:aa:aa:bb:bb:bb

These two packets inject the following spoofed entry into the ARP cache of the remote machine:
10.10.10.50 is at bb:bb:bb:cc:cc:cc

This causes any packet sent by the victim machine (10.10.10.10) to 10.10.10.50 to be switched at layer 2 to the attacker’s machine.

By integrating the technique of “ARP Poisoning” into “Port Scanning”, we can have reliable spoofed source IP port scanning. What is needed is to poison the remote machine (or the gateway) with a fake entry that links every spoofed source IP used to the attacker’s MAC address. This causes every scan reply to be delivered to the scanning machine. The algorithm for the whole process of spoofed scanning is as follows:
1. Check whether the scan target is within the local subnet or outside it.
2. If it is within the local subnet, the “poisoning target” is the same as the “scan target”. If the “scan target” is outside the local subnet, then the “poisoning target” is the “gateway”.
3. Generate a random spoofed source IP that falls within the local subnet.
4. ARP-poison the “poisoning target” with a fake entry that directs all traffic destined to the spoofed IP to the attacker’s machine.
5. Send the scan packet to the “scan target”.
6. Wait for a reply whose destination MAC address is the attacker’s MAC address.

Generating a different spoofed IP for every scan packet (one packet per port) makes the scan appear to be distributed across multiple (fake) systems. H.K. has generated a live image with the Etherapp tool showing the distribution of the spoofed port scan:

[Image: Spoofed Scan]
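From the defender’s side, the scan described above leaves a distinctive trace: a single MAC address (the scanner’s) announcing itself, via ARP request/reply pairs, as the owner of many different addresses in the subnet within a short time, and, when the target is off-subnet, a foreign MAC claiming the gateway’s IP. The following is an added detection example written for this post; it is not a tool from the post or its author. The one-frame-per-line ARP log format, the sample capture and the `KNOWN_BINDINGS` table are all constructed for the example (the addresses reuse the post’s scenario), and the thresholds are assumptions to tune per network.

```python
"""Detect the ARP-poisoning pattern that a spoofed-source port scan relies on.

Two checks, run over ARP frames seen on the segment (e.g. from a mirror port):
  1. one MAC announcing itself as sender for many distinct IPs in a short window;
  2. a frame that contradicts a known IP<->MAC binding (inventory or DHCP leases).
Added example for this post, not its author's tool. Log format and data are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed capture: "timestamp op sender_ip sender_mac target_ip target_mac".
# Frames 3-8 mirror the post's scenario: bb:bb:bb:cc:cc:cc (the scanner) tells
# 10.10.10.10 that it owns three unrelated subnet addresses; frame 9 has it
# claiming the gateway's IP, which is what off-subnet scanning would require.
SAMPLE_ARP_LOG = """\
0.00 request 10.10.10.10 aa:aa:aa:bb:bb:bb 10.10.10.1 00:00:00:00:00:00
0.01 reply 10.10.10.1 11:11:11:11:11:11 10.10.10.10 aa:aa:aa:bb:bb:bb
5.00 request 10.10.10.50 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
5.01 reply 10.10.10.50 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
5.20 request 10.10.10.77 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
5.21 reply 10.10.10.77 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
5.40 request 10.10.10.91 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
5.41 reply 10.10.10.91 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
9.00 reply 10.10.10.1 bb:bb:bb:cc:cc:cc 10.10.10.10 aa:aa:aa:bb:bb:bb
"""

# Constructed ground truth, e.g. from a DHCP lease table or asset inventory.
KNOWN_BINDINGS = {
    "10.10.10.1": "11:11:11:11:11:11",   # gateway
    "10.10.10.10": "aa:aa:aa:bb:bb:bb",  # the host whose cache is poisoned
    "10.10.10.3": "bb:bb:bb:cc:cc:cc",   # the scanner's own legitimate address
}


def parse_arp_log(text):
    """Parse the constructed log format into a list of frame dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, sip, smac, tip, tmac = line.split()
        events.append({"ts": float(ts), "op": op,
                       "sender_ip": sip, "sender_mac": smac.lower(),
                       "target_ip": tip, "target_mac": tmac.lower()})
    return events


def macs_claiming_many_ips(events, min_ips=3, window=60.0):
    """Return {mac: [ips]} for every MAC that appears as ARP *sender* for at
    least `min_ips` distinct IPs within `window` seconds.  Only the sender
    fields count, because those are what populate the receiver's ARP cache."""
    per_mac = defaultdict(list)
    for e in events:
        per_mac[e["sender_mac"]].append((e["ts"], e["sender_ip"]))
    flagged = {}
    for mac, seen in per_mac.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            in_window = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(in_window) >= min_ips:
                # Report every IP this MAC ever claimed, in numeric order.
                flagged[mac] = sorted({ip for _, ip in seen},
                                      key=ipaddress.ip_address)
                break
    return flagged


def binding_violations(events, known):
    """Return (ts, kind, ip, mac) for frames contradicting the known bindings:
    a known IP announced by another MAC, or a known MAC announcing another IP."""
    ip_to_mac = {ip: mac.lower() for ip, mac in known.items()}
    mac_to_ip = {mac: ip for ip, mac in ip_to_mac.items()}
    alerts = []
    for e in events:
        ip, mac = e["sender_ip"], e["sender_mac"]
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append((e["ts"], "known_ip_from_other_mac", ip, mac))
        if mac in mac_to_ip and mac_to_ip[mac] != ip:
            alerts.append((e["ts"], "known_mac_claims_other_ip", ip, mac))
    return alerts


if __name__ == "__main__":
    frames = parse_arp_log(SAMPLE_ARP_LOG)
    for mac, ips in macs_claiming_many_ips(frames).items():
        print(f"ALERT {mac} claimed {len(ips)} IPs: {', '.join(ips)}")
    for ts, kind, ip, mac in binding_violations(frames, KNOWN_BINDINGS):
        print(f"ALERT t={ts:.2f} {kind}: {ip} from {mac}")
```

The two checks are complementary: the per-MAC count needs no prior knowledge but only fires once enough spoofed addresses have been used, while the binding check fires on the first frame but only for addresses in the inventory (the gateway impersonation in frame 9 is caught by both). Legitimate hosts that own several IPs (VRRP/HSRP routers, virtualization hosts, DHCP churn) will raise the first check, so `min_ips` and `window` must be set per segment; and because the post’s poisoning replies are unicast to the victim, the monitor has to sit on a mirror port or on the target itself, not just listen for broadcasts.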


This is the Blog of Securebits Think-Tank. It is maintained by AR
