On Tue, 07 Sep 2010 09:03:12 EDT, Jamie Bowden said:
Now, on to the topic at hand. Why would you scan the address space in the first place? Wouldn't it be easier to compromise a known host and look at the ARP table? Or better yet, the router on the edge? If it's moving packets, something on the network has mapped the MAC address to its IP at some point.
Remember that although there are some truly scary black hats out there, the vast majority of them are even less technically savvy than your average trainee banana eater, and will do things so mind-bogglingly stupid that you have to roll a saving throw at -5 to disbelieve ;)

True incident I worked on sometime last century: I get called about this AIX box, it's been hosed for "a while", and they can't log in to run the one application they ran literally once a year that they kept this box around for. Preliminary indications are /etc/passwd is scrozzled. So I boot off an install CD and start looking. Takes about 10 seconds to figure out the box was hacked.

I'm amazed - the machine wasn't fully hardened, and was *way* behind on patches. On the other hand, it *was* at least tcp-wrappered, and the attacker managed to fingerprint it as an AIX box without setting any of the wrappers off. The guy whacked it with either a telnetd or ftpd exploit, and by looking at process accounting, I was able to verify it worked on the *first* try. I'm suitably impressed at this point - even 15 years ago, AIX wasn't common enough that most black hats kept exploits in their back pockets (much less knew enough to use them on the first try).

Guy whacks the box on the very first try, and then it gets interesting. Guy says 'cat > /etc/paswd^[[D^[[Dswd' because he doesn't realize his exploit rootshell doesn't have line editing. Guy tries to get in on a second session, realizes his attempt to set a root backdoor didn't work, so he does this for his second try:

cat > /etc/passwd
foo::1:0::/:
^D

Yep. 1. Not zero. And > not >>. So then when he tries to come in via telnet again, inetd won't do it because inetd.conf says 'root' and there's no 'root' in /etc/passwd anymore.

Actual forensics work: about 15 mins. Convincing myself it was a damned lucky ankle-biter and not an uberhacker leaving a false trail: most of an 8-hour day.
Or as I said on another list - "Sometimes the data makes a lot more sense if you ask yourself 'What if the Three Stooges were hackers?'". And there's no indication that the bell curve of black hat clue levels has shifted any since last century.
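An added example, not part of either message: a small Python check for the kind of /etc/passwd damage the reply describes (an empty password field, a missing root entry, a stray uid-0 account), the sort of thing an incident responder runs over a passwd file pulled off a box booted from install media. The passwd contents below are constructed to mirror the story; the AIX-style `!` in the password field is an assumption about how the original file looked.

```python
"""Audit an /etc/passwd image for the breakage described in the incident above."""

PASSWD_FIELDS = 7  # name:password:uid:gid:gecos:home:shell


def audit_passwd(text):
    """Return a list of (severity, message) findings for a passwd file body."""
    findings = []
    names = set()
    uid0_names = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            findings.append(("error", f"line {lineno}: expected {PASSWD_FIELDS} fields, got {len(fields)}"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not uid.isdigit() or not gid.isdigit():
            findings.append(("error", f"line {lineno}: non-numeric uid/gid for {name!r}"))
            continue
        names.add(name)
        if uid == "0":
            uid0_names.append(name)
        # An empty second field means "no password required", whatever the platform.
        if pw == "":
            findings.append(("critical", f"line {lineno}: empty password field for {name!r}"))
    # Services that inetd.conf runs as 'root' cannot start if the account is gone.
    if "root" not in names:
        findings.append(("critical", "no 'root' entry in passwd file"))
    for name in uid0_names:
        if name != "root":
            findings.append(("critical", f"{name!r} has uid 0 (root-equivalent)"))
    return findings


# Constructed sample: a healthy AIX-style file ('!' means the hash lives in /etc/security/passwd).
GOOD_PASSWD = "root:!:0:0::/:/usr/bin/ksh\ndaemon:!:1:1::/etc:\nbin:!:2:2::/bin:\n"
# Constructed sample: what 'cat > /etc/passwd' (not '>>') left behind in the story.
CLOBBERED_PASSWD = "foo::1:0::/:\n"
# Constructed sample: the backdoor as presumably intended (appended, uid 0).
INTENDED_BACKDOOR = GOOD_PASSWD + "foo::0:0::/:\n"

if __name__ == "__main__":
    for label, body in [("good", GOOD_PASSWD), ("clobbered", CLOBBERED_PASSWD), ("backdoor", INTENDED_BACKDOOR)]:
        print(label, audit_passwd(body))
```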