Network Penetration
networkpenetration.com
Copyright (c) 2003 Ste Jones
root@networkpenetration.com
Distributed port scanning using OpenBSD's packet filter (Another good reason to use OpenBSD)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
By using OpenBSD's packet filter pf, one can use the NAT address pools added in OpenBSD 3.3 to aid in distributed port scanning.
How it works
::::::::::::
http://www.openbsd.org/faq/pf/pools.html#nat - NAT Address Pool
As that page explains, NAT can be used in a large network to split outgoing connections over multiple source IP addresses. Under normal circumstances NAT is
used to hide an internal network behind a single external public IP address. By using multiple external IP addresses instead, a host on the internal network
can port scan with multiple source IPs.
Technical Breakdown
::::::::::::::::::-
1. Port scan from the internal network: send a SYN packet to a target to initiate a connection. The packet's source IP address is an internal one, for example 192.168.0.1.
2. Packet passes through the NAT gateway: the packet's source IP address is changed to an external IP assigned to the NAT gateway. Each new connection passing
through the gateway has its source IP address translated to one of the (one or many) IP addresses assigned to the NAT gateway, for example 1.1.1.*.
3. The packet reaches the target host and the reply is returned to the NAT gateway. The returned packet has as its destination IP address the external address on the NAT
gateway that the connection was translated to, so in this example 1.1.1.1.
4. The NAT gateway translates this packet's destination IP address back to 192.168.0.1, using its state table, and the packet is forwarded to the internal host that sent the SYN.
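The four steps above, as an added example that is not part of the original document: a toy model of a NAT gateway with an address pool and a state table, written for this page rather than taken from pf. 192.168.0.1 and the 1.1.1.x pool are the document's own example values; the target address 203.0.113.9, the port numbers and the shape of the state table are constructed here and simplify what pf actually does.

```python
# Added example, not part of the original document: a toy model of a NAT
# gateway with an address pool, showing the four steps above.
# 192.168.0.1 and the 1.1.1.x pool are the page's own example values; the
# target 203.0.113.9, the port numbers and the state-table layout are
# constructed here and simplify what pf's state table really does.
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class NatPoolGateway:
    """Translate outbound flows onto a pool of external addresses.

    A new external address (and port) is taken from the pool for each new
    connection, round-robin, and recorded in a state table so the reply can be
    mapped back to the internal host.
    """

    def __init__(self, pool, first_port=50000):
        self._pool = cycle(pool)
        self._next_port = first_port
        # internal 4-tuple -> (ext_ip, ext_port)
        self._out = {}
        # (ext_ip, ext_port, remote_ip, remote_port) -> (int_ip, int_port)
        self._in = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: rewrite the source of a packet leaving the internal network."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            ext = (next(self._pool), self._next_port)
            self._next_port += 1
            self._out[key] = ext
            self._in[(ext[0], ext[1], pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        ext_ip, ext_port = self._out[key]
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 4: map a reply back to the internal host, or drop it if no state exists."""
        state = self._in.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if state is None:
            return None  # no matching state: stateful filtering drops the packet
        int_ip, int_port = state
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def scan_sources(gateway, internal_ip, target_ip, ports):
    """Send one SYN per port (step 1) and return the external source IP each one left with."""
    seen = []
    for i, dport in enumerate(ports):
        syn = Packet(internal_ip, 40000 + i, target_ip, dport, "S")
        seen.append(gateway.outbound(syn).src_ip)
    return seen


if __name__ == "__main__":
    gw = NatPoolGateway(["1.1.1.1", "1.1.1.2", "1.1.1.3"])
    print(scan_sources(gw, "192.168.0.1", "203.0.113.9", [22, 80, 443, 8080]))
    # step 3: the target answers the second SYN, which left as 1.1.1.2:50001
    reply = Packet("203.0.113.9", 80, "1.1.1.2", 50001, "SA")
    print(gw.inbound(reply))
```

Round-robin is what a pf address list like `{ a, b, c }` gives you by default, so consecutive connections from the same internal host leave with different external addresses, which is exactly why anything that expects several connections to share one client address (the "web page connection tracking" problem mentioned in the setup section) breaks behind such a pool. A reply that matches no state entry is dropped, which is the same stateful behaviour that makes step 4 work.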
OpenBSD 3.3 Pf setup
::::::::::::::::::::
Replace your existing NAT rule with the one below. This enables PF to do NAT translation over multiple source IP addresses. It has its problems with things
such as web page connection tracking, since consecutive connections leave with different source addresses. Check the OpenBSD FAQ for more info.
nat on $ext_if inet from any to any -> { x.x.x.a, x.x.x.b, x.x.x.c }
You will probably have to tweak some of your other rules to get it working correctly.
You will also need to edit your /etc/hostname.interface file so the extra pool addresses are configured on the external interface:
inet x.x.x.a 255.255.255.0 NONE
inet alias x.x.x.b 255.255.255.0 NONE
inet alias x.x.x.c 255.255.255.0 NONE
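What the setup above looks like from the scanned host's side, as an added example that is not part of the original document: because every connection is rewritten to one address out of a single pool, the "distributed" sources all fall inside the same small prefix, and a log that is grouped by prefix rather than by individual source puts the pieces back together. The SYN log below is constructed (timestamp, source IP, destination IP, destination port per SYN); its format is mine, not pf's or tcpdump's, and the thresholds are illustrative.

```python
# Added example, not part of the original document: spotting a port scan whose
# sources are spread over one NAT address pool by grouping SYNs per source
# prefix. The log lines are constructed in an ad-hoc format (not pf's or
# tcpdump's); 1.1.1.x is the page's pool, the other addresses are made up.
import ipaddress
from collections import defaultdict

CONSTRUCTED_SYN_LOG = """\
12:00:01 1.1.1.1 203.0.113.9 22
12:00:01 1.1.1.2 203.0.113.9 80
12:00:01 1.1.1.3 203.0.113.9 443
12:00:02 1.1.1.1 203.0.113.9 8080
12:00:02 1.1.1.2 203.0.113.9 25
12:00:02 1.1.1.3 203.0.113.9 3306
12:00:03 not-an-ip 203.0.113.9 80
12:00:05 198.51.100.7 203.0.113.9 80
12:00:05 198.51.100.7 203.0.113.9 80
"""


def parse_syn_log(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, int(port)
        except ValueError:
            continue  # malformed address or port: ignore the line


def find_pooled_scans(text, prefixlen=24, min_sources=2, min_ports=4):
    """Group SYNs by (source prefix, target) and flag groups where several
    distinct sources inside one prefix together probe many distinct ports on
    the same target. Each source on its own looks quiet (here: two ports
    apiece); aggregated per prefix they are one scan."""
    groups = defaultdict(lambda: (set(), set()))
    for src, dst, port in parse_syn_log(text):
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        sources, ports = groups[(str(net), dst)]
        sources.add(src)
        ports.add(port)
    return {
        key: (sorted(sources, key=ipaddress.ip_address), sorted(ports))
        for key, (sources, ports) in groups.items()
        if len(sources) >= min_sources and len(ports) >= min_ports
    }


if __name__ == "__main__":
    for (prefix, target), (sources, ports) in find_pooled_scans(CONSTRUCTED_SYN_LOG).items():
        print(f"{prefix} -> {target}: {len(sources)} sources, ports {ports}")
```

The repeated connections from 198.51.100.7 are not flagged: one source hitting one port is ordinary traffic. The /24 is a guess at the pool's size; a pool of aliases on one interface, as configured above, shares a subnet, which is what the grouping relies on.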
This is all performed by PF's stateful connection tracking... thanks guys
Note: I presume this would also work on a single machine running pf :)
Thanks to HacK of LuB for letting me abuse his firewall
Original Document can be found at http://www.networkpenetration.com/pfdistnatscan.html