Port Scanning Without Sending Packets

Presented at DEF CON 19 (2011), Aug. 7, 2011, 11 a.m. (50 minutes)

With auto-configuration protocols now being added to operating systems and implemented by default in your network devices, hosts are now actively advertising their available attack surfaces to anyone listening on the network. By collecting background traffic on the network, and analyzing it, we can perform a host discovery, a port scan, and a host profile which even includes configuration information; all without sending any packets. This means that threats both inside and outside your network can assess and target your network hosts silently without leaving a trail. In this session, we'll start out by covering what makes this all possible, then examine typical network traffic to see what is made available to us, end up using several brand new tools that I have developed to utilize this information in an actual attack against a vulnerable network host, and finally finish our time discussing what you can as a network defender do about it.


  • Gregory Pickett - Penetration Tester, Hellfire Security
    Gregory Pickett CISSP, GCIA, GPEN, also known as rogu3ag3nt, is the lead Intrusion Analyst on the Abbott Laboratories Network Security team by day and a penetration tester for Hellfire Security by night. As a penetration tester, his primary areas of focus and occasional research are network and host penetration testing with an interest in using background network traffic to target and exploit network hosts using their own traffic against them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.


Similar Presentations: