[11924] in bugtraq
Re: ACK/th_win portscanning
daemon@ATHENA.MIT.EDU (Johannes Erdfelt)
Thu Sep 16 03:57:03 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990915200231.C27904@sventech.com>
Date: Wed, 15 Sep 1999 20:02:32 -0400
Reply-To: Johannes Erdfelt <jerdfelt@SVENTECH.COM>
From: Johannes Erdfelt <jerdfelt@SVENTECH.COM>
X-To: Lamont Granquist <lamontg@RAVEN.GENOME.WASHINGTON.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.10.9909151053200.1867-200000@raven.genome.washington.edu>; from Lamont Granquist on Wed, Sep 15, 1999 at 11:18:56AM -0700
On Wed, Sep 15, 1999, Lamont Granquist <lamontg@RAVEN.GENOME.WASHINGTON.EDU> wrote:
>
> I just posted a patch to nmap to the nmap-hackers list which implements
> yet another "stealth" scan. This one sends out packets with only the ACK
> bit set and looks for responses that either have th_win set to some value
> (0x1000, 0x2000, 0x4000 typically) or th_win is clear. Fyodor went
> through the nmap-os-fingerprints file and found that it was easy to use
> that database to find systems which are vulnerable to these kinds of
> scans.
>
> Vulnerable systems of note include:
> Digital Unix 4.0X
> FreeBSD <=4.0
> OpenBSD <=2.5
> AIX <=4.3.2 (is this current?)
>
> Notable systems which are /NOT/ vulnerable include:
> Solaris (all?)
> IRIX 6.x
> HP-UX 11.0
> Linux (all?)
This is probably one of the oldest stealth scanning techniques out
there. In fact, the original (that I have found) email discussing this
was back in December of 1995 (!) by Darren Reed:
http://lists.gnac.net/firewalls/mhonarc/firewalls.9512/msg00089.html
A little snippet:
"When kernels based on BSD networking are targeted, a non-zero window is
returned for sockets which are listening. This is due to them (a) having a
non-zero window in the listening state and (b) a pointer, tp, being non-null
when passed to tcp_close() to send the RST. In case (b), tp points to the
listening socket.
Looking at the above table, we can scan for active listening ports quite
successfully, so long as we know what to expect back. In particular,
using a SYN-ACK instead of a SYN seems particularly fruitful."
In fact, this was the original email that got me started on writing sirc
in which I used this exact technique to fingerprint BSD-based OSes.
JE
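Added example, not code from either poster or from nmap: a defender-side detector for the ACK-only scan the thread describes. It learns flows from observed SYNs, flags bare ACKs into flows that were never opened, and reports which RST replies carried a non-zero window, which is the BSD-stack behaviour Reed and Granquist describe. The packet records, addresses and the `min_ports` threshold are constructed for illustration.

```python
"""ACK-only ("th_win") scan detection: added example, not code from the posts
or from nmap. Flows are learned from observed SYNs; bare ACKs into unknown
flows are flagged, and RST replies with a non-zero window are reported."""
from collections import defaultdict

# Constructed packet records: (src, sport, dst, dport, flags, window).
# Flags: S=SYN, A=ACK, R=RST.  Addresses come from documentation ranges.
SAMPLE_PACKETS = [
    ("10.0.0.5", 33000, "192.0.2.10", 80, "S", 8192),        # normal handshake
    ("192.0.2.10", 80, "10.0.0.5", 33000, "SA", 16384),
    ("10.0.0.5", 33000, "192.0.2.10", 80, "A", 8192),        # ACK on a known flow
    ("198.51.100.7", 40000, "192.0.2.10", 22, "A", 1024),    # unsolicited ACKs
    ("192.0.2.10", 22, "198.51.100.7", 40000, "R", 0x1000),  # RST, window set
    ("198.51.100.7", 40001, "192.0.2.10", 25, "A", 1024),
    ("192.0.2.10", 25, "198.51.100.7", 40001, "R", 0),       # RST, window clear
    ("198.51.100.7", 40002, "192.0.2.10", 80, "A", 1024),
    ("192.0.2.10", 80, "198.51.100.7", 40002, "R", 0x4000),
    ("198.51.100.7", 40003, "192.0.2.10", 443, "A", 1024),
    ("192.0.2.10", 443, "198.51.100.7", 40003, "R", 0),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so a reply matches the segment it answers."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def unsolicited_acks(packets):
    """ACK-only segments on flows never opened by a SYN: ({src: dports}, keys)."""
    known, keys, hits = set(), set(), defaultdict(set)
    for src, sport, dst, dport, flags, _win in packets:
        key = flow_key(src, sport, dst, dport)
        if "S" in flags:
            known.add(key)           # SYN or SYN/ACK opens the flow
        elif flags == "A" and key not in known:
            hits[src].add(dport)     # bare ACK into a flow we never saw
            keys.add(key)
    return hits, keys

def ack_scanners(packets, min_ports=4):
    """Sources that sent unsolicited ACKs to at least min_ports distinct ports."""
    hits, _ = unsolicited_acks(packets)
    return sorted(s for s, ports in hits.items() if len(ports) >= min_ports)

def rst_window_leak(packets, host):
    """Ports on host whose RST answering an unsolicited ACK carried a non-zero
    window: the BSD behaviour the thread describes, which exposes listeners."""
    _, probed = unsolicited_acks(packets)
    return sorted(sport for src, sport, dst, dport, flags, win in packets
                  if src == host and flags == "R" and win != 0
                  and flow_key(src, sport, dst, dport) in probed)
```

Running `rst_window_leak` against captures of your own hosts' replies tells you whether a stack still reveals listeners through the RST window, which is the exposure the thread's vulnerable-systems list is about.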