[13400] in bugtraq


usual iploggers miss some variable stealth scans

daemon@ATHENA.MIT.EDU (vecna)
Mon Jan 17 23:03:41 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10001172001170.498-100000@0zZurT.whitehouse.gov>
Date:         Mon, 17 Jan 2000 20:26:10 +0100
Reply-To: vecna <vecna@ITAPAC.NET>
From: vecna <vecna@ITAPAC.NET>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In November '99, more or less... I discovered 5 new types of stealth scan, made by modifying the flags normally used in the XMAS stealth scan.

The five types of packets that can be used for stealth scanning, and aren't logged by the normal tcplogd/scanlogger, have these flags:
URG
PUSH
URG+FIN
PUSH+FIN
URG+PUSH

These flags on a packet, like FIN, XMAS (fin+urg+psh) and NULL scan (no flag set), cause an RST+ACK reply if the port is closed, and no reply if the port is open. This is effective only against *nix systems.

I don't think this is an important technical notice... but most TCP loggers must be upgraded/reconfigured.

I've coded a patch for nmap-2.12, check http://vecna.unix.kg

Bye.
vecna
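The logger-side point of the post, as an added example (not vecna's code and not the nmap patch): the five combinations listed above, together with FIN, XMAS and NULL, share one property, namely that none of SYN, ACK or RST is set. A segment like that belongs to no legitimate connection, and an RFC 793 stack answers it with RST+ACK only when the port is closed. A logger that keys on the absence of SYN/ACK/RST therefore covers all eight combinations of the remaining flags at once, rather than enumerating the three classic ones. The packet records below are constructed for the demonstration, and the "legacy logger" is a hypothetical model of a 1999-era tool that matched only NULL, FIN and XMAS.

```python
"""Classify TCP segments whose flag combination makes them 'inverse' probes,
as described in vecna's Bugtraq post: no SYN, ACK or RST set, so an RFC 793
stack replies RST+ACK on a closed port and stays silent on an open one.

Added example; the packet records below are constructed, not captured.
"""
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Names for every combination of the three flags that can remain once
# SYN, ACK and RST are absent; includes the five variants from the post.
INVERSE_SCAN_NAMES = {
    0:               "NULL",
    FIN:             "FIN",
    FIN | PSH | URG: "XMAS",
    URG:             "URG",
    PSH:             "PUSH",
    URG | FIN:       "URG+FIN",
    PSH | FIN:       "PUSH+FIN",
    URG | PSH:       "URG+PUSH",
}

# Hypothetical model of an old logger that matched only the classic trio.
LEGACY_LOGGER_FLAGS = {0, FIN, FIN | PSH | URG}


def is_inverse_probe(flags: int) -> bool:
    """True when the segment carries none of SYN, ACK or RST.

    Every segment of an established connection carries ACK and every
    handshake segment carries SYN, so such a segment is anomalous by itself.
    Keying on this absence covers all combinations of FIN, PSH and URG.
    """
    return flags & (SYN | ACK | RST) == 0


def classify(flags: int) -> Optional[str]:
    """Name of the inverse-scan variant, or None for ordinary traffic."""
    if not is_inverse_probe(flags):
        return None
    # Mask to the three flag bits that can remain; all 8 values are named.
    return INVERSE_SCAN_NAMES[flags & (FIN | PSH | URG)]


def legacy_logger_sees(flags: int) -> bool:
    """Model of a logger that enumerates only NULL, FIN and XMAS."""
    return is_inverse_probe(flags) and (flags & (FIN | PSH | URG)) in LEGACY_LOGGER_FLAGS


# Constructed sample records: (src, dst, dport, flags).
SAMPLE_PACKETS: List[Tuple[str, str, int, int]] = [
    ("10.0.0.5", "10.0.0.9", 22, SYN),              # normal connect attempt
    ("10.0.0.5", "10.0.0.9", 22, ACK | PSH),        # data on an open connection
    ("10.0.0.7", "10.0.0.9", 80, FIN),              # FIN scan: legacy logger sees it
    ("10.0.0.7", "10.0.0.9", 81, URG),              # URG probe: legacy logger misses it
    ("10.0.0.7", "10.0.0.9", 82, PSH),              # PUSH probe: missed
    ("10.0.0.7", "10.0.0.9", 83, URG | FIN),        # missed
    ("10.0.0.7", "10.0.0.9", 84, PSH | FIN),        # missed
    ("10.0.0.7", "10.0.0.9", 85, URG | PSH),        # missed
    ("10.0.0.7", "10.0.0.9", 86, FIN | PSH | URG),  # XMAS: seen
    ("10.0.0.7", "10.0.0.9", 87, 0),                # NULL: seen
]


def audit(packets):
    """Return (probes found by the SYN/ACK/RST-absence rule, probes the legacy logger logs)."""
    detected = [(src, dport, classify(f)) for src, _, dport, f in packets if is_inverse_probe(f)]
    legacy = [(src, dport) for src, _, dport, f in packets if legacy_logger_sees(f)]
    return detected, legacy


if __name__ == "__main__":
    seen, legacy = audit(SAMPLE_PACKETS)
    for src, port, name in seen:
        print(f"{src} -> port {port}: {name} probe")
    print(f"{len(seen)} probes by the flag-absence rule, {len(legacy)} by the legacy logger")
```

On the constructed records the absence rule reports all eight probes while the enumerating logger reports three, which is the gap the post asks logger maintainers to close. Since the post notes the technique works only against *nix stacks, a stack that answers RST regardless of port state gives the sender no information, but the segments are anomalous either way and still worth logging.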
