Re: ACK/th_win portscanning

[Lamont Granquist <lamontg () raven genome washington edu>]

On Sun, 12 Sep 1999, Keith R. Jarvis wrote:
> > Here's a patch to NMAP 2.3 BETA3 which impliments -sA which is similar in
> > function to a SYN scan, only it sends out packets with only the ACK bit
> > set and instead of looking for SYN|ACK or RST to differentiate between
> > open/closed ports it looks for th_win being either set (0xf000 or 0x8000)
> > or clear (0x0000).  It works against Digital Unix targets, and (i think)
> > IRIX 5.3.  It should report filtered ports correctly, unlike FIN scans.
> > I don't think it works against Solaris, HP-UX, Linux or IRIX>5.3 targets.
> > It is therefore of limited use, but what the hell...
>
> Applies cleanly to BETA5, too. Works against my IRIX 5.3 machine here but not 
> on the 6.5 machine in the other room (like you mentioned).  If you don't 
> mind me asking, what led to your uncertainty about it working against 5.3?

Well, IRIX 5.3 is the platform that I usually run nmap scan /from/.  I
only took the patch over to our Solaris 7 box and tried scanning the IRIX
5.3 box after I posted that message.  It doesn't scan our IRIX 6.2-6.4
boxes either.

> It does seem to work against HP-UX 10.20 but not Linux 1.2.13. I didn't get 
> a chance to get any captures, I'll try to do this and try some more machines 
> at work tomorrow.

Intersting, yeah, HP-UX 9.x seems to be vulnerable as well.  HP-UX 11.0
does not appear to be vulnerable.

> Neat patch.

Yeah, don't know how useful it is, since the only current version of an OS
that it seems to be effective against is Digital Unix.  With only the ACK
bit set it might be able to get through some firewall rules, though.

-- 
Lamont Granquist                       lamontg () genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka