Nmap Development mailing list archives
Re: ACK Scans
From: Philippe Biondi <biondi () cartel-securite fr>
Date: Sun, 25 May 2003 17:16:55 +0200 (CEST)
On Fri, 23 May 2003, Triple Crown wrote:
> I'm researching some snort archived files from last year and have keyed on some detects triggered by this snort rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
>
> I've tried to reproduce the scan with nmap of sending a lone ACK flag with an acknowledgement number of 0 without any success. A google search led me to this:
>
> http://archives.neohapsis.com/archives/snort/2000-08/0163.html
>
> Apparently there was a bug in an older version of nmap that would produce this type of scan. The dates on the posts from the above URL suggest that the bug existed a few years back. Does anyone know if it is possible to reproduce this scan with nmap without the older version? All of my testing with -PT or -sA resulted in what appear to be random ACK numbers.
>
> On a side note - it may just be my ignorance of using the -PT flag properly, but I found you can't do a -PT80 as suggested in the man pages to scan port 80, but by adding -p80 it works properly.
>
> Any help is appreciated.....
Use tcpdump to know exactly what the sent packets are and if they match your expectations.

--
Philippe Biondi <biondi@ cartel-securite.fr>
Cartel Sécurité
Security Consultant/R&D
http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94 Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
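The condition that sid:628 expresses (`flags:A; ack:0`), applied to raw TCP headers such as those a tcpdump capture would contain, as an added example that is not part of the original thread. The function names and sample segments are constructed for illustration, and ignoring the two ECN bits when comparing flags is a simplification of this example.

```python
import struct

ACK = 0x10
CLASSIC_FLAGS = 0x3F  # URG|ACK|PSH|RST|SYN|FIN; the two ECN bits are ignored (assumption)

def parse_tcp(segment: bytes):
    """Return (seq, ack, flags) from a raw TCP header, or None if malformed."""
    if len(segment) < 20:
        return None
    _sport, _dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        return None
    return seq, ack, off_flags & 0xFF

def matches_lone_ack_zero(segment: bytes) -> bool:
    """True when only ACK is set and the acknowledgement number is 0."""
    hdr = parse_tcp(segment)
    if hdr is None:
        return False
    _seq, ack, flags = hdr
    return (flags & CLASSIC_FLAGS) == ACK and ack == 0

def build_tcp(seq: int, ack: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header for the samples (checksum left at 0)."""
    return struct.pack("!HHIIHHHH", 40000, 80, seq, ack, (5 << 12) | flags, 1024, 0, 0)

# Constructed sample segments, not captured traffic.
SAMPLES = {
    "lone ACK, ack=0": build_tcp(0x1234, 0, 0x10),
    "lone ACK, non-zero ack": build_tcp(0x1234, 0x7A3B19C4, 0x10),
    "SYN, ack=0": build_tcp(0x1234, 0, 0x02),
    "SYN/ACK, ack=0": build_tcp(0x1234, 0, 0x12),
    "truncated header": b"\x00" * 10,
}

def flagged(samples):
    """Names of the samples the check fires on."""
    return [name for name, seg in samples.items() if matches_lone_ack_zero(seg)]

if __name__ == "__main__":
    # Roughly equivalent capture filter: tcpdump 'tcp[13] & 0x3f = 0x10 and tcp[8:4] = 0'
    for name, seg in SAMPLES.items():
        print(f"{name:26} -> {matches_lone_ack_zero(seg)}")
```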