Nmap Development mailing list archives
Re: ACK Scans
From: Fyodor <fyodor () insecure org>
Date: Fri, 13 Jun 2003 16:00:52 -0700
On Fri, May 23, 2003 at 12:21:34PM -0400, Triple Crown wrote:
I'm researching some snort archived files from last year and have keyed on some detects triggered by this snort rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;) I've tried to reproduce the scan with nmap of sending a lone ACK flag with an acknowledgement number of 0 without any success.
Nmap used to have this behavior, but the ACK number was changed to a more random value to be more stealthy. If you want to reproduce that again for some reason, you could use an old version of Nmap, modify the current version, or use a lower level packet probing tool like hping2.
On a side note - It may just be my ignorance of using the -PT flag properly but I found you can't do a -PT80 as suggested in the man pages to scan port 80, but by adding -p80 it works properly.
-PT80 only sets the port used for pinging. So yes, you do need to give port scan port number(s) as well via flags such as -p80.
Cheers,
-F
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
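As an added illustration of the detection logic discussed in this thread (this is example code written for this archive page, not code from Nmap, Snort or any participant): the Snort signature sid:628 matches a TCP segment whose flag bits are exactly ACK (Snort's plain `flags:A`, no `+` or `*` modifier) and whose acknowledgement field is 0. The script below builds a few constructed 20-byte TCP headers, parses them, and applies that match, which shows why an old-style lone ACK with ack 0 fires the rule while a lone ACK carrying a randomized acknowledgement number, as Fyodor describes for newer Nmap, does not. All packet values are constructed samples; checksums are left at zero because nothing here is sent on the wire.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags halfword)
TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10

def build_tcp_header(sport, dport, seq, ack, flags, window=1024):
    """Build a minimal 20-byte TCP header with no options (constructed sample,
    checksum and urgent pointer set to 0)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)   # data offset = 5 words
    return struct.pack('!HHIIHHHH', sport, dport, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp_header(data):
    """Parse the fixed part of a TCP header into a dict of fields."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = \
        struct.unpack('!HHIIHHHH', data[:20])
    return {
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
        'flags': offset_flags & 0x1FF, 'window': window,
    }

def matches_sid_628(hdr):
    """Equivalent of the Snort options 'flags:A; ack:0;' from the thread:
    flag bits must be exactly ACK and the acknowledgement number must be 0."""
    return hdr['flags'] == TCP_FLAG_ACK and hdr['ack'] == 0

# Constructed sample segments, labelled by what they represent.
SAMPLES = [
    ("old-nmap lone ACK, ack=0",         build_tcp_header(40000, 80, 0x11223344, 0, TCP_FLAG_ACK)),
    ("newer-nmap lone ACK, random ack",  build_tcp_header(40000, 80, 0x11223344, 0x5A3C9E71, TCP_FLAG_ACK)),
    ("SYN with ack=0 (normal connect)",  build_tcp_header(40000, 80, 0x11223344, 0, TCP_FLAG_SYN)),
    ("PSH+ACK with ack=0 (not lone A)",  build_tcp_header(40000, 80, 0x11223344, 0, TCP_FLAG_PSH | TCP_FLAG_ACK)),
]

def evaluate_samples(samples=SAMPLES):
    """Return a list of (label, fired) pairs for the given raw headers."""
    return [(label, matches_sid_628(parse_tcp_header(raw))) for label, raw in samples]

if __name__ == '__main__':
    for label, fired in evaluate_samples():
        print(f"{'ALERT ' if fired else 'quiet '} sid:628  {label}")
```

Only the first sample trips the rule; the second is the same lone-ACK probe with a non-zero acknowledgement number and passes untouched, which is the gap the archived detects and the reply above point at. A rule keyed on `ack:0` therefore documents a historical Nmap quirk rather than ACK scans in general.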
Current thread:
- ACK Scans Triple Crown (May 23)
- Re: ACK Scans Philippe Biondi (May 25)
- Re: ACK Scans Triple Crown (May 27)
- Re: ACK Scans Philippe Biondi (May 27)
- Re: ACK Scans Triple Crown (May 27)
- Re: ACK Scans Fyodor (Jun 13)
- Re: ACK Scans Philippe Biondi (May 25)