Nmap Development mailing list archives

Re: ACK Scans


From: Fyodor <fyodor () insecure org>
Date: Fri, 13 Jun 2003 16:00:52 -0700

On Fri, May 23, 2003 at 12:21:34PM -0400, Triple Crown wrote:
I'm researching some snort archived files from last year and have keyed on
some detects triggered by this snort rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)

I've tried to reproduce the scan with nmap of sending a lone ACK flag with an acknowledgement number of 0 without any success.

Nmap used to have this behavior, but the ACK number was changed to a
more random value to be more stealthy.  If you want to reproduce that
again for some reason, you could use an old version of Nmap, modify
the current version, or use a lower level packet probing tool like
hping2.

On a side note -
It may just be my ignorance of using the -PT flag properly but I found you can't do a -PT80 as suggested in the man pages to scan port 80, but by adding -p80 it works properly.

-PT80 only sets the port used for pinging.  So yes, you do need to
give port scan port number(s) as well via flags such as -p80.

Cheers,
-F
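The exchange above turns on one detail of the Snort rule: `flags:A` matches only when ACK is the sole flag set, and `ack:0` matches only when the acknowledgement field is literally zero, so a probe with a randomized ACK number slips past sid 628 even though it is still a lone-ACK packet. The following is an added example (not code from this thread, Fyodor, or the Nmap or Snort projects) that builds a few constructed 20-byte TCP headers inline, parses the fields the rule inspects, and applies the rule's logic to each; all packet names and values are made up for illustration.

```python
import struct

# TCP flag bits (RFC 793 layout in the 8-bit flags byte).
TCP_SYN = 0x02
TCP_ACK = 0x10

# 20-byte TCP header without options: sport, dport, seq, ack,
# data-offset/reserved byte, flags byte, window, checksum, urgent pointer.
TCP_HDR_FMT = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=1024):
    """Build a minimal TCP header; checksum is left at 0 since we never send it."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return the header fields the Snort rule inspects."""
    sport, dport, seq, ack, _offset_res, flags, _win, _csum, _urg = struct.unpack(
        TCP_HDR_FMT, raw[:20]
    )
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def matches_sid_628(hdr):
    """Snort 'flags:A' = exactly ACK set (no other flag); 'ack:0' = ack field == 0."""
    return hdr["flags"] == TCP_ACK and hdr["ack"] == 0


# Constructed sample headers (hypothetical ports and numbers, not captured traffic).
SAMPLES = {
    "old_style_lone_ack_zero": build_tcp_header(40000, 80, 0x1234, 0, TCP_ACK),
    "lone_ack_randomized":     build_tcp_header(40000, 80, 0x1234, 0x9ABCDEF0, TCP_ACK),
    "plain_syn":               build_tcp_header(40000, 80, 1, 0, TCP_SYN),
    "syn_ack_reply":           build_tcp_header(80, 40000, 7, 2, TCP_SYN | TCP_ACK),
}


def classify(samples=SAMPLES):
    """Map each sample name to whether sid 628's conditions would fire on it."""
    return {name: matches_sid_628(parse_tcp_header(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:28s} sid628={'ALERT' if hit else 'no'}")
```

Only the first sample fires; the second, a lone ACK with a non-zero acknowledgement number, is exactly the case the reply describes, which is why an ack-number-based signature alone is a weak indicator and a detection that counts unsolicited lone-ACK segments per source is the more durable approach.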

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
