Nmap Development mailing list archives
Re: SYN Scan values - article
From: Felix Gröbert <felix () groebert org>
Date: Thu, 22 Jun 2006 10:33:10 +0200
Hi,
> I think this article raises a good point, probably raised many times before. We just recently added an MSS of 1460 to the SYN scans, and I was wondering if we should change these values as well:
>
> Set the DF bit.
> Set the TTL to 64 or 128 or vary by OS.
> Set the Window Size to 65535, 5840 or vary by OS.
yes, indeed a good point. On the other hand we do not want big packets. Maybe a --ids-evasive or -sSs(ecure) switch? It would be helpful to know which tcp parameters[2] are set on common syn[1] packets. Imho, wscale and sackok are often set. But this needs to be quantified.
> I am just trying to think of ways to make our SYN scans stick out less to potential IDS rules. Curious on your thoughts.
Another problem, at least on stateful firewalls and intrusion detection systems, is the function

  void random_port_cheat(u16 *ports, int portcount)

This function sorts the popular ports 21, 22, 23, 25, 53, 80, 113, 256, 389, 443, 554, 636, 1723, 3389 to the beginning of the scan, unless -r is specified. I would suggest circumventing this by using -T or -p $someinterestingports.

greets,
Felix

[1] http://syntest.psc.edu:7961/
[2] http://www.iana.org/assignments/tcp-parameters

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
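The two things the message above says make SYN scans stick out (fixed per-packet field values with a thin option set, and the popular ports showing up at the front of the scan) can be checked from the IDS side. The following is an added example, not code from Nmap or from anyone in this thread: it builds constructed IPv4/TCP SYNs, parses DF, TTL, window and the TCP option kinds out of them, flags a SYN whose profile does not match the "stack-like" values suggested in the quoted text, and scores a burst of destination ports for the random_port_cheat() ordering. The "stack-like" sets (window 65535/5840, initial TTL 64/128/255, wscale and sackok present), the 30-hop threshold, the head-of-burst size and the emulation of random_port_cheat() are assumptions of this example, not measured OS or Nmap behaviour.

```python
"""Added example (not Nmap code): IDS-side heuristics for the SYN-scan traits discussed
in the thread. Value sets, thresholds and the random_port_cheat() emulation are assumptions."""
import random
import struct

# The ports Felix lists as sorted to the front of a scan by random_port_cheat().
POPULAR_PORTS = {21, 22, 23, 25, 53, 80, 113, 256, 389, 443, 554, 636, 1723, 3389}

# TCP option kinds from the IANA tcp-parameters registry.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
OPT_NAMES = {OPT_MSS: "mss", OPT_WSCALE: "wscale", OPT_SACKOK: "sackok", OPT_TS: "timestamp"}

# Assumed "looks like a real host stack" values, taken from the suggestions quoted above.
STACK_WINDOWS = {65535, 5840}
INITIAL_TTLS = (64, 128, 255)


def build_syn(sport, dport, ttl, window, df, options=b""):
    """Construct an IPv4+TCP SYN (checksums left zero) for the parser below."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)        # pad options to a 32-bit boundary
    tcp_len = 20 + len(options)
    off_flags = ((tcp_len // 4) << 12) | 0x02                # data offset in words, SYN flag
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_syn(pkt):
    """Return the header fields the heuristics use, including the TCP option kinds present."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, frag = pkt[8], struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:]
    _, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    opts, kinds, mss, i = tcp[20:(off_flags >> 12) * 4], [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            break                                            # malformed option: stop parsing
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        kinds.append(OPT_NAMES.get(kind, "kind%d" % kind))
        i += length
    return {"dport": dport, "ttl": ttl, "df": bool(frag & 0x4000), "window": window,
            "mss": mss, "options": kinds, "syn": bool(off_flags & 0x02)}


def profile_flags(p):
    """Reasons a single SYN does not look like a host stack's SYN (empty list = nothing odd)."""
    reasons = []
    if not p["df"]:
        reasons.append("DF clear")
    if p["window"] not in STACK_WINDOWS:
        reasons.append("window %d not stack-like" % p["window"])
    # Infer the sender's initial TTL as the next common value at or above the observed one;
    # more than 30 hops below any of them is treated as implausible (assumed threshold).
    initial = next((t for t in INITIAL_TTLS if t >= p["ttl"]), None)
    if initial is None or initial - p["ttl"] > 30:
        reasons.append("ttl %d implausible" % p["ttl"])
    reasons += ["no %s option" % o for o in ("wscale", "sackok") if o not in p["options"]]
    return reasons


def random_port_cheat(ports, randomize=True, seed=1):
    """Emulate the ordering Felix describes: popular ports first, the rest shuffled.
    randomize=False stands in for -r, which keeps the given order."""
    ports = list(ports)
    if not randomize:
        return ports
    rng = random.Random(seed)
    front = [p for p in ports if p in POPULAR_PORTS]
    rest = [p for p in ports if p not in POPULAR_PORTS]
    rng.shuffle(front)
    rng.shuffle(rest)
    return front + rest


def port_order_score(dports, head=8):
    """Fraction of the first `head` distinct destination ports that are in POPULAR_PORTS."""
    seen = []
    for d in dports:
        if d not in seen:
            seen.append(d)
        if len(seen) == head:
            break
    return sum(d in POPULAR_PORTS for d in seen) / len(seen) if seen else 0.0


# Constructed samples: a minimal SYN carrying only MSS 1460, and a SYN with the option set
# many host stacks send (MSS, SACK-permitted, timestamps, NOP, window scale).
MSS_ONLY = b"\x02\x04\x05\xb4"
STACK_OPTS = MSS_ONLY + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
MINIMAL_SYN = build_syn(40000, 80, ttl=51, window=1024, df=False, options=MSS_ONLY)
STACK_SYN = build_syn(40000, 80, ttl=64, window=65535, df=True, options=STACK_OPTS)

if __name__ == "__main__":
    for name, pkt in (("minimal", MINIMAL_SYN), ("stack-like", STACK_SYN)):
        p = parse_syn(pkt)
        print(name, p["options"], p["mss"], profile_flags(p))
    burst = random_port_cheat(range(1, 1025))
    print("cheat order", burst[:8], port_order_score(burst))
    print("-r order   ", list(range(1, 9)), port_order_score(range(1, 1025)))
```

The minimal SYN collects four reasons (DF clear, non-stack window, no wscale, no sackok) while the stack-like one collects none, and a 1-1024 burst in random_port_cheat() order has every one of its first eight distinct ports in the popular list, whereas the -r order has none. Sending only MSS keeps the packet small, which is the concern raised above, but it is exactly the thin option set that this kind of rule keys on.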
Current thread:
- SYN Scan values - article kx (Jun 21)
- Re: SYN Scan values - article Felix Gröbert (Jun 22)
- Re: SYN Scan values - article Martin Mačok (Jun 23)
- Re: SYN Scan values - article kx (Jun 24)
- Re: SYN Scan values - article Fyodor (Jun 24)
- Re: SYN Scan values - article Martin Mačok (Jun 25)
- Re: SYN Scan values - article kx (Jun 24)