Nmap Development mailing list archives

Re: SYN Scan values - article


From: Felix Gröbert <felix () groebert org>
Date: Thu, 22 Jun 2006 10:33:10 +0200

Hi,

> I think this article raises a good point, probably raised many times
> before. We just recently added an MSS of 1460 to the SYN scans, and I
> was wondering if we should change these values as well:
>
> Set the DF bit.
> Set the TTL to 64 or 128 or vary by OS
> Set the Window Size to 65535, 5840 or vary by OS.

Yes, indeed a good point. On the other hand we do not want big packets.
Maybe a --ids-evasive or -sSs(ecure) switch?

It would be helpful to know which tcp parameters[2] are set on common
syn[1] packets. Imho, wscale and sackok are often set. But this needs to
be quantified.

> I am just trying to think of ways to make our SYN scans stick out less
> to potential IDS rules. Curious on your thoughts.

Another problem, at least on stateful firewalls and intrusion detection
systems, is the function
  void random_port_cheat(u16 *ports, int portcount)

This function sorts the popular ports
  21, 22, 23, 25, 53, 80, 113, 256, 389, 443, 554, 636, 1723, 3389
to the beginning of the scan. Unless -r is specified.

I would suggest circumventing this by using -T or -p
$someinterestingports.


        greets, Felix

[1] http://syntest.psc.edu:7961/
[2] http://www.iana.org/assignments/tcp-parameters


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
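The two fingerprints Felix describes (the popular-port ordering from random_port_cheat() and SYNs that lack the wscale/sackok options most OS stacks set) are exactly what a detection rule can key on. The following is an added example, not code from the thread or from nmap: a small scorer over a constructed SYN log format (src/dport/win/opts fields, assumed for this example) that flags a source whose first SYNs concentrate on the popular-port list while carrying none of the usual options.

```python
import re
from collections import defaultdict

# Ports that nmap's random_port_cheat() moves to the front of a scan
# unless -r is given (list copied from the message above).
POPULAR_PORTS = {21, 22, 23, 25, 53, 80, 113, 256, 389, 443, 554, 636, 1723, 3389}

# Constructed log format assumed for this example: one SYN per line.
LINE = re.compile(r"src=(\S+) dport=(\d+) win=(\d+) opts=(\S*)")

def parse_syns(lines):
    """Group SYN records per source address, preserving arrival order."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a SYN record in the assumed format
        src, dport, win, opts = m.groups()
        by_src[src].append({"dport": int(dport), "win": int(win),
                            "opts": set(filter(None, opts.split(",")))})
    return by_src

def popular_prefix_ratio(syns, n=8):
    """Fraction of a source's first n SYNs that hit the popular-port set."""
    head = syns[:n]
    return sum(s["dport"] in POPULAR_PORTS for s in head) / len(head) if head else 0.0

def bare_syn_ratio(syns):
    """Fraction of SYNs carrying neither wscale nor sackok (unusual for a real OS stack)."""
    return sum(not (s["opts"] & {"wscale", "sackok"}) for s in syns) / len(syns) if syns else 0.0

def score_sources(lines, n=8, prefix_threshold=0.75, bare_threshold=0.9):
    """Return sources whose SYN pattern resembles a default nmap SYN scan."""
    flagged = {}
    for src, syns in parse_syns(lines).items():
        if len(syns) < n:
            continue  # too few observations to judge this source
        p, b = popular_prefix_ratio(syns, n), bare_syn_ratio(syns)
        if p >= prefix_threshold and b >= bare_threshold:
            flagged[src] = {"popular_prefix": round(p, 2), "bare_syn": round(b, 2)}
    return flagged

# Constructed sample: 10.0.0.5 walks the popular ports first with MSS-only SYNs;
# 10.0.0.7 is an ordinary client whose SYNs carry wscale and sackok.
SAMPLE = [f"src=10.0.0.5 dport={p} win=1024 opts=mss"
          for p in (21, 22, 23, 25, 53, 80, 113, 256, 8080)]
SAMPLE += [f"src=10.0.0.7 dport={p} win=64240 opts=mss,wscale,sackok"
           for p in (443, 80, 443, 8443, 993, 443, 80, 5228)]

if __name__ == "__main__":
    print(score_sources(SAMPLE))  # only 10.0.0.5 is flagged
```

A host using -r or a custom -p list, as Felix suggests, would pass the port-order check, which is why the option profile is scored alongside it.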

