Nmap Development mailing list archives
Re: SYN Scan values - article
From: kx <kxmail () gmail com>
Date: Sun, 25 Jun 2006 00:16:19 -0400
Martin,

Awesome points. I suppose I am thinking about single packet characterization that this packet is from an nmap SYN scan. Does anyone have any packet logs to say how often the DF bit is set in the first SYN? I think I was seeing it always set on Linux and Windows XP.

I agree with TTL, no need to change it. What did you think about changing the default Window Size?

Re: the RSTs, is it better to allow the host OS to send RSTs or not? I suppose if you use decoys, and they are all real hosts responding with RSTs, you would want to as well so you wouldn't stick out, but what about other cases?

Just curious on your and others' thoughts.

Cheers,
kx

On 6/23/06, Martin Mačok <martin.macok () underground cz> wrote:
> On Wed, Jun 21, 2006 at 11:11:24PM -0400, kx wrote:
>
>> Set the DF bit.
>
> This raises a possibility that SYN packet will not get through, doesn't it?
>
>> Set the TTL to 64 or 128 or vary by OS
>
> This way we could reveal the distance of the scanner from the target. No big deal, though...
>
>> Also, another thing I was wondering about, is what does our RST signature look like compared to real OSes?
>
> Nmap doesn't generate RST by itself but (generally) it is being generated by the OS the scanner is running on (as a response to unsolicited SYN+ACK packets coming back from the target). Hence, the RST should match the real OS the scanner is running on.
>
>> I am just trying to think of ways to make our SYN scans stick out less to potential IDS rules. Curious on your thoughts.
>
> Well, I think that we would still match from a behavior point of view (too many SYNs to different ports over short time period).
>
> Martin Mačok
> ICT Security Consultant
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
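The behaviour-based matching Martin describes in the quoted reply, as an added example that is not part of the original thread: a sliding-window detector that counts distinct destination ports per source/target pair and never looks at DF, TTL or window size. The record layout, the thresholds and the sample packets are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to the monitored network.
WINDOW_SECONDS = 5.0
MIN_DISTINCT_PORTS = 10


def find_syn_sweeps(packets, window=WINDOW_SECONDS, min_ports=MIN_DISTINCT_PORTS):
    """Return {(src, dst): peak distinct ports} for pairs that reach min_ports
    distinct destination ports with bare SYNs inside one time window.

    packets: time-ordered dicts with keys ts, src, dst, dport, flags.
    Header fields such as df, ttl and win are deliberately ignored.
    """
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    flagged = {}
    for p in packets:
        if p["flags"] != "S":  # only connection attempts, not SYN+ACK or RST
            continue
        key = (p["src"], p["dst"])
        q = recent[key]
        q.append((p["ts"], p["dport"]))
        while q and p["ts"] - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({port for _, port in q})
        if distinct >= min_ports:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


def build_sample():
    """Constructed sample traffic (documentation address ranges)."""
    pkts = []
    # Source probing 20 ports in 2 seconds, with OS-typical header values.
    for i in range(20):
        pkts.append({"ts": i * 0.1, "src": "192.0.2.10", "dst": "198.51.100.5",
                     "dport": 20 + i, "flags": "S", "df": True, "ttl": 64, "win": 5840})
    # Ordinary client reconnecting to two services on the same host.
    for i in range(15):
        pkts.append({"ts": i * 0.3, "src": "192.0.2.20", "dst": "198.51.100.5",
                     "dport": 443 if i % 2 else 80, "flags": "S",
                     "df": True, "ttl": 128, "win": 65535})
    return sorted(pkts, key=lambda p: p["ts"])


if __name__ == "__main__":
    print(find_syn_sweeps(build_sample()))
```
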