Nmap Development mailing list archives

Re: SYN Scan values - article


From: kx <kxmail () gmail com>
Date: Sun, 25 Jun 2006 00:16:19 -0400

Martin,
  Awesome points.   I suppose I am thinking about single packet
characterization that this packet is from an nmap SYN scan.

  Does anyone have any packet logs to say how often the DF bit is set
in the first SYN. I think I was seeing it always set on Linux and
Windows XP.

  I agree with TTL, no need to change it.

  What did you think about changing the default Window Size?

  Re: the RSTs, is it better to allow the host OS to send RSTs or not?
 I suppose if you use decoys, and they are all real hosts responding
with RSTs, you would want to as well so you wouldn't stick out, but
what about other cases?  Just curious on your and others' thoughts.

Cheers,
  kx

On 6/23/06, Martin Mačok <martin.macok () underground cz> wrote:
> On Wed, Jun 21, 2006 at 11:11:24PM -0400, kx wrote:
>
> > Set the DF bit.
>
> This raises a possibility that SYN packet will not get through,
> doesn't it?
>
> > Set the TTL to 64 or 128 or vary by OS
>
> This way we could reveal the distance of the scanner from the target.
> No big deal, though...
>
> > Also, another thing I was wondering about, is what does our RST
> > signature look like compared to real OSes?
>
> Nmap doesn't generate RST by itself but (generally) it is being
> generated by the OS the scanner is running on (as a response to
> unsolicited SYN+ACK packets coming back from the target). Hence, the
> RST should match the real OS the scanner is running on.
>
> > I am just trying to think of ways to make our SYN scans stick out
> > less to potential IDS rules. Curious on your thoughts.
>
> Well, I think that we would still match from a behavior point of view
> (too many SYNs to different ports over short time period).
>
> Martin Mačok
> ICT Security Consultant
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev

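As an added illustration (not code from the thread or from Nmap), here are the two detection angles the discussion contrasts, written from the IDS side: the single-packet field checks kx asks about (DF bit, TTL, window size) and the behavioral rule Martin points to (many SYNs to different ports of one host in a short period), run over a constructed packet log. The packet records, thresholds and "common initial TTL" list are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of TCP SYN records, NOT captured traffic:
# (time_s, src_ip, dst_ip, dst_port, ttl, df_set, tcp_window)
SAMPLE_SYNS = [
    (0.0, "10.0.0.5", "10.0.0.9", 22,  64, True, 29200),   # ordinary client
    (0.3, "10.0.0.5", "10.0.0.9", 443, 64, True, 29200),
] + [
    # one source hitting 12 different ports on one host within a second
    (1.0 + i * 0.05, "10.0.0.7", "10.0.0.9", port, 51, False, 1024)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])
]

COMMON_INITIAL_TTLS = (64, 128, 255)   # assumed initial TTLs of common stacks


def syn_field_notes(pkt, max_hops=30, min_window=4096):
    """Single-packet heuristics from the thread. Thresholds are assumptions.
    Returns the list of field observations that look unlike a normal first SYN."""
    _, _, _, _, ttl, df_set, window = pkt
    notes = []
    if not df_set:
        notes.append("DF bit clear")   # thread: Linux and XP set DF on the first SYN
    if not any(0 <= init - ttl <= max_hops for init in COMMON_INITIAL_TTLS):
        notes.append("TTL not near a common initial value")
    if window < min_window:
        notes.append("small TCP window")
    return notes


def scan_sources(packets, max_ports=10, window_s=5.0):
    """Behavioral rule Martin describes: more than max_ports distinct destination
    ports from one source to one target within window_s seconds.
    Returns the set of flagged (src, dst) pairs."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (time, port)
    flagged = set()
    for t, src, dst, port, *_ in sorted(packets):
        q = recent[(src, dst)]
        q.append((t, port))
        while q and t - q[0][0] > window_s:   # drop SYNs outside the sliding window
            q.popleft()
        if len({p for _, p in q}) > max_ports:
            flagged.add((src, dst))
    return flagged


if __name__ == "__main__":
    print("flagged:", scan_sources(SAMPLE_SYNS))
    for pkt in SAMPLE_SYNS[:3]:
        print(pkt[1], "->", pkt[3], syn_field_notes(pkt))
```

Note that the field checks alone are weak evidence (a plain client can legitimately clear DF or use a small window), which is why the behavioral rule is the one that still matches even if the scanner's packet fields are made to look ordinary.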

