Security Incidents mailing list archives

Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports


From: Joe Stewart <jstewart () LURHQ COM>
Date: Fri, 19 Jan 2001 12:44:54 -0500

On Fri, 19 Jan 2001, you wrote:
> anyone know the name(s) and/or a url to find the tool?
>
> may be one tool or family of tools derived from the same base code (note
> the hand-crafted ID always = 39426 and the Advertised Window = 0x404)

These look like Synscan 1.6 packets. The seemingly random IP ID of 39426
is actually supposed to be 666, but the original author of the packet code
forgot to change his ip_id variable from host to network byte-order.

Also, although it has not been publicly released, Synscan 1.7 has been found
to be part of the latest (unreleased) t0rnkit, and its signature is pretty
much the same, except it sends SYN instead of SYN-FIN. I believe it is still
vulnerable to the attack I described before using a forged packet from
microsoft.de to shut down the listener.

Also, there is a format-string buffer overflow in the DNS banner checking
code which could potentially lead to a remote root exploit on the scanning
box, under certain circumstances.

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
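An added example, not code from Joe's post or from Synscan itself: a small detector that matches the signature described above (IP ID 39426, advertised window 0x404, SYN-FIN for 1.6 or bare SYN for the 1.7-style variant) on raw IPv4/TCP headers, plus the byte swap that turns the intended ID 666 into 39426. The sample packets are constructed inline for testing; source/destination addresses and ports are arbitrary.

```python
import struct

# Signature values quoted in the thread.
SYNSCAN_IP_ID = 39426      # intended 666, sent in the wrong byte order
SYNSCAN_WINDOW = 0x404
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10

def byte_swapped_id(host_value: int) -> int:
    """A 16-bit value stored in little-endian host order but read as
    network order has its two bytes swapped: 666 (0x029A) -> 0x9A02."""
    return ((host_value & 0xFF) << 8) | (host_value >> 8)

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields the signature needs from a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"ip_id": ip_id, "sport": sport, "dport": dport,
            "flags": flags, "window": window}

def classify_synscan(fields: dict):
    """Return a label when the IP ID / window / flag combination matches
    the Synscan signature, otherwise None. ACK must be clear so that
    ordinary SYN-ACK replies never match."""
    if fields["ip_id"] != SYNSCAN_IP_ID or fields["window"] != SYNSCAN_WINDOW:
        return None
    f = fields["flags"] & (TCP_SYN | TCP_FIN | TCP_ACK)
    if f == TCP_SYN | TCP_FIN:
        return "SYN-FIN (Synscan 1.6)"
    if f == TCP_SYN:
        return "SYN (Synscan 1.7-style)"
    return None

def build_packet(ip_id: int, flags: int, window: int, dport: int = 21) -> bytes:
    """Constructed sample: IPv4 + TCP headers only, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                      window, 0, 0)
    return ip + tcp
```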
