Security Incidents mailing list archives
Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Fri, 19 Jan 2001 16:10:27 -0500
r4gn4r0k <r4gn4r0k () TELUS NET> writes:

> anyone know the name(s) and/or a url to find the tool? may be one tool or family of tools derived from the same base code (note the hand-crafted ID always = 39426 and the Advertised Window = 0x404) I'm trying to correlate what I'm seeing on snort with what my personal firewall is logging and I want to be able to generate the traffic myself (tired of having to wait hours or days between random tests to be farted out of the global sewer).
>
> <SYN+FIN scan snipped>

This looks like synscan. I know, that's my answer to everything lately, but it does. The original synscan 1.6 code generates TCP packets with an IP ID number of 666 and a TCP window size of 1028. (1028 == 0x404)

The definitive answer, of course, would be if the SYN+FIN probe were immediately followed by a connection that simply grabbed the banner and then disconnected. (the original synscan then writes the banner information to a file and continues scanning)

Now, as I had to hunt a slight bit to find out where in the source the TCP window was specified, whereas the ID number was in the source plain as day, it's likely that even the most C-programming-impaired scriptie could change the ID number. Certainly, if I were looking at the source alone, not having had packets studied, and were trying to modify the program so as to not display the same signature as the original, I might miss the TCP window size but would definitely change the ID. (though I'd probably replace it with a randomly generated ID, but that's neither here nor there)

synscan's source code used to be available from www.psychoid.lam3rz.de; however, it appears that that domain was removed from the DNS servers earlier this week, so search around for "synscan1.6.tar.gz" on google and you'll be able to find it.

By the way, I was wrong recently on the list when I said that SYN+FIN followed by an immediate connection to get the banner was ramen wormsign. In fact, that's just synscan's behavior. (Note that the ramen worm has the potential to become the biggest user of the synscan tool). True ramen-worm sign would involve launching almost immediate attacks against RedHat systems after grabbing the banner. (wu-ftpd and rpc.statd exploits on 6.2 systems; LPRng attacks on RedHat 7 systems)
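As an added example (not part of the original post or of synscan), this is the detection logic a defender could run over packet records to flag SYN+FIN probes carrying the fixed IP ID and 0x404 window the thread describes, and to pair each probe with the follow-up banner-grab connection that distinguishes synscan. The packet records, the five-second pairing window and the use of a plain SYN as the follow-up marker are constructed assumptions.

```python
from collections import namedtuple

# Minimal per-packet record (constructed; a real feed would come from a pcap or IDS log)
Pkt = namedtuple("Pkt", "ts src dst dport ip_id flags window")

SYN, FIN = 0x02, 0x01
# Values named in the thread: synscan 1.6 uses IP ID 666, the observed variant 39426;
# both use a TCP window of 1028 (0x404).
KNOWN_IDS = {666, 39426}
SYNSCAN_WINDOW = 0x404
FOLLOWUP_SECS = 5.0  # assumed maximum gap between probe and banner-grab connection

def is_synfin_probe(p):
    """SYN and FIN set together never occurs in a legitimate handshake."""
    return bool(p.flags & SYN) and bool(p.flags & FIN)

def synscan_fingerprint(p):
    """Return the set of signature elements matched (empty if not synscan-like)."""
    hits = set()
    if is_synfin_probe(p):
        hits.add("syn+fin")
        if p.window == SYNSCAN_WINDOW:
            hits.add("window=0x404")
        if p.ip_id in KNOWN_IDS:
            hits.add(f"ip_id={p.ip_id}")
    return hits

def find_probes_with_banner_grab(pkts):
    """For each SYN+FIN probe, look for a later plain SYN from the same source to the
    same dst:port within FOLLOWUP_SECS (synscan's banner-grab connection).
    Returns (probe, followup_seen, sorted signature elements) per probe."""
    results = []
    for probe in (p for p in pkts if synscan_fingerprint(p)):
        followup = next((q for q in pkts
                         if probe.ts < q.ts <= probe.ts + FOLLOWUP_SECS
                         and (q.src, q.dst, q.dport) == (probe.src, probe.dst, probe.dport)
                         and q.flags == SYN), None)
        results.append((probe, followup is not None, sorted(synscan_fingerprint(probe))))
    return results

# Constructed sample traffic: one probe with banner grab, one normal SYN, one bare probe
SAMPLE = [
    Pkt(0.0, "10.0.0.9", "10.0.0.5", 21, 39426, SYN | FIN, 0x404),
    Pkt(0.3, "10.0.0.9", "10.0.0.5", 21, 4711, SYN, 5840),
    Pkt(1.0, "10.0.0.7", "10.0.0.5", 80, 12345, SYN, 5840),
    Pkt(2.0, "10.0.0.8", "10.0.0.5", 515, 666, SYN | FIN, 0x404),
]
```

Run `find_probes_with_banner_grab(SAMPLE)` to see the first probe paired with its banner grab and the second left unpaired; a changed IP ID still trips the syn+fin and window checks, matching the post's point that the ID is the easiest field for a modified copy to alter.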