Security Incidents mailing list archives

Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Fri, 19 Jan 2001 16:10:27 -0500

r4gn4r0k <r4gn4r0k () TELUS NET> writes:
anyone know the name(s) and/or a url to find the tool?

may be one tool or family of tools derived from the same base code
(note the hand-crafted ID always = 39426 and the Advertised Window =
0x404)

I'm trying to correlate what I'm seeing on snort with what my
personal firewall is logging and I want to be able to generate the
traffic myself (tired of having to wait hours or days between random
tests to be farted out of the global sewer).

<SYN+FIN scan snipped>

This looks like synscan.  I know, that's my answer to everything
lately, but it does.  The original synscan 1.6 code generates TCP
packets with an IP ID number of 666 and a TCP window size of
1028. (1028 == 0x404)  The definitive answer, of course, would be if
the SYN+FIN probe were immediately followed by a connection that
simply grabbed the banner and then disconnected.  (the original
synscan then writes the banner information to a file and continues
scanning)

Now, as I had to hunt a slight bit to find out where in the source the
TCP window was specified, whereas the ID number was in the source
plain as day, it's likely that even the most C-programming-impaired
scriptie could change the ID number.  Certainly, if I were looking at
the source alone, not having had packets studied, and were trying to
modify the program so as to not display the same signature as the
original, I might miss the TCP window size but would definitely change
the ID.  (though I'd probably replace it with a randomly generated ID,
but that's neither here nor there)

synscan's source code used to be available from
www.psychoid.lam3rz.de; however, it appears that that domain was
removed from the DNS servers earlier this week, so search around for
"synscan1.6.tar.gz" on google and you'll be able to find it.

By the way, I was wrong recently on the list when I said that SYN+FIN
followed by an immediate connection to get the banner was ramen
wormsign.  In fact, that's just synscan's behavior.  (Note that the
ramen worm has the potential to become the biggest user of the synscan
tool).  True ramen-worm sign would involve launching almost immediate
attacks against RedHat systems after grabbing the banner. (wu-ftpd and
rpc.statd exploits on 6.2 systems; LPRng attacks on RedHat 7 systems)
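
The signature discussed in this message (SYN+FIN set, IP ID fixed at 666 in unmodified synscan 1.6 or 39426 in the variant the original poster saw, TCP window 0x404) and the "definitive" tell (a SYN+FIN probe followed almost immediately by a normal connection to the same port to grab the banner) can both be checked from captured traffic. The following is an added example written for this archive page, not code from the thread or from synscan: it decodes raw IPv4/TCP headers, reports which of the quoted field values a SYN+FIN probe matches, and pairs each probe with a plain SYN from the same source to the same port shortly afterwards. The five-second pairing threshold and the sample frames (built inline with placeholder addresses and no checksums) are constructed assumptions for the demonstration.

```python
"""Flag SYN+FIN probes and the synscan probe-then-banner-grab pattern in captured IPv4/TCP frames."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field values quoted in the thread: synscan 1.6 defaults and the variant reported by the poster.
SYNSCAN_IPID = 666
VARIANT_IPID = 39426
SYNSCAN_WINDOW = 0x404          # 1028 decimal
TCP_FIN, TCP_SYN = 0x01, 0x02
BANNER_GRAB_WINDOW_S = 5.0      # assumed meaning of "immediately followed"; not from the thread


@dataclass
class TcpPacket:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int
    window: int
    flags: int


def parse_ipv4_tcp(ts: float, raw: bytes) -> Optional[TcpPacket]:
    """Decode the IPv4 and TCP headers of one frame; None for non-IPv4, non-TCP or truncated input."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, ip_id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    dotted = lambda b: ".".join(str(x) for x in b)
    # The low 9 bits of the offset/flags word are the TCP flag bits.
    return TcpPacket(ts, dotted(src), dotted(dst), sport, dport, ip_id, window, off_flags & 0x01FF)


def classify_probe(p: TcpPacket) -> List[str]:
    """Signature notes for a SYN+FIN probe; empty list for ordinary traffic."""
    if p.flags & (TCP_SYN | TCP_FIN) != (TCP_SYN | TCP_FIN):
        return []
    notes = ["SYN+FIN set (never legitimate; scanner signature)"]
    if p.window == SYNSCAN_WINDOW:
        notes.append("window 0x404 matches synscan 1.6")
    if p.ip_id == SYNSCAN_IPID:
        notes.append("IP ID 666 matches unmodified synscan 1.6")
    elif p.ip_id == VARIANT_IPID:
        notes.append("IP ID 39426 matches the variant reported in the thread")
    return notes


def find_banner_grabs(pkts: List[TcpPacket]) -> List[Tuple[TcpPacket, TcpPacket]]:
    """Pair each SYN+FIN probe with a plain SYN from the same source to the same port soon after."""
    hits = []
    for probe in (p for p in pkts if classify_probe(p)):
        for q in pkts:
            if (probe.ts < q.ts <= probe.ts + BANNER_GRAB_WINDOW_S
                    and q.src == probe.src and q.dst == probe.dst and q.dport == probe.dport
                    and q.flags & (TCP_SYN | TCP_FIN) == TCP_SYN):
                hits.append((probe, q))
                break
    return hits


# --- constructed sample frames for offline testing (placeholder addresses, zero checksums) ---
def _frame(src: str, dst: str, sport: int, dport: int, ip_id: int, window: int, flags: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


SAMPLE_FRAMES = [
    (0.0, _frame("198.51.100.7", "192.0.2.10", 40000, 21, VARIANT_IPID, SYNSCAN_WINDOW, TCP_SYN | TCP_FIN)),
    (0.3, _frame("198.51.100.7", "192.0.2.10", 40001, 21, 12345, 32120, TCP_SYN)),   # follow-up connect
    (1.0, _frame("203.0.113.5", "192.0.2.10", 50000, 80, 4711, 5840, TCP_SYN)),      # unrelated traffic
]


def analyze(frames=SAMPLE_FRAMES) -> dict:
    pkts = []
    for ts, raw in frames:
        p = parse_ipv4_tcp(ts, raw)
        if p is not None:
            pkts.append(p)
    return {
        "probes": [(p.src, p.dport, classify_probe(p)) for p in pkts if classify_probe(p)],
        "banner_grabs": [(a.src, a.dport) for a, _ in find_banner_grabs(pkts)],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze())
```

On real captures, feed `analyze()` a list of `(timestamp, raw_ipv4_frame)` pairs; a probe reported with both the window and the IP-ID note is the strongest match to the thread's signature, and a `banner_grabs` entry is the probe-then-connect behaviour Daniel describes as the definitive sign of synscan rather than of the ramen worm specifically.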