Nmap Announce mailing list archives

Re: XXXX frequent check output (fwd)


From: Sebastian <scut () nb in-berlin de>
Date: Wed, 10 Feb 1999 20:32:06 +0100 (CET)


hi.

I'm surely no expert in scanning techniques but some thoughts came to my
mind after reading this.

First, the port number. I think this is easy to explain: the author of the
scan program was just too lazy to do extra checking, so he (or she :)
captures only packets with port 65535.

Since the flags are SYN and FIN, but no ACK, the TCP has two options:
either it treats the packet as if it were a new connection, or it
treats it as if it were a connection close request.

If the first is true, it also has two options: it can either ignore the
FIN and respond normally with a simple SYN-ACK, or it may send an
ACK-FIN, but in either case it would create a new sequence number.

If the implemented TCP thinks it is a close request, it can ACK or FIN-ACK
it, but it has problems determining the sequence number it has to use,
because no ACK was sent with the first packet, and the connection
struct (if it thinks there is already a connection) stores the default
value used, or maybe a new sequence number is generated.

In conclusion, there are a lot of possible answers, which can probably help
in determining the remote operating system used.
(btw, if this information is not new but old shit discussed thousands of
times before, I apologize :)

cu,
scut

-- 
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet  --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------

On Wed, 10 Feb 1999 ark () eltex ru wrote:

Does anybody know what it all means? Looks like a new scan to me..
How is it expected to work?
IMAP as destination, weird source port and flags..
No other "strange" packets arrived, as OS type checkers do.

Security Warnings summary
=-=-=-=-=-=-=-=-=-=-=-=-=
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
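The kernel lines above give everything a defender needs to spot this probe: a flags bitmask (0x3 is FIN|SYN in TCP header bit order, a combination no conforming stack ever sends), a single fixed source port (65535) and several targets hit at the same second. The following script is an added example, not part of this thread or of Nmap; it parses the "orphan TCP packet" warning format quoted above (the regex and the field names are my assumption about that format), decodes the mask, cross-checks it against the flag names the kernel printed, labels illegal combinations, and then groups by source host to flag a source that either sends illegal flags or reuses one source port against multiple targets. The class labels ("syn-fin", "xmas", "null", ...) are this example's own; the sample log is constructed (the first two lines are the thread's warnings re-joined onto one line each, the rest are made up).

```python
import re
from collections import Counter, defaultdict

# TCP flag bits in the order the kernel's "flags 0x..<...>" field uses:
# low bit is FIN, as in the TCP header (RFC 793).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Matches the "orphan TCP packet" warning quoted in the thread.
# The exact format, regex and field names are this example's assumption.
ORPHAN_RE = re.compile(
    r"orphan TCP packet on (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+) "
    r"flags 0x(?P<mask>[0-9a-fA-F]+)<(?P<names>[^>]*)>"
)


def decode_flags(mask):
    """Expand a flags bitmask (e.g. 0x3) into names (["FIN", "SYN"])."""
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]


def classify_flags(mask):
    """Label flag combinations a conforming TCP never puts on the wire.
    Labels are this example's own; the thread does not name them."""
    fin = bool(mask & 0x01)
    syn = bool(mask & 0x02)
    rst = bool(mask & 0x04)
    psh = bool(mask & 0x08)
    urg = bool(mask & 0x20)
    if mask == 0:
        return "null"            # no flags at all
    if syn and fin:
        return "syn-fin"         # the probe discussed in the thread
    if syn and rst:
        return "syn-rst"
    if fin and psh and urg:
        return "xmas"            # FIN+PSH+URG "christmas tree" probe
    return "ordinary"


def parse_orphan_line(line):
    """Return a dict for an orphan-TCP warning, or None for other log lines."""
    m = ORPHAN_RE.search(line)
    if not m:
        return None
    mask = int(m.group("mask"), 16)
    kernel_names = [n for n in m.group("names").split(",") if n]
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "target": f"{m.group('dst')}:{m.group('dport')}",
        "mask": mask,
        "flags": decode_flags(mask),
        # sanity check: the kernel's own flag names must agree with the mask
        "names_consistent": decode_flags(mask) == kernel_names,
        "class": classify_flags(mask),
    }


def summarize(lines):
    """Group orphan-packet warnings by source host and decide which sources
    look like scanners: illegal flag combinations, or one fixed source port
    reused against several targets (the 65535 pattern from the thread)."""
    per_src = defaultdict(lambda: {"probes": Counter(), "targets": set(),
                                   "src_ports": set(), "suspicious": False})
    for line in lines:
        rec = parse_orphan_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["probes"][rec["class"]] += 1
        entry["targets"].add(rec["target"])
        entry["src_ports"].add(rec["sport"])
    for entry in per_src.values():
        illegal = any(c != "ordinary" for c in entry["probes"])
        fixed_port_sweep = len(entry["src_ports"]) == 1 and len(entry["targets"]) > 1
        entry["suspicious"] = illegal or fixed_port_sweep
    return dict(per_src)


# Constructed sample: the first two lines are the thread's own warnings with
# the wrapped lines re-joined; the remaining lines are made up for the example.
SAMPLE_LOG = """\
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:55 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x29<FIN,PSH,URG>
Feb 10 10:36:02 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:80 from 10.1.2.3:40213 flags 0x10<ACK>
Feb 10 10:36:03 XXXX sshd[4711]: Accepted publickey for scut from 10.1.2.3
"""

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG.splitlines()).items():
        tag = "SCANNER?" if info["suspicious"] else "ok"
        print(f"{src:>15} {tag:9} probes={dict(info['probes'])} "
              f"targets={sorted(info['targets'])} sports={sorted(info['src_ports'])}")
```

The lone-ACK orphan from 10.1.2.3 is left as "ordinary" on purpose: stale ACKs after a host reboot are the normal cause of these warnings, and the point is to separate them from flag combinations that can only come from a crafted packet. Running the script against real kernel output only needs the log fed in line by line; the rest of the format assumption is confined to ORPHAN_RE.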


