Nmap Announce mailing list archives
Follow up "nmap" scans
From: Lance Spitzner <lance () spitzner net>
Date: Mon, 22 May 2000 18:30:14 -0500 (CDT)
Early this morning I posted to the nmap group asking if a scan was nmap, and if not, what could it be. First, I apologize if I have digressed from the listserv, this will be my last posting on the thread. Second, thanks to everyone who responded, however the scan is not BO or BO2K related.

First, the signatures again (captured with snort).

05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400

thru

05/20-17:06:45.071544 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400

The source of the packets is port 31337, scanning dest ports 1-1024. However, the packets are not BO. One, they are TCP (BO is UDP). Also, the packets are FIN/RST/PUSH, which no natural TCP stack would create. Also, I have this response from Dildog.

--- snip snip ---

A bo2k scanner would never come -from- port 31337. Something might scan -you- for sockets listening on 31337, but not the other way around. Regardless, this would have been BO, not BO2K, since BO2K doesn't have a default port.

This just looks like a regular port scan to me with a fixed local port.

--- end ---

Second, I doubt that these are created by nmap. Note the same IP ID, Seq, Ack, and Win: numbers are used throughout the scan (a feature that I believe Fyodor fixed long ago). Also, I do not believe that nmap has a F/R/P TCP FLAG option.

Third, the owner of the IP address told me that there is no system on 192.160.13.4, this means the packets were most likely spoofed. Very bizarre indeed.

Once again, thanks for your input. If you have any ideas, I would love to hear from you, however please email me directly. I don't want to consume any more of Fyodor's bandwidth :)

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
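As an added example (not part of the original post, and not Snort or nmap code), the following Python parses records in the Snort format quoted above and reports sources whose packets show the traits the post points to: a flag combination a normal TCP stack does not emit, and identical IP ID, Seq, Ack and Win values across many destination ports. The function names, the `min_ports` threshold, the flag heuristic and every sample record other than the posted header values are assumptions made for the example.

```python
import re
from collections import defaultdict

# One Snort 1.x-style packet record as quoted in the post; fields may wrap across lines.
RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)\s+"
    r"(?P<flags>[*\w]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)"
)

def parse(log):
    return [m.groupdict() for m in RECORD.finditer(log)]

def illegal_flags(flags):
    """Assumed heuristic: no flags at all, RST together with FIN or SYN, or SYN+FIN."""
    f = set(flags) - {"*"}
    return not f or ("R" in f and bool(f & {"F", "S"})) or {"S", "F"} <= f

def crafted_scans(records, min_ports=3):
    """Report (src, dst) pairs whose IP ID, Seq, Ack and Win never change across ports."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)
    findings = []
    for (src, dst), pkts in groups.items():
        ports = {p["dport"] for p in pkts}
        static = len({(p["ipid"], p["seq"], p["ack"], p["win"]) for p in pkts}) == 1
        if len(ports) >= min_ports and static:
            findings.append({"src": src, "dst": dst, "ports": len(ports),
                             "fixed_sport": len({p["sport"] for p in pkts}) == 1,
                             "illegal_flags": all(illegal_flags(p["flags"]) for p in pkts)})
    return findings

# Constructed sample: header values are taken from the post; the timestamps, the
# records for ports 2 and 3 and the final SYN record are made up for the demo.
SCAN = "".join(
    f"05/20-17:06:45.0610{34 + p} 192.160.13.4:31337 -> 172.16.1.101:{p} "
    f"TCP TTL:44 TOS:0x10 ID:242 ***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400\n"
    for p in (1, 2, 3))
BENIGN = ("05/20-17:07:01.000000 10.0.0.5:40112 -> 172.16.1.101:80 "
          "TCP TTL:64 TOS:0x0 ID:5120 **S***** Seq: 0x1F2E3D Ack: 0x0 Win: 0x7D78\n")
SAMPLE = SCAN + BENIGN

if __name__ == "__main__":
    for finding in crafted_scans(parse(SAMPLE)):
        print(finding)
```
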