Nmap Announce mailing list archives

Re: Very cool scanning technique, nmap?


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Mon, 31 Jul 2000 14:59:41 +0200


Lance Spitzner wrote:

He tries the following packet combos:

SYN/ACK
SYN
FIN
FIN/ACK
SYN/FIN
PSH

... and at the end, he goes for an XMAS+YMAS+SYN packet..

By the way, the two first packets come SYN, SYN+ACK in the
second scan. I'm going to go ahead and assume that this
was the intended order:

SYN
SYN+ACK
FIN
FIN+ACK
SYN+FIN
PSH
XMAS+YMAS+SYN

Looking at the timings, it isn't too far-fetched to assume
that the two first packets were simply reordered during
transit.

Weird scan, by the way. I can't really see how the 
combination would do any good. I'd guess that it's some
sort of brutish scanner that volleys everything in its
arsenal at the destination (sans NULL and ACK probes) and 
hopes for something in return to either one of the packets.

(It could be some old outdated DoS attack too. Who knows)

I'm not aware of any scanner behaving this way. Anyone else?

Maybe some digging in the incidents lists would show some
results.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se
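
An added detection sketch, not part of the original message: it flags a source that sends several different abnormal TCP flag bytes to one port within a short window, comparing them as a set so that the reordering mentioned above does not change the result. XMAS is taken as FIN+PSH+URG (nmap's definition); reading "YMAS" as the two high flag bits is an assumption, and the addresses, port and timestamps are constructed.

```python
from collections import defaultdict

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
XMAS = 0x29  # FIN+PSH+URG, the set nmap's Xmas scan uses
YMAS = 0xC0  # ASSUMPTION: "YMAS" = the two high bits (reserved in 2000, ECN today)

def flag_names(flags):
    """Render a TCP flags byte as e.g. 'SYN+ACK'."""
    return "+".join(n for n, b in FLAG_BITS.items() if flags & b) or "NULL"

def anomalies(flags):
    """Reasons this flags byte does not fit a normal TCP session."""
    out = []
    if (flags & 0x02) and (flags & 0x01):
        out.append("SYN+FIN")
    if (flags & XMAS) == XMAS:
        out.append("XMAS")
    if flags & YMAS:
        out.append("YMAS bits")  # expect false positives where ECN is in use
    if not (flags & 0x16):  # every normal segment carries SYN, ACK or RST
        out.append("no SYN/ACK/RST")
    return out

def find_volleys(packets, window=2.0, min_odd=3):
    """Map (src, dst, dport) -> set of odd flag bytes seen within `window` seconds.
    A set is used so that packets reordered in transit give the same result."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if anomalies(flags):
            by_key[(src, dst, dport)].append((ts, flags))
    hits = {}
    for key, seen in by_key.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            odd = {f for ts, f in seen[i:] if ts - start <= window}
            if len(odd) >= min_odd:
                hits[key] = odd
                break
    return hits

# Constructed sample: the seven probes from the post (first two swapped), then
# an ordinary client session. Addresses are documentation ranges.
A, B, D = "192.0.2.10", "192.0.2.77", "198.51.100.5"
SAMPLE = [(0.01 * i, A, D, 80, f) for i, f in
          enumerate([0x12, 0x02, 0x01, 0x11, 0x03, 0x08, XMAS | YMAS | 0x02])]
SAMPLE += [(5.0 + i, B, D, 80, f) for i, f in enumerate([0x02, 0x10, 0x18, 0x11])]

if __name__ == "__main__":
    for key, odd in find_volleys(SAMPLE).items():
        print(key, sorted(flag_names(f) for f in odd))
```

The SYN, SYN+ACK and FIN+ACK probes look normal one packet at a time, so only the four malformed bytes count toward the threshold; catching the unsolicited SYN+ACK would need connection state.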
