Nmap Announce mailing list archives
Re: Very cool scanning technique, nmap?
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Mon, 31 Jul 2000 14:59:41 +0200
Lance Spitzner wrote:
He tries the following packet combos: SYN/ACK SYN FIN FIN/ACK SYN/FIN PSH
... and at the end, he goes for a XMAS+YMAS+SYN packet..

By the way, the two first packets come SYN, SYN+ACK in the second scan. I'm going to go ahead and assume that this was the intended order:

SYN SYN+ACK FIN FIN+ACK SYN+FIN PSH XMAS+YMAS+SYN

Looking at the timings, it isn't too far fetched to assume that the two first packets were simply reordered during transit.

Weird scan, by the way. I can't really see how the combination would do any good. I'd guess that it's some sort of brutish scanner that volleys everything in its arsenal at the destination (sans NULL and ACK probes) and hopes for something in return to either one of the packets. (It could be some old outdated DoS attack too. Who knows)

I'm not aware of any scanner behaving this way. Anyone else? Maybe some digging in the incidents lists would show some results.

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: mikael.olsson () enternet se
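Added example, not part of the original message or of any tool it mentions: a small detector that looks for the seven flag combinations listed above from one source to one destination, matching them regardless of arrival order so that in-transit reordering does not hide the pattern. The function name `find_volleys`, the sample addresses and timings are constructed, and treating XMAS/YMAS as the two formerly reserved high bits of the TCP flags byte is an assumption.

```python
from collections import defaultdict

# Standard TCP flag bits (RFC 793). XMAS/YMAS are assumed here to be the two
# formerly reserved high bits of the flags byte; the email does not define them.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "XMAS": 0x40, "YMAS": 0x80}

def mask(*names):
    """Combine flag names into a single flags byte."""
    m = 0
    for n in names:
        m |= FLAGS[n]
    return m

# The probe order the reply assumes was intended.
VOLLEY = [mask("SYN"), mask("SYN", "ACK"), mask("FIN"), mask("FIN", "ACK"),
          mask("SYN", "FIN"), mask("PSH"), mask("XMAS", "YMAS", "SYN")]

def find_volleys(packets, window=5.0):
    """Return {(src, dst): info} for pairs that sent every VOLLEY combination
    within `window` seconds, in any order. `packets` is an iterable of
    (timestamp, src, dst, flags_byte) tuples."""
    first_seen = defaultdict(dict)            # (src, dst) -> {flags: timestamp}
    for ts, src, dst, flags in sorted(packets):
        if flags in VOLLEY:
            first_seen[(src, dst)].setdefault(flags, ts)
    hits = {}
    for pair, seen in first_seen.items():
        if len(seen) < len(VOLLEY):
            continue                          # not the full set of probes
        if max(seen.values()) - min(seen.values()) > window:
            continue                          # too spread out to be one volley
        arrival = sorted(seen, key=seen.get)  # combinations in arrival order
        hits[pair] = {"reordered": arrival != VOLLEY,
                      "arrival": [VOLLEY.index(f) for f in arrival]}
    return hits

SCANNER, TARGET = "192.0.2.10", "198.51.100.5"   # constructed addresses
SAMPLE = [  # constructed capture: SYN+ACK arrives just before SYN
    (0.00, SCANNER, TARGET, mask("SYN", "ACK")), (0.01, SCANNER, TARGET, mask("SYN")),
    (0.20, SCANNER, TARGET, mask("FIN")), (0.40, SCANNER, TARGET, mask("FIN", "ACK")),
    (0.60, SCANNER, TARGET, mask("SYN", "FIN")), (0.80, SCANNER, TARGET, mask("PSH")),
    (1.00, SCANNER, TARGET, mask("XMAS", "YMAS", "SYN")),
    (0.50, "192.0.2.77", TARGET, mask("SYN")), (0.55, "192.0.2.77", TARGET, mask("ACK")),
]

if __name__ == "__main__":
    for pair, info in find_volleys(SAMPLE).items():
        print(pair, info)
```
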