Nmap Announce mailing list archives

Re: Very cool scanning technique, nmap?


From: "Toby Miller" <infowar () erols com>
Date: Mon, 31 Jul 2000 23:03:13 -0700

It looks like queso. If you look at the SYN packets there are two that set
the reserved bits along with the SYN flag. I am writing a paper on
hping2, nmap and queso and how to identify them in the wild. From my research
I have discovered the following about queso and the packets it sends out:
QUESO sends out
SYNs = 4 (2 of which set the reserved bits (13th byte of the TCP header))
SYN | ACK = 2
P = 2
SYN | FIN = 2
FIN = 2
FIN | ACK = 2
Hopefully this helps,
Toby



-----Original Message-----
From: Lance Spitzner <lance () spitzner net>
To: nmap-hackers () insecure org <nmap-hackers () insecure org>
Date: Sunday, July 30, 2000 9:35 PM
Subject: Very cool scanning technique, nmap?


Check this port scan out.  The guy is looking for open
ftp ports (21) on only two systems.  What makes this
scanning technique so unique is that the tool tries
a variety of different packet methods.   For example,
the first system he scans is .107 on port 21.  He tries
the following packet combos.

SYN/ACK
SYN
FIN
FIN/ACK
SYN/FIN
PSH

then repeat for system .101 on the same port, 21

Scanning gurus, any idea? nmap doesn't have this, does it?


07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
TCP TTL:239 TOS:0x0 ID:45258
**S***A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
7F 40 00 00 00 00                                .@....

07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45257
**S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
4B 85 70 36 1D 0C                                K.p6..

07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45259
***F**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
30 FD 70 20 22 10                                0.p ".

07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45260
***F**A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
1B 8E 70 8D 68 6D                                ..p.hm

07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45261
**SF**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
51 D9 70 82 22 C6                                Q.p.".

07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45262
*****P** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
CF C4 70 83 A1 88                                ..p...

07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45263
21S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07 91 70 13 72 1A                                ..p.r.

07/19-08:28:07.564938 212.171.169.46:25218 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56555
**S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
6A C0 00 00 00 00                                j.....

07/19-08:28:07.575469 212.171.169.46:25219 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56556
**S***A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
69 FE 9A 39 1A EE                                i..9..

07/19-08:28:07.593808 212.171.169.46:25220 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56557
***F**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
92 D9 9A 64 D6 C2                                ...d..

07/19-08:28:07.615849 212.171.169.46:25221 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56558
***F**A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
16 D2 9A 89 7C 9B                                ....|.

07/19-08:28:07.634785 212.171.169.46:25222 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56559
**SF**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
75 44 9A 18 8D 07                                uD....

07/19-08:28:07.655469 212.171.169.46:25223 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56560
*****P** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
5E E0 9A 18 5E 11                                ^...^.

07/19-08:28:07.674845 212.171.169.46:25224 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56561
21S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
52 DE 9A 07 23 31                                R...#1

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
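The flag pattern Toby describes can be matched mechanically against Snort packet logs like the ones Lance pasted. The Python below is an added example, not code from this thread or from Snort or queso: it parses the log format shown above and reports a source that sends all seven probe types (including the reserved-bit SYN) to one target port within a short window. The 5-second window and the Snort 1.x flag column order "21SFRPAU" are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort 1.x prints TCP flags in the order "21SFRPAU"; '1' and '2' are the two reserved bits
HDR = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):\d+ -> (\S+):(\d+)$")
FLG = re.compile(r"^([*21SFRPAU]{8}) Seq:")
# Flag combinations queso sends to each target port, as listed in the thread (reserved-bit SYN included)
QUESO_PROBES = {frozenset(f) for f in ("S", "SA", "F", "FA", "SF", "P", "S12")}
def parse_snort_log(text):
    # Returns [(timestamp, src, dst, dport, flagset)]; TTL and payload-hex lines are skipped
    records, cur = [], None
    for line in text.splitlines():
        h, f = HDR.match(line.strip()), FLG.match(line.strip())
        if h:
            cur = (datetime.strptime(h.group(1), "%m/%d-%H:%M:%S.%f"), h.group(2), h.group(3), int(h.group(4)))
        elif f and cur:
            records.append(cur + (frozenset(f.group(1).replace("*", "")),))
            cur = None
    return records
def find_queso_scans(records, window=5.0):
    # Reports each (src, dst, dport) that received every queso probe type within `window` seconds
    by_target = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        by_target[(src, dst, dport)].append((ts, flags))
    hits = []
    for target, probes in by_target.items():
        probes.sort(key=lambda p: p[0])
        span = (probes[-1][0] - probes[0][0]).total_seconds()
        if QUESO_PROBES <= {flags for _, flags in probes} and span <= window:
            hits.append((target, round(span, 3)))
    return hits
# Constructed sample: the .107 probes from the capture in the thread, TTL and hex lines omitted
SAMPLE_LOG = """\
07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
**S***A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
**S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
***F**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
***F**A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
**SF**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
*****P** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
21S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
"""
```

Running `find_queso_scans(parse_snort_log(SAMPLE_LOG))` on the sample reports the .107 target with the whole probe set arriving in about 0.1 seconds; a capture missing any one of the seven combinations is not reported.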


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
