Re: ACK Scans

[Philippe Biondi <biondi () cartel-securite fr>]

On Fri, 23 May 2003, Triple Crown wrote:

> I'm researching some snort archived files from last year and have keyed on
> some detects triggered by this snort rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap
> TCP";flags:A;ack:0;
> reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
>
> I've tried to reproduce the scan with nmap of sending a lone ACK flag
> with an acknowlegement  number of 0 without any success.
>
> A google search lead me to this:
> http://archives.neohapsis.com/archives/snort/2000-08/0163.html
>
> Apparently there was a bug in an older version of nmap that would
> produce this type of
> scan. The date on the posts from the above URL suggest that the bug
> existed a few
> years back.
>
> Does anyone know if it is possible to reproduce this scan with nmap
> without the older
> version ? All of my testing with -PT or -sA resulted in what appears to
> be random
> ACK numbers
>
> On a side note -
> It may just be my ignorance of using the -PT  flag properly but I found
> you can't do
> a -PT80 as suggested in the man pages to scan port 80, but by adding
> -p80 it
> works properly.
>
> Any help is appreciated.....

Use tcpdump to know exactly what are the sent packets and if they matrch
your expectations.

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).