Nmap Development mailing list archives

Re: SYN Scan values - article

From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 23 Jun 2006 10:52:30 +0200

On Wed, Jun 21, 2006 at 11:11:24PM -0400, kx wrote:

> Set the DF bit.

This raises the possibility that the SYN packet will not get through,
doesn't it?

> Set the TTL to 64 or 128 or vary by OS

This way we could reveal the distance of the scanner from the target.
No big deal, though...

> Also, another thing I was wondering about, is what does our RST
> signature look like compared to real OSes?

Nmap doesn't generate the RST by itself; (generally) it is generated
by the OS the scanner is running on (as a response to the unsolicited
SYN+ACK packets coming back from the target). Hence, the RST should
match the real OS the scanner is running on.

> I am just trying to think of ways to make our SYN scans stick out
> less to potential IDS rules. Curious on your thoughts.

Well, I think that we would still match from a behavior point of view
(too many SYNs to different ports over a short time period).

Martin Mačok
ICT Security Consultant
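An added example, not part of the thread, of the two defender-side points above: the behavioural SYN-scan check Martin describes (many SYN-only segments to distinct ports within a short window) and the hop-distance estimate a TTL leaks. The log format, thresholds and the candidate initial TTL values are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample sensor log (not from the thread): one line per TCP
# segment as "epoch_seconds src dst dport flags ttl". 10.0.0.9 sends
# SYN-only segments to many ports within two seconds; 10.0.0.5 is a
# normal client completing one connection.
SAMPLE_LOG = """\
1150000000.10 10.0.0.9 10.0.0.20 22 S 57
1150000000.21 10.0.0.9 10.0.0.20 80 S 57
1150000000.32 10.0.0.9 10.0.0.20 443 S 57
1150000000.43 10.0.0.9 10.0.0.20 25 S 57
1150000000.54 10.0.0.9 10.0.0.20 110 S 57
1150000001.02 10.0.0.5 10.0.0.20 80 S 120
1150000001.10 10.0.0.5 10.0.0.20 80 A 120
1150000001.76 10.0.0.9 10.0.0.20 3306 S 57
1150000040.00 10.0.0.9 10.0.0.20 21 S 57
"""

def parse_log(text):
    """Parse the constructed log format into (ts, src, dport, flags, ttl)."""
    rows = []
    for line in text.splitlines():
        ts, src, _dst, dport, flags, ttl = line.split()
        rows.append((float(ts), src, int(dport), flags, int(ttl)))
    return rows

def syn_scan_sources(rows, window=5.0, min_ports=6):
    """Flag sources that sent SYN-only segments to >= min_ports distinct
    destination ports within any sliding window of `window` seconds.
    Returns {src: max_distinct_ports_seen_in_one_window}."""
    by_src = defaultdict(list)
    for ts, src, dport, flags, _ttl in rows:
        if flags == "S":                        # SYN set, ACK clear
            by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent, best = deque(), 0
        for ts, dport in events:
            recent.append((ts, dport))
            while ts - recent[0][0] > window:   # expire events outside window
                recent.popleft()
            best = max(best, len({p for _, p in recent}))
        if best >= min_ports:
            flagged[src] = best
    return flagged

def estimate_hops(ttl):
    """Estimate hop distance from an observed TTL, assuming the sender started
    from the nearest common initial TTL (64, 128 or 255) at or above it."""
    initial = next(i for i in (64, 128, 255) if ttl <= i)
    return initial - ttl
```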


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev