-----BEGIN PGP SIGNED MESSAGE-----

We just recently got hit by a bunch of port 0 scans of IMAP. A sample packet dumped from tcpdump looks like this:

    08:59:26.428386 195.2.130.209.0 > chocolate.hitl.washington.edu.imap: SF 973406208:973406208(0) win 512
                     4500 0028 5f02 0000 e906 621b c302 82d1    E..(_...i.b.C..Q
                     805f 4a7f 0000 008f 3a05 0000 0000 0000    ._J.....:.......
                     5003 0200 629b 0000 0000 0000 0000         P...b.........

Note that both the source port is zero, and they've turned on both TH_SYN and TH_FIN on the packet. Both of these are undoubtedly in an attempt to bypass a firewall. It should also be noted that the attacker probably downloaded DNS records and fed those into the probe script.

On every IP stack I've checked (except for this strange DEClaser 3200 printer), the SYN+FIN scan is equivalent to a SYN scan (aka "probe" aka "half-open scan"). In general a SYN packet can have any of the FIN, PSH or URG flags turned on as long as ACK and RST are turned off, and IP stacks will typically respond to them as a SYN packet (at least for the purposes of initial handshaking). The major exception to this is Solaris (2.5.1 and 2.6), where turning on URG will cause packets to open ports to be dropped, but SYN + [FIN] + [PSH] will otherwise work.

Uriel Maimon's (Phrack P49-15) FIN scan behavior (closed port = RST, open port = dropped) can also be seen with PSH, URG or simply with a TCP packet with no flags (and all 8 permutations of FIN|PSH|URG). Generally the machines that FIN scanning does not work against (IRIX, Win95/WinNT, HP-UX) are not vulnerable to any of these alternative forms of scanning. The only remaining oddity I've found is HP-UX, which allows for an 'ACK' scan (ACK + anything other than RST) which returns a different value of th_win depending on whether the receiving port is open or closed.

While most TCP/IP stacks are pretty similar (either 'FIN-scannable' or 'not-FIN-scannable') for the purposes of scanning, you can get a lot of information on what kind of OS the machine might be by looking at the returned packets from going through all the different 64 combinations of TCP/IP flags (cf. 'active probing', Comer+Lin, etc.). I've got a short bit of code at:

    http://www.hitl.washington.edu/people/lamontg/tft.c

which will 'exercise' a target machine's TCP stack and report back possible flag combinations that might be useful to use to scan the machine for open or closed ports.

- --
Lamont Granquist <lamontgat_private>
(206)616-1469 fax:(206)543-5380
Human Interface Technology Lab. University of Washington. Seattle, WA
PGP pubkey: finger -l lamontgat_private | pgp -fka

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNaMc6yGfPhFbK8mBAQFAIwQAoBzieXcJeFIlvx6ipSlpJverQCGsnMcf
N8eT3zM5LeAjP0xEPSIsfIFSw5xwqzZNgxABT2bw1w7iA4rKP4KW8XWuYm00V7cA
PQQd5nyJa9yb1Uzj3Kfa4Jh/8Ssp3On5qT9UsfkkFFgVm/DcY39h5O+y3Hv8WB1E
rbIXMKd5eeg=
=qdti
-----END PGP SIGNATURE-----
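The packet quoted in the message, decoded in Python as an added example. This is not the poster's tft.c (which probes a live host); it sends nothing and only parses bytes. It reads the `tcpdump -x` hex lines from the post, verifies the IP header checksum, pulls out the source port and th_flags, and labels the flag combination according to the rules the message states (SYN with ACK/RST clear handshakes like a SYN; FIN/PSH/URG/no flags behave like a FIN scan; ACK without RST is the HP-UX ACK-scan case); `census()` then shows how the 64 combinations split under those rules. The function names (`parse_ipv4_tcp`, `classify`, `scan_indicators`, `census`) and the label strings are my own; the six trailing zero bytes in the dump are treated as link-layer padding because the IP total length says the datagram is 40 bytes.

```python
"""Decode the IPv4/TCP header from the tcpdump hex dump in the post and
classify its flag combination by the rules stated there.
Added example; not the poster's tft.c and it sends no packets."""
import ipaddress
import struct
from typing import Dict, List

# th_flags bits, as in BSD <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed input: the 'tcpdump -x' hex lines from the post, copied verbatim.
SAMPLE_HEX = """
4500 0028 5f02 0000 e906 621b c302 82d1
805f 4a7f 0000 008f 3a05 0000 0000 0000
5003 0200 629b 0000 0000 0000 0000
"""


def hexdump_to_bytes(text: str) -> bytes:
    """Turn whitespace-separated hex words (tcpdump -x style) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum; 0 when the header's checksum field is right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flag_string(flags: int) -> str:
    """Render th_flags in the order old tcpdump prints them (S F R P), then A, U."""
    order = ((TH_SYN, "S"), (TH_FIN, "F"), (TH_RST, "R"),
             (TH_PSH, "P"), (TH_ACK, "A"), (TH_URG, "U"))
    return "".join(ch for bit, ch in order if flags & bit) or "."


def parse_ipv4_tcp(raw: bytes) -> Dict[str, object]:
    """Parse an IPv4 header followed by a TCP header; raise on anything else."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    (vihl, _tos, total_len, ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    if len(raw) < total_len or total_len < ihl + 20:
        raise ValueError("IP length %d does not hold a TCP header" % total_len)
    # Trust the IP total length, not the capture length: tcpdump shows the
    # link-layer padding (the trailing zero bytes) after the datagram ends.
    tcp = raw[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     win, _tcksum, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ip_id": ident, "ip_len": total_len, "ttl": ttl,
        "ip_checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x3F,
        "win": win, "urg": urg,
    }


def classify(flags: int) -> str:
    """Label a flag combination by how the post says stacks treat it."""
    if flags & TH_RST:
        return "rst"             # RST set: not one of the probe types discussed
    if flags & TH_ACK:
        return "ack-scan"        # ACK + anything but RST (the HP-UX th_win oddity)
    if flags & TH_SYN:
        return "syn-equivalent"  # SYN with ACK/RST clear: handshakes like a plain SYN
    return "fin-scan-style"      # FIN/PSH/URG/none: RST on closed, silence on open


def scan_indicators(pkt: Dict[str, object]) -> List[str]:
    """What a firewall or IDS rule would flag about this packet."""
    flags = int(pkt["flags"])
    found = []
    if pkt["sport"] == 0:
        found.append("source port 0")
    if flags & TH_SYN and flags & (TH_FIN | TH_PSH | TH_URG):
        found.append("SYN plus FIN/PSH/URG (%s): %s" % (flag_string(flags), classify(flags)))
    if not flags & (TH_SYN | TH_ACK | TH_RST):
        found.append("no SYN/ACK/RST (%s): %s" % (flag_string(flags), classify(flags)))
    return found


def census() -> Dict[str, int]:
    """How the 64 possible th_flags values split under classify()."""
    counts: Dict[str, int] = {}
    for flags in range(64):
        counts[classify(flags)] = counts.get(classify(flags), 0) + 1
    return counts


if __name__ == "__main__":
    p = parse_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEX))
    print("%s.%d > %s.%d %s seq %d win %d ttl %d" % (
        p["src"], p["sport"], p["dst"], p["dport"],
        flag_string(p["flags"]), p["seq"], p["win"], p["ttl"]))
    for note in scan_indicators(p):
        print("  -", note)
    print(census())
```

Run as a script it prints the same 5-tuple and flag string tcpdump showed (`195.2.130.209.0 > 128.95.74.127.143 SF seq 973406208 win 512 ttl 233`), the two things the post calls out (source port 0 and SYN combined with FIN), and the split of the 64 combinations: 32 carry RST, 16 are ACK-scan style, 8 are SYN-equivalent and 8 are FIN-scan style. Parsing by the IP total length rather than the capture length is the check that matters when feeding real dumps in: without it the padding bytes end up inside the TCP header of the next computation.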
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:17 PDT