On Wed, Sep 15, 1999, Lamont Granquist <lamontgat_private> wrote:
>
> I just posted a patch to nmap to the nmap-hackers list which implements
> yet another "stealth" scan. This one sends out packets with only the ACK
> bit set and looks for responses that either have th_win set to some value
> (0x1000, 0x2000, 0x4000 typically) or th_win is clear. Fyodor went
> through the nmap-os-fingerprints file and found that it was easy to use
> that database to find systems which are vulnerable to these kinds of
> scans.
>
> Vulnerable systems of note include:
> Digital Unix 4.0X
> FreeBSD <=4.0
> OpenBSD <=2.5.
> AIX <=4.3.2 (is this current?)
>
> Notable systems which are /NOT/ vulnerable include:
> Solaris (all?)
> IRIX 6.x
> HP-UX 11.0
> Linux (all?)

This is probably one of the oldest stealth scanning techniques out there. In fact, the original (that I have found) email discussing this was back in December of 1995 (!) by Darren Reed:

http://lists.gnac.net/firewalls/mhonarc/firewalls.9512/msg00089.html

A little snippet:

"When kernels based on BSD networking are targeted, a non-zero window is returned for sockets which are listening. This is due to them (a) having a non-zero window in the listening state and (b) a pointer, tp, being non-null when passed to tcp_close() to send the RST. In case (b), tp points to the listening socket.

Looking at the above table, we can scan for active listening ports quite successfully, so long as we know what to expect back. In particular, using a SYN-ACK instead of a SYN seems particularly fruitful."

In fact, this was the original email that got me started on writing sirc in which I used this exact technique to fingerprint BSD-based OSes.

JE
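The two observations in the thread (ACK-only probes sent to ports with no prior handshake, and BSD-derived stacks answering with an RST whose th_win is non-zero only for listening sockets) are easy to check for from the receiving side. The following is an added Python example, not code from this post, from nmap or from sirc: it parses raw 20-byte TCP headers, tracks which 4-tuples have seen a SYN, flags a source that sends unsolicited ACK segments to several ports of one host, and separately records every RST answering such a probe with a non-zero window, which is the information leak the post describes. The packet sample, the host addresses, the simplified handshake tracking and the three-port threshold are all constructed assumptions for the example.

```python
import struct
from collections import defaultdict

# TCP flag bits (low six bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Fixed 20-byte TCP header: ports, seq, ack, offset+flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIHHHH")


def build_tcp(sport, dport, flags, win, seq=0, ack=0):
    """Build a bare TCP header for constructed test traffic (checksum left zero)."""
    return TCP_HDR.pack(sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)


def parse_tcp(raw):
    """Decode the fields the detector needs from a raw TCP header."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = TCP_HDR.unpack_from(raw)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "win": win}


def detect_ack_scan(packets, min_ports=3):
    """Scan a list of (src_ip, dst_ip, raw_tcp_header) records.

    Returns 'scanners': (src, dst) pairs that sent ACK-only segments, with no
    SYN seen on that 4-tuple, to at least min_ports distinct ports, and
    'leaky_rst': (port, window) for RSTs that answered such a probe with a
    non-zero window (the BSD behaviour that reveals a listening socket).
    """
    handshake = set()            # 4-tuples on which a SYN (or SYN-ACK) was seen
    unsolicited = set()          # 4-tuples of ACK-only probes without SYN history
    probes = defaultdict(set)    # (src, dst) -> probed destination ports
    leaky = []                   # (dst_port, window) for leaking RST replies

    for src, dst, raw in packets:
        seg = parse_tcp(raw)
        flags = seg["flags"]
        fwd = (src, seg["sport"], dst, seg["dport"])
        if flags & SYN:
            handshake.add(fwd)
            continue
        if flags == ACK and fwd not in handshake:
            unsolicited.add(fwd)
            probes[(src, dst)].add(seg["dport"])
            continue
        if flags & RST:
            # An RST answers the probe on the reversed 4-tuple.
            rev = (dst, seg["dport"], src, seg["sport"])
            if rev in unsolicited and seg["win"] != 0:
                leaky.append((seg["sport"], seg["win"]))

    scanners = {pair: sorted(ports) for pair, ports in probes.items()
                if len(ports) >= min_ports}
    return {"scanners": scanners, "leaky_rst": leaky}


SCANNER, VICTIM, CLIENT = "10.0.0.5", "192.0.2.10", "10.0.0.7"  # constructed


def sample_packets():
    """Constructed capture: one legitimate handshake plus one ACK-only sweep."""
    pkts = []
    # Legitimate three-way handshake on port 80: its final ACK must not be flagged.
    pkts.append((CLIENT, VICTIM, build_tcp(40000, 80, SYN, 0x2000, seq=100)))
    pkts.append((VICTIM, CLIENT, build_tcp(80, 40000, SYN | ACK, 0x4000, seq=500, ack=101)))
    pkts.append((CLIENT, VICTIM, build_tcp(40000, 80, ACK, 0x2000, seq=101, ack=501)))
    # ACK-only probes to five ports with no preceding SYN.
    for port in (22, 25, 80, 443, 8080):
        pkts.append((SCANNER, VICTIM, build_tcp(55000, port, ACK, 0x1000, seq=1, ack=1)))
    # Every probe is answered with RST; a BSD-style stack puts a non-zero window
    # on the RSTs for listening ports (22 and 80 here) and zero on the rest.
    for port, win in ((22, 0x1000), (25, 0), (80, 0x1000), (443, 0), (8080, 0)):
        pkts.append((VICTIM, SCANNER, build_tcp(port, 55000, RST, win, seq=1)))
    return pkts


if __name__ == "__main__":
    report = detect_ack_scan(sample_packets())
    for (src, dst), ports in report["scanners"].items():
        print(f"ACK sweep from {src} against {dst}: ports {ports}")
    for port, win in report["leaky_rst"]:
        print(f"RST from port {port} carries window {win:#x}: listening socket revealed")
```

On the constructed sample the detector reports one sweep (10.0.0.5 against 192.0.2.10, ports 22, 25, 80, 443, 8080) and two leaking RSTs (ports 22 and 80, window 0x1000), while the legitimate client's handshake ACK is ignored because its 4-tuple was seen in a SYN. A stack that answers every unsolicited ACK with an RST whose window is zero, as the post says Solaris, IRIX, HP-UX and Linux do, produces an empty leaky_rst list; a stateful packet filter that drops ACK segments for unknown connections produces no RSTs at all.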
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:11 PDT