RE: Strange TCP headers

From: Benjamin Tomhave (falconat_private)
Date: Sat May 11 2002 - 10:30:13 PDT

  • Next message: Bukys, Liudvikas: "Windows Systems Defaced/destroyed, plus Port 3389 attacks"

    I remember seeing an announcement on the nmap list a couple weeks ago for a
    different OS fingerprinting technique (there was some discussion as to
    whether or not this was actually a new approach).  They say that they use
    SYN packets in their testing.  Has anybody tested this tool against their
    firewall or IDS to see how the scans show up?
    
    Here's the original announcement (with corrected links) on this "new" OS
    fingerprinting technique...
    
    -----Original Message-----
    From: Franck Veysset [mailto:franck.veyssetat_private]
    Sent: Wednesday, April 17, 2002 11:25 AM
    To: pen-testat_private
    Cc: ringat_private
    Subject: OS fingerprinting technique
    
    
    Carefully studying the way TCP works, especially some timer value
    inside the TCP stack, we have derived on a new technique for remote OS
    detection, based on temporal response analysis.
    
    The idea is quite simple: send a TCP SYN packet to an open port on a
    remote system, and listen the different answers (usually successive
    SYN/ACK packets). By measuring the number of response, the delay
    between retries, and the optional presence of a "RST" packet after a
    few answers, we can easily recognize some operating systems.
    The nice thing is that it only required to send one packet on an open
    TCP port, which make this method really quiet.
    
    As a proof of concept, we also developed a standalone tool "RING"
    that will perform these testings and identifications, using a signature
    file.
    
    More information is available at:
    http://www.intranode.com/site/techno/techno_articles.htm
    
    The open source tool can be downloaded from:
    http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz
    
    The full, 13 pages, white paper is available at:
    http://www.intranode.com/pdf/techno/ring-full-paper.pdf
    
    We will be very happy to get your feedback on this technique.
    Feel free to contact us at: ringat_private
    
    Thanks,
    
    -Franck
    --
    Franck Veysset    --   http://www.INTRANODE.com
           Intranode Software Technologies
    
    It is always possible to aglutenate multiple separate
    problems into a single complex interdependent solution.
    In most cases this is a bad idea. (RFC 1925)
    
    
    -----Original Message-----
    From: Michel Arboi [mailto:arboiat_private]
    Sent: Saturday, May 11, 2002 1:33 AM
    To: pbsarnacat_private; incidentsat_private
    Subject: Re: Strange TCP headers
    
    
     --- pbsarnacat_private a écrit :
    > The interesting thing is that a majority of the scans are originating
    > from port 6346, which snort.org informs me is the gnutella server
    > port.
    
    I suspect that your Pix is not decoding those packets (or fragments)
    correctly.
    If this is a new scanning technique, I hardly understand its use. Some
    kind of fingerprinting maybe? They would use the 6346 port because it
    might be unfiltered (on personal firewall at least), just like some
    people used the 20 (FTP data) port to go through stupid stateless
    filters.
    
    > All those I've verified that at least
    > two of the clients that these packets were directed to were running
    > various file-sharing clients.
    
    So I'd rather bet for
    1. an artefact created by the Cisco
    2. some data corruption (bad phone line, deffective modem, whatever)
    3. some IP layer bug
    
    
    ___________________________________________________________
    Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français !
    Yahoo! Mail : http://fr.mail.yahoo.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat May 11 2002 - 11:07:33 PDT