Re: [logs] Log Analysis of Scanning

From: Fabio Pietrosanti (naif) (naifat_private)
Date: Fri Jul 19 2002 - 05:35:22 PDT


    I forwarded the message to vecnaat_private, the author of the vecna scan, and he
    asked me to reply to the list with his response (I'm feeling like a proxy :P):
    
    ---- Message coming from vecna --- BEGIN
    
    VECNA scans belong to the family of the "negation scans"; when I discovered
    them, they appeared stealthier because they were unknown and unlogged by any kind
    of IDS/tcplogger.
    
    They work like the FIN and FULLXMAS scans: a FIN scan is made with TCP packets
    sent with the FIN flag set, FULLXMAS is made with the URG+PUSH+FIN flags.
    
    Using one of these single flags reproduces the same thing.
    URG, URG + FIN, PUSH + URG, PUSH + FIN, PUSH: always, if sent to a closed
    port, the host replies with RST+ACK; if sent to an open port, it does not reply.
    
    The negation scan becomes very difficult if applied to a host with the
    BSD sysctl protection called "tcpudp blackhole", because this option blocks
    any RST+ACK reply from closed ports. Any VECNA/FIN/FULLXMAS packet sent
    waits for the timeout and the port appears open.
    
    In addition, in November '99, I did not speak about the SYN+URG, SYN+FIN, SYN+PUSH
    variants of the SYN scan; usually any packet with the SYN flag is logged, but
    some tcploggers check whether the other flags are unset, and in that case don't log
    the packets (!?).
    
    This scan could be used three years ago; now that obscurity no longer
    exists, using VECNA or any other negation scan is the same thing.
    
    In addition, only nmap 2.12 supports my old patch; fyodor never wanted to
    put this patch in as "official".
    
    bye,
    vecna
    vecnaat_private
    ---- Message coming from vecna --- END
    
    Cheers :)
    
    On Thu, May 30, 2002 at 05:54:50PM -0700, Ganu Skop wrote:
    > Hi there,
    > Does anyone know a good pointer for these types of scan?
    > INVALIDACK
    > FULLXMAS
    > VECNA
    
    -- 
    
    Fabio Pietrosanti ( naif )
    E-mail: naifat_private - naifat_private
    PGP Key (DSS) http://naif.itapac.net/naif.asc
    --
     "Hacking is the future of security research" R.Power, CSI 
    Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
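
    To make the behaviour vecna describes above concrete for log analysis, here is an
    added example; it is not part of the original post and is not vecna's nmap patch or
    any tool's own code. It models the three points in the message: which flag
    combinations are negation probes (a closed port answers RST+ACK, an open port stays
    silent), why a target running the BSD blackhole sysctl turns every silent port into
    an apparent open one, and why a tcplogger that only logs a pure SYN misses the
    SYN+FIN/SYN+PSH/SYN+URG variants. The tcpdump-style log lines, addresses and
    function names are constructed for illustration and are assumptions, not a real
    capture.

```python
import re
from collections import Counter

# tcpdump flag letters and the TCP flags they stand for ('.' is ACK in "Flags [..]" output)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}

# Flag sets the post lists as "negation" probes: a closed port answers RST+ACK,
# an open port stays silent. FIN and FULLXMAS are the named scans; the rest are VECNA variants.
NEGATION_LABELS = {
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "FULLXMAS",
    frozenset({"URG"}): "VECNA (URG)",
    frozenset({"FIN", "URG"}): "VECNA (URG+FIN)",
    frozenset({"PSH", "URG"}): "VECNA (PSH+URG)",
    frozenset({"FIN", "PSH"}): "VECNA (PSH+FIN)",
    frozenset({"PSH"}): "VECNA (PSH)",
}


def parse_flags(flag_str):
    """Turn a tcpdump flag field such as 'FPU', 'S.' or '[R.]' into a frozenset of flag names."""
    names = set()
    for ch in flag_str.strip("[]"):
        if ch not in FLAG_NAMES:
            raise ValueError(f"unknown tcpdump flag letter {ch!r}")
        names.add(FLAG_NAMES[ch])
    return frozenset(names)


def classify_probe(flags):
    """Label an unsolicited segment by scan family, or return None for ordinary traffic.

    A bare SYN is also how every legitimate connection starts, so 'SYN' hits need
    rate/port-spread context before they mean anything; the other labels never occur
    in a normal handshake.
    """
    if "ACK" in flags or "RST" in flags:
        return None                      # replies and mid-stream segments, not probes
    if "SYN" in flags:
        extra = sorted(flags - {"SYN"})
        return "SYN" if not extra else "SYN+" + "+".join(extra)   # SYN+FIN, SYN+PSH, SYN+URG
    return NEGATION_LABELS.get(flags)


def naive_tcplogger_logs(flags):
    """The tcplogger behaviour the post complains about: log a segment only if it is a pure SYN."""
    return flags == frozenset({"SYN"})


def strict_tcplogger_logs(flags):
    """Log any connection attempt carrying SYN (whatever else is set, but not SYN+ACK replies)
    plus every negation-probe combination."""
    return ("SYN" in flags and "ACK" not in flags) or flags in NEGATION_LABELS


def infer_port_state(reply, target_may_blackhole=False):
    """Possible port states after one negation probe.

    reply is the frozenset of flags in the answer, or None if nothing came back before the
    timeout. With the BSD blackhole sysctl on, closed ports also stay silent, so silence
    is ambiguous: the scanner sees "open" for every port it probed.
    """
    if reply is not None and {"RST", "ACK"} <= reply:
        return frozenset({"closed"})
    if reply is None:
        return frozenset({"open", "closed"}) if target_may_blackhole else frozenset({"open"})
    return frozenset({"unexpected"})     # e.g. SYN+ACK: not an answer to a negation probe


# Constructed tcpdump-style lines (assumption, not a real capture): 10.0.0.5 probes 10.0.0.9
# with FIN, FULLXMAS, URG, PSH and SYN+FIN; port 23 answers RST+ACK (closed); 10.0.0.7 makes
# a normal connection to port 22.
SAMPLE_LOG = """\
10:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.23: Flags [F], seq 1, win 1024, length 0
10:00:01.000002 IP 10.0.0.5.40002 > 10.0.0.9.25: Flags [FPU], seq 1, win 1024, length 0
10:00:01.000003 IP 10.0.0.5.40003 > 10.0.0.9.80: Flags [U], seq 1, win 1024, length 0
10:00:01.000004 IP 10.0.0.5.40004 > 10.0.0.9.443: Flags [P], seq 1, win 1024, length 0
10:00:01.000005 IP 10.0.0.5.40005 > 10.0.0.9.8080: Flags [SF], seq 1, win 1024, length 0
10:00:01.000006 IP 10.0.0.9.23 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:02.000000 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [S], seq 100, win 65535, length 0
10:00:02.000100 IP 10.0.0.9.22 > 10.0.0.7.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
"""

LOG_LINE = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[SAFRPU.]+)\]"
)


def analyse_log(text):
    """Return (src, dst, dport, label) for every line that classifies as a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        label = classify_probe(parse_flags(m["flags"]))
        if label:
            hits.append((m["src"], m["dst"], int(m["dport"]), label))
    return hits


def scan_summary(text):
    """Count labels per source, so a scanner rotating flag combinations still shows as one actor."""
    counts = Counter()
    for src, _dst, _dport, label in analyse_log(text):
        counts[(src, label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit)
    print(scan_summary(SAMPLE_LOG))
```

    Run it against real tcpdump output with `tcpdump -nn tcp | python3 this_script.py`
    style plumbing adapted to your own setup; the point of `scan_summary` is that the
    FIN, FULLXMAS, URG and PSH probes from one source all collapse onto the same actor,
    which is what a logger keyed on "SYN only" never sees.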
    



    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 06:19:53 PDT