port 0 scanning

[lamontg () HITL WASHINGTON EDU (Lamont Granquist)]

-----BEGIN PGP SIGNED MESSAGE-----


We just recently got hit by a bunch of port 0 scans of IMAP.  A sample
packet dumped from tcpdump looks like this:

08:59:26.428386 195.2.130.209.0 > chocolate.hitl.washington.edu.imap: SF
973406208:973406208(0) win 512
         4500 0028 5f02 0000 e906 621b c302 82d1  E..(_...i.b.C..Q
         805f 4a7f 0000 008f 3a05 0000 0000 0000  ._J.....:.......
         5003 0200 629b 0000 0000 0000 0000       P...b.........

Note that both the source port is zero, and they've turned on both TH_SYN
and TH_FIN on the packet.  Both of these are undoubtably in an attempt
to bypass a firewall.  It shoudl also be noted that the attacker
probably downloaded DNS records and fed those into the probe script.

On every IP stack I've checked (except for this strange DEClaser 3200
printer), the SYN+FIN scan is equivalent to a SYN scan (aka "probe" aka
"half-open scan").  In general a SYN packet can have any of FIN, PSH or
URG flags turned on as long as ACK and RST are turned off and IP stacks
will typically respond to them as a SYN packet (at least for the purposes
of initial handshaking).  Major exception to this is Solaris (2.5.1 and
2.6) where turning on URG will cause packets to open ports to be dropped,
but SYN + [FIN] + [PSH] will otherwise work.

Uriel Maimon (Phrack P49-15) FIN scan behavior (close port = RST, open
port = dropped) can also be seen with the PSH, URG or simply with a TCP
packet with no flags (and all 8 permutations of FIN|PSH|URG).  Generally
the machines that FIN scanning does not work against (IRIX, Win95/WinNT,
HP-UX) are not vulnerable to any of these alternative forms of scanning.

The only remaining oddity i've found is HP-UX which allows for an 'ACK'
scan (ACK + anything other than RST) which returns a different value of
th_win depending on if the recieving port is open or closed.

While most TCP/IP stacks are pretty similar (either 'FIN-scannable' or
'not-FIN-scannable') for the purposes of scanning, you can get a lot of
information on what kind of OS the machine might be by looking at the
returned packets from going through all the different 64 combinations of
TCP/IP flags (c.f 'active probing', Comer+Lin, etc.).

I've got a short bit of code at:

http://www.hitl.washington.edu/people/lamontg/tft.c

Which will 'excersize' a target machine's TCP stack and report back
possible flag combinations that might be useful to use to scan the machine
for open or closed ports.

- --
Lamont Granquist <lamontg () hitl washington edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab.  University of Washington.  Seattle, WA
PGP pubkey: finger -l lamontg () hitl washington edu | pgp -fka

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNaMc6yGfPhFbK8mBAQFAIwQAoBzieXcJeFIlvx6ipSlpJverQCGsnMcf
N8eT3zM5LeAjP0xEPSIsfIFSw5xwqzZNgxABT2bw1w7iA4rKP4KW8XWuYm00V7cA
PQQd5nyJa9yb1Uzj3Kfa4Jh/8Ssp3On5qT9UsfkkFFgVm/DcY39h5O+y3Hv8WB1E
rbIXMKd5eeg=
=qdti
-----END PGP SIGNATURE-----