Bugtraq mailing list archives

Re: ACK/th_win portscanning


From: jerdfelt () SVENTECH COM (Johannes Erdfelt)
Date: Wed, 15 Sep 1999 20:02:32 -0400


On Wed, Sep 15, 1999, Lamont Granquist <lamontg () RAVEN GENOME WASHINGTON EDU> wrote:

I just posted a patch to nmap to the nmap-hackers list which implements
yet another "stealth" scan.  This one sends out packets with only the ACK
bit set and looks for responses that either have th_win set to some value
(0x1000, 0x2000, 0x4000 typically) or th_win is clear.  Fyodor went
through the nmap-os-fingerprints file and found that it was easy to use
that database to find systems which are vulnerable to these kinds of
scans.

Vulnerable systems of note include:
Digital Unix 4.0X
FreeBSD <=4.0
OpenBSD <=2.5.
AIX <=4.3.2 (is this current?)

Notable systems which are /NOT/ vulnerable include:
Solaris (all?)
IRIX 6.x
HP-UX 11.0
Linux (all?)

This is probably one of the oldest stealth scanning techniques out
there. In fact, the original (that I have found) email discussing this
was back in December of 1995 (!) by Darren Reed:

http://lists.gnac.net/firewalls/mhonarc/firewalls.9512/msg00089.html

A little snippet:

"When kernels based on BSD networking are targeted, a non-zero window is
returned for sockets which are listening.  This is due to them (a) having a
non-zero window in the listening state and (b) a pointer, tp, being non-null
when passed to tcp_close() to send the RST.  In case (b), tp points to the
listening socket.

Looking at the above table, we can scan for active listening ports quite
successfully, so long as we know what to expect back.  In particular,
using a SYN-ACK instead of a SYN seems particularly fruitful."

In fact, this was the original email that got me started on writing sirc,
in which I used this exact technique to fingerprint BSD-based OSes.

JE
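As an added example that is not part of this thread: a small Python check of the kind a host-based sensor could run over a constructed sample of inbound TCP segments. It flags sources that send bare-ACK segments to many ports without any preceding SYN from that source, which is the probe pattern the ACK/window scan described above relies on. The segment records, threshold and function name are assumptions for this illustration.

```python
from collections import defaultdict

# Constructed sample of inbound TCP segments seen by a host-based sensor:
# (src_ip, dst_port, flags). Flags use tcpdump-style letters: S=SYN, A=ACK.
# Not a real capture; built for this example.
SAMPLE_SEGMENTS = [
    # normal client: SYN first, then ACKs belonging to that connection
    ("10.0.0.5", 80, "S"), ("10.0.0.5", 80, "A"), ("10.0.0.5", 80, "A"),
    # ACK-only segments to several ports with no SYN beforehand: scan pattern
    ("10.0.0.9", 21, "A"), ("10.0.0.9", 22, "A"), ("10.0.0.9", 23, "A"),
    ("10.0.0.9", 25, "A"), ("10.0.0.9", 80, "A"), ("10.0.0.9", 110, "A"),
    # a single stray ACK (e.g. late segment of an old connection), below threshold
    ("10.0.0.7", 443, "A"),
]


def find_ack_scanners(segments, min_ports=5):
    """Return {src_ip: sorted ports} for every source that sent bare-ACK
    segments to at least `min_ports` distinct ports it never sent a SYN to.

    A SYN from a source to a port marks (src, port) as a legitimate
    connection attempt; ACKs that follow it are normal traffic.  An ACK with
    no such SYN on record is unsolicited, and many of them from one source
    across many ports is the signature of an ACK/window scan, regardless of
    whether the probed host leaks the window value in its RST replies.
    """
    synned = set()                     # (src, port) pairs with a SYN on record
    unsolicited = defaultdict(set)     # src -> ports hit by bare ACKs
    for src, port, flags in segments:
        if "S" in flags:
            synned.add((src, port))
        elif flags == "A" and (src, port) not in synned:
            unsolicited[src].add(port)
    return {src: sorted(ports)
            for src, ports in unsolicited.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_ack_scanners(SAMPLE_SEGMENTS).items():
        print(f"possible ACK/window scan from {src}: ports {ports}")
```

The threshold keeps a lone stray ACK from firing; on real traffic a time window per source would be added so the port set does not grow forever.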
