Bugtraq mailing list archives
Re: ACK/th_win portscanning
From: jerdfelt () SVENTECH COM (Johannes Erdfelt)
Date: Wed, 15 Sep 1999 20:02:32 -0400
On Wed, Sep 15, 1999, Lamont Granquist <lamontg () RAVEN GENOME WASHINGTON EDU> wrote:
I just posted a patch to nmap to the nmap-hackers list which implements yet another "stealth" scan. This one sends out packets with only the ACK bit set and looks for responses that either have th_win set to some value (0x1000, 0x2000, 0x4000 typically) or th_win is clear. Fyodor went through the nmap-os-fingerprints file and found that it was easy to use that database to find systems which are vulnerable to these kinds of scans.

Vulnerable systems of note include:
Digital Unix 4.0X
FreeBSD <=4.0
OpenBSD <=2.5
AIX <=4.3.2 (is this current?)

Notable systems which are /NOT/ vulnerable include:
Solaris (all?)
IRIX 6.x
HP-UX 11.0
Linux (all?)
This is probably one of the oldest stealth scanning techniques out there. In fact, the original (that I have found) email discussing this was back in December of 1995 (!) by Darren Reed:
http://lists.gnac.net/firewalls/mhonarc/firewalls.9512/msg00089.html

A little snippet:

"When kernels based on BSD networking are targeted, a non-zero window is returned for sockets which are listening. This is due to them (a) having a non-zero window in the listening state and (b) a pointer, tp, being non-null when passed to tcp_close() to send the RST. In case (b), tp points to the listening socket. Looking at the above table, we can scan for active listening ports quite successfully, so long as we know what to expect back. In particular, using a SYN-ACK instead of a SYN seems particularly fruitful."

In fact, this was the original email that got me started on writing sirc, in which I used this exact technique to fingerprint BSD based OSes.

JE
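A defender-side illustration of the thread above, added here and not part of either message: a minimal TCP header decoder, a detector that flags sources sending ACK-only segments to many ports with no preceding handshake (the signature of this scan on the wire), and a helper that checks whether RST replies from a host under your own audit carry the non-zero th_win that marks a BSD-style listening socket. All packets and addresses are constructed samples.

```python
import struct
from collections import defaultdict

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10

def parse_tcp(segment: bytes):
    """Decode the fixed TCP header fields we need: (sport, dport, flags, th_win)."""
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    return sport, dport, off_flags & 0x3F, win

def build_tcp(sport, dport, flags, win):
    """Constructed 20-byte TCP header (no options, zero checksum) for the sample data."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, win, 0, 0)

def find_ack_probes(packets, threshold=3):
    """packets: iterable of (src_ip, dst_ip, tcp_bytes) in capture order.
    Returns {src_ip: sorted probed ports} for sources that send ACK-only segments
    to at least `threshold` ports without any SYN/SYN-ACK seen for that 4-tuple."""
    flows, probed = set(), defaultdict(set)
    for src, dst, seg in packets:
        sport, dport, flags, _win = parse_tcp(seg)
        if flags & TH_SYN:                      # handshake traffic: remember both directions
            flows.add((src, sport, dst, dport)); flows.add((dst, dport, src, sport))
        elif flags == TH_ACK and (src, sport, dst, dport) not in flows:
            probed[src].add(dport)              # bare ACK with no known connection
    return {s: sorted(p) for s, p in probed.items() if len(p) >= threshold}

def window_leaks(replies):
    """replies: list of (port, tcp_bytes) RST segments a host sent back to bare ACKs.
    Returns ports whose RST carries a non-zero window, i.e. the listening-socket tell."""
    return sorted(port for port, seg in replies
                  if parse_tcp(seg)[2] & TH_RST and parse_tcp(seg)[3] != 0)

# Constructed capture: one legitimate handshake, then an ACK sweep from another host.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", build_tcp(40000, 80, TH_SYN, 0x4000)),
    ("10.0.0.9", "10.0.0.5", build_tcp(80, 40000, TH_SYN | TH_ACK, 0x4000)),
    ("10.0.0.5", "10.0.0.9", build_tcp(40000, 80, TH_ACK, 0x4000)),
] + [("192.0.2.7", "10.0.0.9", build_tcp(55555, p, TH_ACK, 0)) for p in (22, 25, 80, 443)]

# Constructed RST replies from a host being audited: port 22 answers with th_win set.
SAMPLE_REPLIES = [(22, build_tcp(22, 55555, TH_RST, 0x1000)),
                  (23, build_tcp(23, 55555, TH_RST, 0))]

if __name__ == "__main__":
    print("ACK sweeps:", find_ack_probes(SAMPLE_PACKETS))   # {'192.0.2.7': [22, 25, 80, 443]}
    print("leaking ports:", window_leaks(SAMPLE_REPLIES))    # [22]
```

On a real capture, feed the three-tuple from your packet source and keep the handshake state for longer than one pass; the demo only shows the classification logic.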