Security Incidents mailing list archives
Re: syn+fin = stupid?
From: mgribov () KPLAB COM
Date: Mon, 31 Jul 2000 13:00:16 -0400
If you are looking for a good explanation/examples on OS detection, you can find it here:
http://www.insecure.org/nmap/nmap-fingerprinting-article.html

max

----- Original Message -----
From: James Stevenson <mistral () stevenson zetnet co uk>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, July 29, 2000 7:55 PM
Subject: Re: syn+fin = stupid?

Hi,

This is used as a method of OS detection. Some OSes will send back funny combinations of flags on the packets when this is done. Can't remember where this list is now :(

cya
James

In local.incidents-list, you wrote:
> I just noticed that a box in korea (210.223.100.97) checked port 21 and port 53 one day. He/she checked port 21 twice (approx. 2 hours apart) and port 53 three times (also approx. 2 hours apart). Both were closed all day, and have never been open on that IP, ever.
>
> I just have one question: Why syn+fin? Isn't syn+fin something that will NEVER turn up in legit traffic? It sticks out like nothing else (well, few other things anyway).

--
---------------------------------------------
Check Out: http://www.users.zetnet.co.uk/james/
E-Mail: mistral () stevenson zetnet co uk
11:50pm up 12 days, 10:12, 7 users, load average: 0.23, 0.60, 0.61
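
Added example, not part of the original thread or any poster's code: a small Python check for the SYN+FIN combination discussed above, counting such packets per source and destination port. The packets are constructed test data using documentation addresses, and all function names are assumptions made for illustration.

```python
import struct
from collections import Counter

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits (RFC 793)

def tcp_info(packet: bytes):
    """Return (src_ip, dst_port, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                          # not IPv4 or not TCP
    ihl = (packet[0] & 0x0F) * 4             # IP header length; options move the TCP header
    if ihl < 20 or len(packet) < ihl + 14:   # need TCP header up to the flags byte
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return src_ip, dst_port, packet[ihl + 13]

def is_syn_fin(flags: int) -> bool:
    return (flags & (SYN | FIN)) == (SYN | FIN)   # both set, other bits ignored

def syn_fin_probes(packets):
    """Count SYN+FIN packets per (source address, destination port)."""
    hits = Counter()
    for pkt in packets:
        info = tcp_info(pkt)
        if info and is_syn_fin(info[2]):
            hits[(info[0], info[1])] += 1
    return hits

def build_packet(src, dst, dport, flags, ihl_words=5):
    """Constructed test packet: bare IPv4 + TCP headers, checksums left at zero."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 20,
                     0, 0, 64, 6, 0, addr(src), addr(dst))
    ip += b"\x00" * (ihl_words * 4 - 20)     # zero-filled IP options, if any
    return ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)

# Constructed sample: SYN+FIN to port 21 twice and port 53 three times, plus normal traffic.
SAMPLE = (
    [build_packet("203.0.113.7", "192.0.2.10", 21, SYN | FIN)] * 2
    + [build_packet("203.0.113.7", "192.0.2.10", 53, SYN | FIN)] * 2
    + [build_packet("203.0.113.7", "192.0.2.10", 53, SYN | FIN, ihl_words=6)]
    + [build_packet("198.51.100.4", "192.0.2.10", 80, SYN),        # normal open
       build_packet("198.51.100.4", "192.0.2.10", 80, FIN | ACK)]  # normal close
)

if __name__ == "__main__":
    for (src, port), n in sorted(syn_fin_probes(SAMPLE).items()):
        print(f"SYN+FIN from {src} to port {port}: {n} packet(s)")
```

The one sample packet built with `ihl_words=6` carries IP options, so the flags byte is only found if the parser honours the IP header length instead of assuming 20 bytes.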