Security Incidents mailing list archives
Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports
From: Joe Stewart <jstewart () LURHQ COM>
Date: Fri, 19 Jan 2001 12:44:54 -0500
On Fri, 19 Jan 2001, you wrote:

> Anyone know the name(s) and/or a URL to find the tool? May be one tool or a family of tools derived from the same base code (note the hand-crafted ID always = 39426 and the Advertised Window = 0x404).
These look like Synscan 1.6 packets. The seemingly random IP ID of 39426 is actually supposed to be 666, but the original author of the packet code forgot to change his ip_id variable from host to network byte order.

Also, although it has not been publicly released, Synscan 1.7 has been found to be part of the latest (unreleased) t0rnkit, and its signature is pretty much the same, except it sends SYN instead of SYN-FIN. I believe it is still vulnerable to the attack I described before, using a forged packet from microsoft.de to shut down the listener. Also, there is a format-string buffer overflow in the DNS banner checking code which could potentially lead to a remote root exploit on the scanning box, under certain circumstances.

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewart () lurhq com
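The byte-order slip and the resulting wire signature, as an added worked example that is not code from the post, from Synscan or from t0rnkit. It assumes a little-endian scanning host (the case in which storing 666 without htons() produces 0x9A02 = 39426 on the wire) and builds its own minimal IPv4/TCP headers as constructed sample input, with checksums left at zero. The SYN-only match for the 1.7 variant follows the post's statement that the signature is "pretty much the same", so it assumes the IP ID and window are unchanged; treat that label as an assumption, not a confirmed fingerprint.

```python
import struct

# Signature values taken from the thread: the IP ID Synscan intended to set,
# the value it actually emits because of the missing htons(), and the fixed
# advertised window the original poster observed.
INTENDED_IP_ID = 666
SYNSCAN_IP_ID = 39426        # 0x9A02 == 0x029A (666) with its two bytes swapped
SYNSCAN_WINDOW = 0x404
TCP_FIN = 0x01
TCP_SYN = 0x02


def ip_id_on_wire(value, little_endian_host=True):
    """IP ID a receiver decodes when the sender writes `value` in host order
    (no htons()). On a big-endian host the bug is invisible: host order is
    already network order."""
    raw = struct.pack("<H" if little_endian_host else ">H", value)
    return struct.unpack("!H", raw)[0]


def build_probe(ip_id, flags, window, dport, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header,
    no options, zero checksums (assumed addresses, not from the post)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, ip_id, 0, 64, 6, 0, addr(src), addr(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def fingerprint(packet):
    """Return a label when the packet carries the Synscan IP ID / window
    signature described in the thread, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", packet[4:6])[0]
    proto = packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    _, _, _, _, _, flags, window, _, _ = struct.unpack("!HHIIBBHHH", packet[ihl:ihl + 20])
    if ip_id != SYNSCAN_IP_ID or window != SYNSCAN_WINDOW:
        return None
    if flags == TCP_SYN | TCP_FIN:
        return "synscan-1.6"          # SYN-FIN probe, as in the 1.6 signature
    if flags == TCP_SYN:
        return "synscan-1.7-like"     # assumption: same ID/window, SYN only
    return None


if __name__ == "__main__":
    print("666 stored without htons() reads as", ip_id_on_wire(INTENDED_IP_ID))
    probe = build_probe(SYNSCAN_IP_ID, TCP_SYN | TCP_FIN, SYNSCAN_WINDOW, 22)
    print("SYN-FIN probe with ID 39426 / window 0x404:", fingerprint(probe))
```

The ID check is deliberately exact: a scanner that fixed the htons() call would show up with ID 666 instead, and the window value alone is too common to be worth an alert on its own.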
Current thread:
- any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports r4gn4r0k (Jan 19)
- Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports Joe Stewart (Jan 19)
- Re: any idea of the kiddie-script tool crafting these SYN-FIN packets to user selectable destination ports Jan Muenther (Jan 19)