Security Incidents mailing list archives

Re: Guess the tool...


From: H C <keydet89 () yahoo com>
Date: Tue, 11 Sep 2001 09:07:22 -0700 (PDT)

Gary,

Let's see... Foundstone's fscan, SamSpade, etc., can all be configured
to do this.  Since all you're seeing are the SYN packets, this could
even be done using nmap on NT/2K.  Or a Perl script.


--- "Portnoy, Gary" <gportnoy () belenosinc com> wrote:
Greetings,

Can anyone tell me which Windows tool is used to scan for ports 139,
12345, and 27374?  (Example below.)  This occurs often enough that it
makes me think that it's a tool; I just can't find any mention of it
anywhere...

08/20-23:43:31.292516 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:21844 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.292892 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:21845 IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:31.297448 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:21846 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.262887 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:23258 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:43:34.302197 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:23289 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.193115 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110 TOS:0x0 ID:26960 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7713088  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.340679 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3205 -> MY.NET.165.25:12345 TCP TTL:110 TOS:0x0 ID:26997 IpLen:20 DgmLen:48 DF
******S* Seq: 0x77050F0  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/20-23:44:06.388758 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP TTL:110 TOS:0x0 ID:27009 IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
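
An added example, not part of either message: a small parser for the Snort packet dump quoted above that groups SYN-only packets by source and by (source port, destination port, sequence number), so repeats of one connection attempt are counted separately from new probes. The sample is five records taken from the quoted dump and abridged as the comment says; the function names are this example's own.

```python
import re
from collections import defaultdict

SEP = re.compile(r"(?:=\+){4,}")  # separator line between Snort records
REC = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+).*?"
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) TCP.*?"
    r"(?P<flags>[*\dA-Z]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)")

# Five records from the quoted dump; the first is complete, the rest abridged
# (link-layer line and TCP options dropped). Lines are wrapped as a mailer would.
SAMPLE = """\
08/20-23:43:31.292516 0:2:4B:BC:B9:E0 ->
8:0:20:B8:F2:36 type:0x800 len:0x3E
209.69.154.168:3204 -> MY.NET.165.25:27374 TCP
TTL:110 TOS:0x0 ID:21844
IpLen:20 DgmLen:48 DF
******S* Seq: 0x76F6E7F  Ack: 0x0  Win: 0x4000
=+=+=+=+=+=+=+=+
08/20-23:43:31.292892 209.69.154.168:3205 -> MY.NET.165.25:12345 TCP
TTL:110 ID:21845 ******S* Seq: 0x77050F0  Ack: 0x0
=+=+=+=+=+=+=+=+
08/20-23:43:31.297448 209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110
ID:21846 ******S* Seq: 0x7713088  Ack: 0x0
=+=+=+=+=+=+=+=+
08/20-23:43:34.262887 209.69.154.168:3209 -> MY.NET.165.25:139 TCP TTL:110
ID:23258 ******S* Seq: 0x7713088  Ack: 0x0
=+=+=+=+=+=+=+=+
08/20-23:43:34.302197 209.69.154.168:3204 -> MY.NET.165.25:27374 TCP
TTL:110 ID:23289 ******S* Seq: 0x76F6E7F  Ack: 0x0
"""

def parse(dump):
    """Yield one dict per TCP record, tolerating mail-wrapped lines."""
    for chunk in SEP.split(dump):
        m = REC.search(" ".join(chunk.split()))  # undo wraps and double spaces
        if m:
            yield m.groupdict()

def summarize(dump):
    """Per source: ports probed, distinct connections, total SYNs. Repeats of
    one (sport, dport, seq) are resends of a single connection attempt."""
    conns = defaultdict(lambda: defaultdict(int))
    for r in parse(dump):
        if r["flags"] == "******S*":  # SYN set, every other flag clear
            conns[r["src"]][(r["sport"], int(r["dport"]), r["seq"])] += 1
    return {src: {"ports": sorted({k[1] for k in c}), "connections": len(c),
                  "packets": sum(c.values())} for src, c in conns.items()}
```
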


