randomization of sequence numbers in nmap 2.03
From: HD Moore <hdmoore () usa net>
Date: Wed, 03 Feb 1999 13:18:28 -0600
An easy way to detect an nmap 2.03 syn scan is by looking through traffic for multiple packets with the same sequence number. A tcpdump output parsing script I wrote will dig all the syn's out of a traffic dump, hash them and compare by sequence number to find sets where the number of packets with the same sequence number is over a threshold. The quick-fix for nmap.c is attached; if anyone wants the script, drop me a note. -HD
9,11d8
< /* rndsequence for pos / super_scan */
< unsigned long rndsequence = 0;
<
391,393c388
< fatal("Could not figure out what device to send the packet out on with the source address you gave me! If you are trying to sp00f your scan, this is normal, just give the -e eth0 or -e ppp0 or whatever. Otherwise you can still use -e, but I find it
<
< kindof fishy.");
---
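Review bot: `unsigned long rndsequence` is introduced as a file-scope global, yet every use visible in this patch assigns it immediately before the `send_tcp_raw` call that reads it, so it carries no state between uses; declaring it `static`, or simply making it a local in each send loop, would avoid a new shared mutable global. The comment above it could say what the value is, e.g. `/* per-packet ISN for raw TCP probes; regenerated before each send_tcp_raw() */`. The diff is in classic (non-unified) format and the `<` side appears to be the patched file, judging by the range notation and the prose above; that assignment of sides is inferred.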
fatal("Could not figure out what device to send the packet out on with the source address you gave me! If you are trying to sp00f your scan, this is normal, just give the -e eth0 or -e ppp0 or whatever. Otherwise you can still use -e, but I find it kindof fishy.");
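Review bot: The hunks 391,393c388, 533,535c528 and 906,908c899 are not part of the fix: on the `<` side each long line is split into three lines in the middle of a string literal (`... but I find it`, a blank line, `kindof fishy.");`), which looks like mail-client wrapping of the patched copy rather than an intended edit, and would not compile as C because the string literal is unterminated at the end of the line. Anyone applying this patch should drop those three hunks and the whitespace-only `1551c1542`, keeping only the `rndsequence` changes.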
533,535c528
< fatal("Could not figure out what device to send the packet out on! You might possibly want to try -S (but this is probably a bigger problem). If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must use -e eth0 (or ot
<
< her devicename) to tell us what interface to use.\n");
---
fatal("Could not figure out what device to send the packet out on! You might possibly want to try -S (but this is probably a bigger problem). If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must use -e eth0 (or other devicename) to tell us what interface to use.\n");
906,908c899 < sprintf(report, "TCP Sequence Prediction: Class=%s\n Difficulty=%d (%s)\n", seqclass2ascii(seq->class), seq->index, (seq->index < 10)? "Trivial joke" : (seq->index < 80)? "Easy" : (seq->index < 3000)? "Medium" : (seq->index < 5000 < < )? "Formidable" : (seq->index < 100000)? "Worthy challenge" : "Good luck!"); ---
sprintf(report, "TCP Sequence Prediction: Class=%s\n Difficulty=%d (%s)\n", seqclass2ascii(seq->class), seq->index, (seq->index < 10)? "Trivial joke" : (seq->index < 80)? "Easy" : (seq->index < 3000)? "Medium" : (seq->index < 5000)? "Formidable" : (seq->index < 100000)? "Worthy challenge" : "Good luck!");
1551c1542
<
---
1683,1684c1674
< else if (scantype != UDP_SCAN) {
< rndsequence = rand() + rand();
---
else if (scantype != UDP_SCAN)
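Review bot: `rndsequence = rand() + rand();` removes the repeated-sequence-number fingerprint but does not make the initial sequence number unpredictable: `rand()` is a small-state generator whose subsequent outputs can be inferred from a handful of observed values, the sum of two results is not uniformly distributed, and adding two `int` values can overflow (undefined behaviour where `RAND_MAX == INT_MAX`) before the result is widened to `unsigned long`. The same line is added in 1710,1711c1699, 2130d2116 and 2211d2197. If `rand()` is kept, at least build the value without the signed addition, `rndsequence = ((unsigned long)rand() << 16) ^ (unsigned long)rand();`, and where the goal is unpredictability rather than just breaking the pattern, fill it from a kernel-provided source such as `/dev/urandom`. The enclosing function starts and ends outside the hunk.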
1686,1688c1676,1677
< current->portno, rndsequence, 0,
< scanflags, 0, NULL, 0, 0, 0);
< }
---
current->portno, 0, 0, scanflags, 0, NULL, 0, 0, 0);
1710,1711c1699
< else if (scantype != UDP_SCAN) {
< rndsequence = rand() + rand();
---
else if (scantype != UDP_SCAN)
1713,1715c1701,1702
< current->portno, rndsequence, 0, scanflags, 0, NULL, 0, 0, 0);
< }
< else send_udp_raw(rawsd, &o.decoys[decoy], &target->host, o.magic_port,
---
current->portno, 0, 0, scanflags, 0, NULL, 0, 0, 0); else send_udp_raw(rawsd, &o.decoys[decoy], &target->host, o.magic_port,
2130d2116
< rndsequence = rand() + rand();
2137c2123,2124
< current->portno, rndsequence, 0, scanflags, 0, NULL, 0,0, 0); }
---
current->portno, sequences[current->trynum], 0, scanflags, 0, NULL, 0,0, 0); }
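Review bot: The original passes `sequences[current->trynum]`, a value kept per try, and the new code substitutes a fresh `rndsequence` that is recorded nowhere; if the reply-handling path (outside this hunk) correlates SYN/ACK or RST responses against the sequence it expects to see acknowledged, the per-packet value would have to be stored for that comparison to keep working, so this should be confirmed against the receive side before trusting scan results. The same substitution is made in 2217,2218c2203,2205, and `sequences[]` is no longer referenced in either hunk, so its initialisation may become dead code if the change is intentional. The enclosing loop starts and ends outside the hunk.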
2211d2197
< rndsequence = rand() + rand();
2217,2218c2203,2205
< send_tcp_raw(rawsd, &o.decoys[decoy], &target->host, o.magic_port + tries * 3, current->portno, rndsequence, 0, scanflags, 0, NULL, 0, 0, 0);
< if (senddelay) usleep(senddelay); }
---
send_tcp_raw(rawsd, &o.decoys[decoy], &target->host, o.magic_port + tries * 3, current->portno, sequences[current->trynum], 0, scanflags, 0, NULL, 0, 0, 0); if (senddelay) usleep(senddelay); }