Nmap Announce mailing list archives
RE: Very cool scanning technique, nmap?
From: "J. Oquendo" <intrusion () engineer com>
Date: Mon, 31 Jul 2000 04:33:33 -0400 (EDT)
I recall tinkering with Packet Shell under Solaris, which oddly enough is called "psh". Perhaps this was used to construct something in conjunction with nmap or some other scanner to implement a push flag. Packet Shell creates commands that allow you to create, modify, send, and receive packets on networks: http://playground.sun.com/pub/tcp-impl/psh/

Also be advised that whenever a SEND call is made, PUSH (PSH) will come into play, if I'm not mistaken.

/* snippet from RFC1122

When the PUSH flag is not implemented on SEND calls, i.e., when the application/TCP interface uses a pure streaming model, responsibility for aggregating any tiny data fragments to form reasonable sized segments is partially borne by the application layer.

Generally, an interactive application protocol must set the PUSH flag at least in the last SEND call in each command or response sequence. A bulk transfer protocol like FTP should set the PUSH flag on the last segment of a file or when necessary to prevent buffer deadlock.

At the receiver, the PSH bit forces buffered data to be delivered to the application (even if less than a full buffer has been received). Conversely, the lack of a PSH bit can be used to avoid unnecessary wakeup calls to the application process; this can be an important performance optimization for large timesharing hosts. Passing the PSH bit to the receiving application allows an analogous optimization within the application.

END SNIPPET */

Being that FTP is mentioned in this doc, any chance you're running one of your honeypots indicating some sort of vulnerable ftp client running? If so, it could be that someone constructed some sort of exploit and created a packet. Not the typical script kiddiot move, but definitely worth looking into.
FYI_STUFF

NetBSD had an issue regarding PSH flags: http://mail-index.netbsd.org/netbsd-bugs/1997/06/16/0003.html

Obecian has written a nice Packet Injection Suite that may offer something within the realms of PSH flags: http://celerity.bartoli.org

Yours truly,
J. Oquendo // sil () antioffline com // sil () deficiency org

------Original Message------
From: Lance Spitzner <lance () spitzner net>
To: nmap-hackers () insecure org
Sent: July 28, 2000 8:46:21 PM GMT
Subject: Very cool scanning technique, nmap?

Check this port scan out. The guy is looking for open ftp ports (21) on only two systems. What makes this scanning technique so unique is that the tool tries a variety of different packet methods. For example, the first system he scans is .107 on port 21. He tries the following packet combos:

SYN/ACK
SYN
FIN
FIN/ACK
SYN/FIN
PSH

then repeats for system .101 on the same port, 21.

Scanning gurus, any ideas? nmap doesn't have this, does it?

07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
TCP TTL:239 TOS:0x0 ID:45258
**S***A* Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
7F 40 00 00 00 00 .@....

07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45257
**S***** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
4B 85 70 36 1D 0C K.p6..

07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45259
***F**** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
30 FD 70 20 22 10 0.p ".

07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45260
***F**A* Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
1B 8E 70 8D 68 6D ..p.hm

07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45261
**SF**** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
51 D9 70 82 22 C6 Q.p.".

07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45262
*****P** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
CF C4 70 83 A1 88 ..p...
07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45263
21S***** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07 91 70 13 72 1A ..p.r.

07/19-08:28:07.564938 212.171.169.46:25218 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56555
**S***** Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
6A C0 00 00 00 00 j.....

07/19-08:28:07.575469 212.171.169.46:25219 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56556
**S***A* Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
69 FE 9A 39 1A EE i..9..

07/19-08:28:07.593808 212.171.169.46:25220 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56557
***F**** Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
92 D9 9A 64 D6 C2 ...d..

07/19-08:28:07.615849 212.171.169.46:25221 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56558
***F**A* Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
16 D2 9A 89 7C 9B ....|.

07/19-08:28:07.634785 212.171.169.46:25222 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56559
**SF**** Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
75 44 9A 18 8D 07 uD....

07/19-08:28:07.655469 212.171.169.46:25223 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56560
*****P** Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
5E E0 9A 18 5E 11 ^...^.

07/19-08:28:07.674845 212.171.169.46:25224 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56561
21S***** Seq: 0x1D839A7F Ack: 0x0 Win: 0x1234
52 DE 9A 07 23 31 R...#1

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
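The capture quoted above is a useful test case for a detector, since every probe carries a flag combination a real TCP client would never emit on its own (bare FIN, bare PSH, SYN+FIN, reserved bits set, ACK flag with a zero acknowledgement number) and all of them reuse the same sequence number. The following is an added example, not code from the thread or from the Snort or nmap projects: it parses the quoted Snort lines (flattened to one record per line), decodes the flag column, and raises one alert when a single source sends several distinct flag combinations at one port within a few seconds and at least one of them is impossible for a stateful client. The column order of the flag field (reserved bits, SYN, FIN, RST, PSH, ACK, URG), the function names, the thresholds and the extra benign SYN from 10.0.0.5 are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Column order of Snort's 8-character flag field: reserved bit 2, reserved bit 1,
# SYN, FIN, RST, PSH, ACK, URG. This order is an ASSUMPTION inferred from the
# lines quoted in the thread, not taken from Snort documentation.
FLAG_ORDER = ("R2", "R1", "SYN", "FIN", "RST", "PSH", "ACK", "URG")

# One Snort TCP record flattened onto a single line.
RECORD_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:\d+\s+TOS:0x[0-9A-Fa-f]+\s+ID:\d+\s+"
    r"(?P<flags>[*\w]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)"
)

# Sample input: the seven probes against .107 quoted in the thread, flattened to
# one line each, plus one CONSTRUCTED benign SYN from 10.0.0.5 that must not alert.
SAMPLE_LOG = """\
07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21 TCP TTL:239 TOS:0x0 ID:45258 **S***A* Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45257 **S***** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45259 ***F**** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45260 ***F**A* Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45261 **SF**** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45262 *****P** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21 TCP TTL:238 TOS:0x0 ID:45263 21S***** Seq: 0x3EEE7030 Ack: 0x0 Win: 0x1234
07/19-08:30:00.000000 10.0.0.5:40000 -> 172.16.1.107:21 TCP TTL:64 TOS:0x0 ID:100 **S***** Seq: 0x00000001 Ack: 0x0 Win: 0x4000
"""


def parse_flags(field):
    """Map the 8-column flag field to the set of flags whose column is not '*'."""
    return frozenset(name for ch, name in zip(field, FLAG_ORDER) if ch != "*")


def parse_record(line):
    """Parse one flattened Snort line; return None for lines that are not TCP records."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        "flags": parse_flags(m["flags"]),
        "seq": int(m["seq"], 16), "ack": int(m["ack"], 16),
    }


def anomalies(rec):
    """Flag-level oddities that a stateful TCP client never emits."""
    f = rec["flags"]
    real = f - {"R1", "R2"}
    found = set()
    if f & {"R1", "R2"}:
        found.add("reserved-bits-set")
    if {"SYN", "FIN"} <= f:
        found.add("syn+fin")
    if "ACK" not in f and real != {"SYN"}:
        # After the initial SYN every legitimate segment carries ACK, so a bare
        # FIN, bare PSH or SYN+FIN cannot belong to a real connection.
        found.add("no-ack-outside-syn")
    if "ACK" in f and rec["ack"] == 0:
        found.add("ack-flag-with-zero-ack")
    return found


def detect(records, window_seconds=5.0, min_distinct=4):
    """Alert when one source sends many distinct flag combinations to one
    destination port within a short window and at least one is anomalous."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["dport"])].append(r)
    alerts = []
    for (src, dst, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:]
                     if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            combos = {r["flags"] for r in burst}
            found = set().union(*(anomalies(r) for r in burst))
            if len(combos) >= min_distinct and found:
                alerts.append({
                    "src": src, "dst": dst, "dport": dport,
                    "packets": len(burst),
                    "distinct_flag_combos": len(combos),
                    "anomalies": sorted(found),
                    # The same ISN on every probe is a hallmark of hand-crafted packets.
                    "constant_isn": len({r["seq"] for r in burst}) == 1,
                })
                break  # one alert per (src, dst, port) is enough
    return alerts


if __name__ == "__main__":
    recs = [r for r in map(parse_record, SAMPLE_LOG.splitlines()) if r]
    for a in detect(recs):
        print(a)
```

Run against the sample, the detector reports one alert for 212.171.169.46 against 172.16.1.107:21 with seven packets, seven distinct flag combinations, all four anomaly classes and a constant ISN, while the lone benign SYN produces nothing. The requirement that at least one combination be anomalous is what keeps an ordinary FTP session (SYN, ACK, PSH+ACK, FIN+ACK, which is also four distinct combinations) from tripping the threshold.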
Current thread:
- Very cool scanning technique, nmap? Lance Spitzner (Jul 30)
- Re: Very cool scanning technique, nmap? Mikael Olsson (Jul 31)
- <Possible follow-ups>
- RE: Very cool scanning technique, nmap? J. Oquendo (Jul 31)
- Re: Very cool scanning technique, nmap? Toby Miller (Jul 31)