From: Joe Stewart (jstewartLURHQ.COM)
Date: Fri Jan 19 2001 - 11:44:54 CST
On Fri, 19 Jan 2001, you wrote:
> anyone know the name(s) and/or a url to find the tool?
> may be one tool or family of tools derived from the same base code (note
> the hand-crafted ID always = 39426 and the Advertised Window = 0x404)
These look like Synscan 1.6 packets. The seemingly random IP ID of 39426
is actually supposed to be 666, but the original author of the packet code
forgot to change his ip_id variable from host to network byte-order.
Also, although it has not been publicly released, Synscan 1.7 has been found
to be part of the latest (unreleased) t0rnkit, and its signature is pretty
much the same, except it sends SYN instead of SYN-FIN. I believe it is still
vulnerable to the attack I described before using a forged packet from
microsoft.de to shut down the listener.
Also, there is a format-string buffer overflow in the DNS banner checking
code which could potentially lead to a remote root exploit on the scanning
box, under certain circumstances.
--
Joe Stewart
Information Security Analyst
LURHQ Corporation
jstewartlurhq.com
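A worked example of the fingerprint described in the message above, added here as an illustration; it is not code from the original post or from Synscan itself. It reproduces the byte-order slip (a 16-bit ip_id of 666 stored in host order on a little-endian box and read back in network order gives 39426), builds a constructed IPv4/TCP packet the way such a scanner would emit it, and runs a small matcher over the bytes that keys on IP ID 39426, advertised window 0x404, and SYN-FIN (labelled 1.6) versus bare SYN (labelled 1.7, per the post). The addresses, ports, sequence number and the version labels are assumptions for illustration, and the checksums are left zero because this is a constructed sample, not a capture.

```python
import struct

# Values taken from the thread.
INTENDED_IP_ID = 666      # what the scanner's author meant to send
OBSERVED_IP_ID = 39426    # what actually shows up on the wire (0x9A02 = 666 byte-swapped)
SYNSCAN_WINDOW = 0x404    # advertised TCP window seen in the captures

TCP_FIN = 0x01
TCP_SYN = 0x02
IPPROTO_TCP = 6


def host_order_ip_id(value, host_byteorder="little"):
    """Reproduce the bug: store a 16-bit ip_id in host order (no htons),
    then read it back the way every other host on the wire will, big-endian."""
    raw = value.to_bytes(2, host_byteorder)
    return int.from_bytes(raw, "big")


def build_packet(ip_id_on_wire, flags, window=SYNSCAN_WINDOW,
                 src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02",
                 sport=40000, dport=80, seq=0x12345678):
    """Constructed 20-byte IPv4 header + 20-byte TCP header, no options.
    Checksums are zero: this is a sample for the matcher, not a real capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,          # version 4, IHL 5
                         0,             # TOS
                         40,            # total length
                         ip_id_on_wire, # the field the thread is about
                         0,             # flags/fragment offset
                         64,            # TTL (assumed)
                         IPPROTO_TCP,
                         0,             # header checksum (not computed)
                         src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq,
                          0,             # ack number
                          5 << 4,        # data offset 5 words, reserved bits 0
                          flags,
                          window,
                          0,             # checksum (not computed)
                          0)             # urgent pointer
    return ip_hdr + tcp_hdr


def fingerprint(pkt):
    """Return 'synscan-1.6', 'synscan-1.7' or None.
    Matches only when IP ID == 39426 and window == 0x404; the flags then
    decide the version label (SYN-FIN -> 1.6, SYN alone -> 1.7)."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    tcp = pkt[ihl:ihl + 20]
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    if ip_id != OBSERVED_IP_ID or window != SYNSCAN_WINDOW:
        return None
    if flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN):
        return "synscan-1.6"
    if flags == TCP_SYN:
        return "synscan-1.7"
    return None


if __name__ == "__main__":
    wire_id = host_order_ip_id(INTENDED_IP_ID)
    print("ip_id 666 without htons on little-endian host ->", wire_id)
    print(fingerprint(build_packet(wire_id, TCP_SYN | TCP_FIN)))
    print(fingerprint(build_packet(wire_id, TCP_SYN)))
    print(fingerprint(build_packet(INTENDED_IP_ID, TCP_SYN | TCP_FIN)))
```

The matcher deliberately requires both the IP ID and the window before looking at flags, since either value on its own is common enough in ordinary traffic; a packet that carries the intended 666 in proper network order does not match at all, which is exactly why the byte-order slip makes the tool easy to spot.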