From: Daniel Martin (dtmartin24HOME.COM)
Date: Fri Jan 19 2001 - 15:10:27 CST


    r4gn4r0k <r4gn4r0kTELUS.NET> writes:
    > anyone know the name(s) and/or a url to find the tool?
    >
    > may be one tool or family of tools derived from the same base code
    > (note the hand-crafted ID always = 39426 and the Advertised Window =
    > 0x404)
    >
    > I'm trying to correlate what I'm seeing on snort with what my
    > personal firewall is logging and I want to be able to generate the
    > traffic myself (tired of having to wait hours or days between random
    > tests to be farted out of the global sewer).

    <SYN+FIN scan snipped>

    This looks like synscan. I know, that's my answer to everything
    lately, but it does. The original synscan 1.6 code generates TCP
    packets with an IP ID number of 666 and a TCP window size of
    1028. (1028 == 0x404) The definitive answer, of course, would be if
    the SYN+FIN probe were immediately followed by a connection that
    simply grabbed the banner and then disconnected. (the original
    synscan then writes the banner information to a file and continues
    scanning)

    Now, as I had to hunt a slight bit to find out where in the source the
    TCP window was specified, whereas the ID number was in the source
    plain as day, it's likely that even the most C-programming-impaired
    scriptie could change the ID number. Certainly, if I were looking at
    the source alone, not having had packets studied, and were trying to
    modify the program so as to not display the same signature as the
    original, I might miss the TCP window size but would definitely change
    the ID. (though I'd probably replace it with a randomly generated ID,
    but that's neither here nor there)

    synscan's source code used to be available from
    www.psychoid.lam3rz.de; however, it appears that that domain was
    removed from the DNS servers earlier this week, so search around for
    "synscan1.6.tar.gz" on google and you'll be able to find it.

    By the way, I was wrong recently on the list when I said that SYN+FIN
    followed by an immediate connection to get the banner was ramen
    wormsign. In fact, that's just synscan's behavior. (Note that the
    ramen worm has the potential to become the biggest user of the synscan
    tool). True ramen-worm sign would involve launching almost immediate
    attacks against RedHat systems after grabbing the banner. (wu-ftpd and
    rpc.statd exploits on 6.2 systems; LPRng attacks on RedHat 7 systems)
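As an added example that is not part of this thread, here is a small Python checker that decodes captured IPv4/TCP headers and labels the signature discussed above: SYN and FIN set together, combined with a TCP window of 1028 (0x404) or an IP ID of 666 (synscan 1.6) or 39426 (the value seen by the original poster). The packet builder, the addresses and the label names are constructed for the test and are not taken from synscan.

```python
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN = 0x01, 0x02
# Header values discussed in the thread: synscan 1.6 sends IP ID 666 and a
# TCP window of 1028 (0x404); the original poster saw ID 39426 with that window.
SYNSCAN_WINDOW = 0x404
KNOWN_SYNSCAN_IDS = {666, 39426}


@dataclass
class TcpProbe:
    src: str
    dst: str
    ip_id: int
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(pkt: bytes) -> TcpProbe:
    """Decode the IPv4 and TCP headers of one captured packet (hypothetical helper)."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                    # IP protocol number 6 is TCP
        raise ValueError("not a TCP segment")
    ip_id = struct.unpack_from("!H", pkt, 4)[0]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    flags = pkt[ihl + 13]              # TCP flag byte
    window = struct.unpack_from("!H", pkt, ihl + 14)[0]
    return TcpProbe(src, dst, ip_id, sport, dport, flags, window)


def classify(p: TcpProbe) -> str:
    """Label a segment as 'synscan-signature', 'syn+fin' (other tool) or 'normal'."""
    if (p.flags & (TCP_SYN | TCP_FIN)) != (TCP_SYN | TCP_FIN):
        return "normal"
    if p.window == SYNSCAN_WINDOW or p.ip_id in KNOWN_SYNSCAN_IDS:
        return "synscan-signature"
    return "syn+fin"


def sample_packet(ip_id: int, flags: int, window: int) -> bytes:
    """Constructed test input: minimal 20-byte IPv4 + 20-byte TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 4242, 21, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ip_id, flags, window in [(39426, TCP_SYN | TCP_FIN, 0x404), (666, TCP_SYN | TCP_FIN, 1028),
                                 (12345, TCP_SYN | TCP_FIN, 8192), (12345, TCP_SYN, 0x404)]:
        probe = parse_ipv4_tcp(sample_packet(ip_id, flags, window))
        print(f"id={probe.ip_id:5d} flags=0x{probe.flags:02x} win={probe.window:5d} -> {classify(probe)}")
```

A live deployment would feed `parse_ipv4_tcp` from a pcap reader instead of `sample_packet`, and would then look for the follow-up banner-grab connection from the same source that the post describes.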