|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: RE: [snort] [**] SYN FIN Scan [**]
From: Ed Padin (epadin
wagweb.com)Date: Wed Mar 08 2000 - 12:00:25 CST
- Next message: Denis Ducamp: "Re: [snort] scan network for promiscuous mode"
- Previous message: Jerry Shenk: "RE: [snort] need Token Ring help"
- Maybe in reply to: Ed Padin: "[snort] [**] SYN FIN Scan [**]"
- Next in thread: Sean Murphy: "RE: [snort] [**] SYN FIN Scan [**]"
- Maybe reply: Ed Padin: "RE: [snort] [**] SYN FIN Scan [**]"
- Reply: Sean Murphy: "RE: [snort] [**] SYN FIN Scan [**]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>
>Definitely a Crafted Packet.
>
>The SYN+FIN will generate a reply whether the Port is
> opened or closed.
>
>When sending a SYN+FIN packet to a closed port (UNIX or
> Windows machines act the same) you receive a RST+ACK back.
>
>If this port is opened you'll get a SYN+ACK back.
>
>This gives an attacker 2 conclusions:
>
> 1. Host Detection - whether the machine is alive,
>because a reply
> will always be generated from an alive host.
> 2. Mapping the Port to see whether it is opened or
>closed upon the received
> reply.
Actually, I don't think that a firewalled machine will return anything. I
tried running a scan like this using nmap against my Linux ipfwadm'ed
machine and it ignored the packets. Please correct me if I am wrong.
- Next message: Denis Ducamp: "Re: [snort] scan network for promiscuous mode"
- Previous message: Jerry Shenk: "RE: [snort] need Token Ring help"
- Maybe in reply to: Ed Padin: "[snort] [**] SYN FIN Scan [**]"
- Next in thread: Sean Murphy: "RE: [snort] [**] SYN FIN Scan [**]"
- Maybe reply: Ed Padin: "RE: [snort] [**] SYN FIN Scan [**]"
- Reply: Sean Murphy: "RE: [snort] [**] SYN FIN Scan [**]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]