Bugtraq: AW: usual iploggers miss some variable stealth scans

From: Tobi <tklein2_at_IX.URZ.UNI-HEIDELBERG.DE>
Date: Tue, 18 Jan 2000 15:21:24 +0100

well, I tried your nmap-patch and must say that my scanlogd detects all of
the stealth scans you mentioned in your posting.

bye
Tobi

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ_at_SECURITYFOCUS.COM] On Behalf Of vecna
Sent: Monday, 17 January 2000 20:26
To: BUGTRAQ_at_SECURITYFOCUS.COM
Subject: usual iploggers miss some variable stealth scans

in November '99 more or less... i've discovered 5 types of new stealth scan,
with the modification of flags used normally on XMAS stealth scan.

the five types of packets that can be used for stealth scanning, and aren't
logged by the normal tcplogd/scanlogger, have these flags:
URG
PUSH
URG+FIN
PUSH+FIN
URG+PUSH

these flags on a packet, like FIN, XMAS (fin+urg+psh), and NULL scan (no
flag set), cause the reply RST+ACK if the port is closed, and no reply if the
port is open. this is effective only against *nix systems

i don't think that this is an important technical notice... but most tcp loggers
must be upgraded/reconfigured.

i've coded patch for nmap-2.12, check http://vecna.unix.kg

Bye.
vecna
Received on Jan 18 2000
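
Added example (not code from scanlogd, nmap, or either poster): a detection-side classifier for the flag combinations listed in this thread. It goes beyond the five listed values by flagging any TCP segment with SYN, ACK and RST all clear, which covers FIN, XMAS, NULL and the five new combinations in one rule. The function names and sample packets are constructed for illustration.

```python
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Labels for the three classic probes and the five combinations in the post.
NAMED = {
    0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS",
    URG: "URG", PSH: "PUSH", URG | FIN: "URG+FIN",
    PSH | FIN: "PUSH+FIN", URG | PSH: "URG+PUSH",
}

def make_header(dport, flags, sport=40000):
    """Build a constructed 20-byte TCP header for the sample data below."""
    return struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def classify(header):
    """Return a probe label, or None for a segment with SYN, ACK or RST set."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flags = header[13] & 0x3F          # ignore the two high bits of the byte
    if flags & (SYN | ACK | RST):
        return None                     # handshake, data, or reset segment
    # Only FIN/PSH/URG can remain, so all 8 possible values are in NAMED.
    return NAMED[flags]

def find_probes(packets):
    """packets: iterable of (source_ip, tcp_header). Returns alert tuples."""
    alerts = []
    for src, header in packets:
        label = classify(header)
        if label is not None:
            dport = struct.unpack("!H", header[2:4])[0]
            alerts.append((src, dport, label))
    return alerts

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", make_header(80, SYN)),
    ("192.0.2.10", make_header(80, ACK | PSH)),
    ("198.51.100.7", make_header(22, URG)),
    ("198.51.100.7", make_header(23, PSH | FIN)),
    ("198.51.100.7", make_header(25, URG | PSH)),
    ("198.51.100.7", make_header(79, 0)),
]

if __name__ == "__main__":
    for alert in find_probes(SAMPLE):
        print("%s -> port %d: %s probe" % alert)
```

Matching on the absence of SYN, ACK and RST rather than on an explicit list of flag values means a logger does not need a new rule each time another FIN/PSH/URG combination is tried.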
