Security Incidents: Scan of the Week continued

Scan of the Week continued

From: Lance Spitzner <lance_at_SPITZNER.NET>
Date: Sat, 3 Jun 2000 11:42:17 -0500

As several of you may know, I have started the
"Scan of the Week" program. Last week was the
second week of posting scan signatures. However,
we have not yet figured out the tool that created
the signatures, so I have kept them posted until
we (the security community) can figure it out.

Over the past two months various systems have
scanned my network for specific ports with the
following scan signature. The signatures are
similar enough for me to believe that the same
tool was used. For more info on both the
"Scan of the Week" program and the actual sigs:
http://www.enteract.com/~lspitz/papers.html

An example of the signatures (this case, scan for 111)

04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000 Ack: 0x0 Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919 DF
**S***A* Seq: 0x77BA6506 Ack: 0xCC410001 Win: 0x7FB8
TCP Options => MSS: 536
00 00 ..

04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111
TCP TTL:238 TOS:0x0 ID:44926
****R*** Seq: 0xCC410001 Ack: 0x0 Win: 0x0

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Received on Jun 05 2000
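
Added example, not part of the original post or of any tool it mentions: a Python parser for records in the layout shown above that reports probes having both SYN and FIN set and a source port of 0, the two traits visible in the first packet of the capture. The function names are hypothetical.

```python
import re

# The three records from the capture in the post (payload dump line omitted).
SAMPLE = """\
04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000 Ack: 0x0 Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919 DF
**S***A* Seq: 0x77BA6506 Ack: 0xCC410001 Win: 0x7FB8
TCP Options => MSS: 536

04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111
TCP TTL:238 TOS:0x0 ID:44926
****R*** Seq: 0xCC410001 Ack: 0x0 Win: 0x0
"""

HEADER = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")
IPLINE = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:(\d+)")
FLAGS = re.compile(r"^([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+)")

def parse(text):
    """Yield one dict per TCP record; records are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue  # truncated record
        h, ip, fl = HEADER.match(lines[0]), IPLINE.match(lines[1]), FLAGS.match(lines[2])
        if not (h and ip and fl):
            continue  # not a TCP record in this layout
        yield {"time": h[1], "src": h[2], "sport": int(h[3]), "dst": h[4], "dport": int(h[5]),
               "ttl": int(ip[1]), "flags": fl[1].replace("*", ""), "seq": int(fl[2], 16), "win": int(fl[4], 16)}

def anomalies(pkt):
    """Return the traits that are abnormal for a legitimate connection attempt."""
    reasons = []
    if {"S", "F"} <= set(pkt["flags"]):
        reasons.append("SYN+FIN")
    if pkt["sport"] == 0:
        reasons.append("source port 0")
    return reasons

def scan_probes(text):
    """Probes showing both traits, as (source, target, destination port)."""
    return [(p["src"], p["dst"], p["dport"]) for p in parse(text)
            if len(anomalies(p)) == 2]

if __name__ == "__main__":
    print(scan_probes(SAMPLE))
```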
