Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: fast ssh scans
From: Daniel Martin <dtmartin24 () home com>
Date: 18 Oct 2001 12:33:36 -0400
Can Erkin Acar <canacar () eee metu edu tr> writes:


Oct 16 19:54:25.228427 XXX.XXX.XXX.XXX.22 > YYY.YYY.YYY.YYY.22: SF [tcp sum ok] 415795998:415795998(0) win 1028 (ttl 
27, id 39426)
Oct 16 19:54:26.573878 XXX.XXX.XXX.XXX.1845 > YYY.YYY.YYY.YYY.22: S [tcp sum ok] 4137188806:4137188806(0) win 32120 
<mss 1460,sackOK,timestamp 164825588 0,nop,wscale 0> (DF) (ttl 49, id 30236)

* SSH log of the same machine: Shows that the second probe was a real
  connection (not a SYN scan). It is probably used to collect version
  information from the server. I believe it is NOT scanssh since scanssh
  does send a version string.

Oct 16 19:54:27 hostname sshd[3247]: Did not receive identification string from 209.26.178.170.

It looks like a custom tool looking for vulnerable sshd versions.
Has anyone encountered something similiar?


It looks like a synscan variant.  synscan's C source code is designed
so that it's easy to take the general framework (SF scan of an IP
range, followed by a fork() that does a regular connect to the port)
and plug in custom strings to look for in the connect message.  The
pattern I've seen before (the ramen worm worked this way) was that
synscan would write vulnerable IP addresses to a file, and then some
separate exploit program would then be run against each IP in that
file.  (The ramen worm had a driver script that ran a loop with "tail
-f" on the output file so that it could attempt to break into machines
while synscan was still scanning)

Telltale signs of a synscan variant: 
- SYN+FIN scan followed by an almost immediate regular SYN to open
  hosts.  (Doesn't this rather defeat the point of running a SYN+FIN
  scan in the first place?  Isn't it the point of a SYN+FIN scan to
  avoid being detected by those hosts that aren't running a firewall
  but do log regular connections to open ports?)
- IP id 39426 (This is what you get when your source code says 
        ip->id = 666;
  and you compile on a little-endian machine, like intel-based linux
  boxes) on the SYN+FIN scan
- Source port == Destination port (again, on the SYN+FIN scan - the
  synscan program uses this to distinguish FIN responses from open
  scanned machines from other unrelated incoming FIN packets)

So as for the tool used, it's synscan; however, this doesn't tell you
which ssh versions they were looking for nor which tool they would run
against your machines had they found a vulnerable box.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
  • fast ssh scans Can Erkin Acar (Oct 18)
    • Re: fast ssh scans Daniel Martin (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]