Home page logo
/

Nmap Announce mailing list archives

RE: Very cool scanning technique, nmap?
From: "J. Oquendo" <intrusion () engineer com>
Date: Mon, 31 Jul 2000 04:33:33 -0400 (EDT)

I recall tinkering with Packet Shell under Solaris which oddly enough is called "psh". Perhaps this was used to 
construct something in conjuction with nmap or some other scanner to implement a push flag. Packet Shell creates 
commands that allow you to create, modify, send, and receive packets on networks

http://playground.sun.com/pub/tcp-impl/psh/

Also be advised that whenever a SEND call is made PUSH (PSH) will come into play if I'm not mistaken.

/* snippet from RFC1122

When the PUSH flag is not implemented on SEND calls, i.e., when the application/TCP interface uses a pure streaming 
model, responsibility for aggregating an tiny data fragments to form reasonable sized segments is partially borne by 
the application layer. Generally, an interactive application protocol must set the PUSH flag at least in the last SEND 
call in each command or response sequence.  A bulk transfer protocol like FTP should set the PUSH flag on the last 
segment of a file or when necessary to prevent buffer deadlock.

At the receiver, the PSH bit forces buffered data to be delivered to the application (even if less than a full buffer 
has been received). Conversely, the lack of a PSH bit can be used to avoid unnecessary wakeup calls to the application 
process; this can be an important performance optimization for large timesharing hosts.

Passing the PSH bit to the receiving application allows an analogous optimization within the application.

END SNIPPET */

Being that FTP is mentioned in this doc any chance your running one of your honeypots indicating some sort of 
vulnerable ftp client running? If so could be someone constructed some sort of exploit and created a packet. Not the 
typical script kiddiot move but definitely worth looking in to.

FYI_STUFF
NetBSD had an issue regarding PSH flags
http://mail-index.netbsd.org/netbsd-bugs/1997/06/16/0003.html

Obecian has written a nice Packet Injection Suite that may offer something with the realms of PSH flags
http://celerity.bartoli.org

Yours truly,
J. Oquendo // sil () antioffline com // sil () deficiency org


------Original Message------
From: Lance Spitzner <lance () spitzner net>
To: nmap-hackers () insecure org
Sent: July 28, 2000 8:46:21 PM GMT
Subject: Very cool scanning technique, nmap?


Check this port scan out.  The guy is looking for open
ftp ports (21) on only two systems.  What makes this 
scanning technique so unique is that the tool tries 
a variety of different packet methods.   For example,
the first system he scans is .107 on port 21.  He tries
the following packet combos.

SYN/ACK
SYN
FIN
FIN/ACK
SYN/FYN
PSH

then repeat for system .101 on the same port, 21

Scanning guru's, any idea. nmap doesn't have this, does it?


07/19-08:28:04.572211 212.171.169.46:13921 -> 172.16.1.107:21
TCP TTL:239 TOS:0x0 ID:45258 
**S***A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
7F 40 00 00 00 00                                . ()     

07/19-08:28:04.580347 212.171.169.46:13920 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45257 
**S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
4B 85 70 36 1D 0C                                K.p6..

07/19-08:28:04.594902 212.171.169.46:13922 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45259 
***F**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
30 FD 70 20 22 10                                0.p ".

07/19-08:28:04.615347 212.171.169.46:13923 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45260 
***F**A* Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
1B 8E 70 8D 68 6D                                ..p.hm

07/19-08:28:04.633463 212.171.169.46:13924 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45261 
**SF**** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
51 D9 70 82 22 C6                                Q.p.".

07/19-08:28:04.655593 212.171.169.46:13925 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45262 
*****P** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
CF C4 70 83 A1 88                                ..p...

07/19-08:28:04.674717 212.171.169.46:13926 -> 172.16.1.107:21
TCP TTL:238 TOS:0x0 ID:45263 
21S***** Seq: 0x3EEE7030   Ack: 0x0   Win: 0x1234
07 91 70 13 72 1A                                ..p.r.

07/19-08:28:07.564938 212.171.169.46:25218 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56555 
**S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
6A C0 00 00 00 00                                j.....

07/19-08:28:07.575469 212.171.169.46:25219 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56556 
**S***A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
69 FE 9A 39 1A EE                                i..9..

07/19-08:28:07.593808 212.171.169.46:25220 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56557 
***F**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
92 D9 9A 64 D6 C2                                ...d..

07/19-08:28:07.615849 212.171.169.46:25221 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56558 
***F**A* Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
16 D2 9A 89 7C 9B                                ....|.

07/19-08:28:07.634785 212.171.169.46:25222 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56559 
**SF**** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
75 44 9A 18 8D 07                                uD....

07/19-08:28:07.655469 212.171.169.46:25223 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56560 
*****P** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
5E E0 9A 18 5E 11                                ^...^.

07/19-08:28:07.674845 212.171.169.46:25224 -> 172.16.1.101:21
TCP TTL:238 TOS:0x0 ID:56561 
21S***** Seq: 0x1D839A7F   Ack: 0x0   Win: 0x1234
52 DE 9A 07 23 31                                R...#1

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]