Home page logo
/

nmap-dev logo Nmap Development mailing list archives

ACK Scans
From: Triple Crown <triplecrown () optonline net>
Date: Fri, 23 May 2003 12:21:34 -0400

I'm researching some snort archived files from last year and have keyed on
some detects triggered by this snort rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0;
reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)

I've tried to reproduce the scan with nmap of sending a lone ACK flag with an acknowlegement number of 0 without any success.

A google search lead me to this:
http://archives.neohapsis.com/archives/snort/2000-08/0163.html

Apparently there was a bug in an older version of nmap that would produce this type of scan. The date on the posts from the above URL suggest that the bug existed a few
years back.

Does anyone know if it is possible to reproduce this scan with nmap without the older version ? All of my testing with -PT or -sA resulted in what appears to be random
ACK numbers

On a side note -
It may just be my ignorance of using the -PT flag properly but I found you can't do a -PT80 as suggested in the man pages to scan port 80, but by adding -p80 it
works properly.

Any help is appreciated.....




---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]