On Mon, May 22, 2000 at 08:25:19AM -0500, Lance Spitzner wrote:
> Recently my network was scanned. I do not think
> this was nmap. If not, does anyone have any
> idea which tools this was?
I have no idea which "scanner" it is but I couldn't use such paquets to scan
a host. Tried against linux 2.2.13 and WinNT4SP5 but none of them replied. I
don't think that it's a port scanner.
Here are tests with hping as a traceroute program :
# hping -F -R -P -s 31337 -k -p <open port> -T -t 1 <server>
...
10->TTL 0 during transit from A.B.C.D (...)
11->TTL 0 during transit from E.F.G.H (...)
12->TTL 0 during transit from I.J.K.L (...)
# hping -F -R -P -s 31337 -k -p <closed port> -T -t 1 <server>
...
10->TTL 0 during transit from A.B.C.D (...)
11->TTL 0 during transit from E.F.G.H (...)
They stop at different places so that seems to be a paquet filter test.
> 05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
> TCP TTL:44 TOS:0x10 ID:242
> ***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
Snort is a great tool too ;-)
Denis Ducamp.
--
Denis.Ducamp@hsc.fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
Received on May 22 2000
Intro
