Hi again,

A few days back we were discussing how to block nmap's XMAS, NULL, ...
scans.

The solutions work in a way that nmap doesn't reveal any open ports.

Unfortunately, replying with RST packets has its obvious disadvantages.

When using hping2, it detects those packets, and we can see that the host
is replying.

Look at this:

firewall# iptables -A INPUT -p tcp -m unclean -j REJECT --reject-with \
      tcp-reset

attacker# nmap -sX -p 53 a.b.c.d

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
The 1 scanned port on dns.toxicfilms.tv (a.b.c.d) is: closed

attacker# hping2 aaa.bbb.cc.dd
HPING aaa.bbb.cc.dd (eth1 aaa.bbb.cc.dd): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=aaa.bbb.cc.dd flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.8 ms
len=46 ip=aaa.bbb.cc.dd flags=RA DF seq=1 ttl=255 id=0 win=0 rtt=0.7 ms

firewall# iptables -F
firewall# iptables -A INPUT -m unclean -j DROP

attacker# nmap -sX -p 53 aaa.bbb.cc.dd

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on dns.toxicfilms.tv (aaa.bbb.cc.dd):
Port       State       Service
53/tcp     open        domain

attacker# hping aaa.bbb.cc.dd
HPING aaa.bbb.cc.dd (eth1 aaa.bbb.cc.dd): NO FLAGS are set, 40 headers + 0 data bytes

--- 150.254.37.24 hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


So as you see, each approach seems to be vulnerable.
Unfortunately both of these packets are 40 bytes long. So there's no way
to differentiate between them (or am I wrong? maybe analyzing TCP or IP
headers in detail would give some suggestions?)

hping packet
20:18:49.960722 0:10:5a:28:2a:d4 0:50:da:41:eb:18 ip 60:
host1.com.1199 > host2.com.pop3: . [tcp sum ok] win 512
(ttl 64, id 61000, len 40)
                         4500 0028 ee48 0000 4006 1460 zzzz xxxx
                         aabb ccdd 04af 006e 39a5 a622 3962 43a9
                         5000 0200 d3cc 0000 0000 0000 0000

nmap XMAS packet

20:19:41.417953 0:10:5a:28:2a:d4 0:50:da:41:eb:18 ip 60:
host1.com.53345 > host2.com.pop3: FP [tcp sum ok] 0:0(0)
win 2048 urg 0 (ttl 49, id 10605, len 40)
                         4500 0028 296d 0000 3106 e83b zzzz xxxx
                         aabb ccdd d061 006e 0000 0000 0000 0000
                         5029 0800 5ec4 0000 0000 0000 0000


Is it unsolvable?
But most scans are generated with nmap. I hope.

Best Regards,
Maciej Soltysiak
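An added example, not part of Maciej's post: a small Python 3 decoder for the two hex dumps quoted above, listing the IP and TCP header fields in which the hping NULL packet and the nmap XMAS packet actually differ. The masked address bytes (zzzz xxxx / aabb ccdd) are not valid hex, so they are replaced by the placeholder addresses 10.0.0.1 and 10.0.0.2 (an assumption); every other byte is taken from the dumps as posted.

```python
import struct

# Constructed input: the two hex dumps from the tcpdump output above, with the
# masked source/destination addresses replaced by the placeholders
# 10.0.0.1 -> 10.0.0.2 (an assumption, not the real hosts).
HPING_NULL_HEX = """
4500 0028 ee48 0000 4006 1460 0a00 0001
0a00 0002 04af 006e 39a5 a622 3962 43a9
5000 0200 d3cc 0000 0000 0000 0000
"""

NMAP_XMAS_HEX = """
4500 0028 296d 0000 3106 e83b 0a00 0001
0a00 0002 d061 006e 0000 0000 0000 0000
5029 0800 5ec4 0000 0000 0000 0000
"""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_string(flags):
    """Render the TCP flag bits by name, e.g. 'FIN,PSH,URG'; 'NONE' if unset."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    return ",".join(names) or "NONE"


def parse_packet(hexdump):
    """Parse an IPv4 header and the TCP header that follows it from a
    tcpdump-style hex dump. Bytes beyond the IP total length are the
    Ethernet padding that makes the 40-byte packets show up as 60 on the wire."""
    raw = bytes.fromhex("".join(hexdump.split()))
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto,
     _ipchk, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    (sport, dport, seq, ack, off, flags, window,
     _tcpchk, urgptr) = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    return {
        "ip_len": total_len,
        "padding": len(raw) - total_len,
        "ip_id": ident,
        "df": bool(frag & 0x4000),
        "ttl": ttl,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off >> 4) * 4,
        "flags": flags,
        "window": window,
        "urgptr": urgptr,
    }


def classify_scan(flags):
    """Name the nmap scan type that uses exactly this flag combination."""
    if flags == 0:
        return "NULL"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    if flags & SYN and flags & (FIN | RST):
        return "invalid (SYN with FIN/RST)"
    return "other"


def differing_fields(a, b, ignore=("src", "dst", "sport")):
    """Fields whose values differ between two parsed packets. Addresses and
    the ephemeral source port differ between any two packets, so they are
    skipped; what remains is what a filter could key on."""
    return {k: (a[k], b[k]) for k in a if k not in ignore and a[k] != b[k]}


if __name__ == "__main__":
    hping = parse_packet(HPING_NULL_HEX)
    nmap = parse_packet(NMAP_XMAS_HEX)
    for name, pkt in (("hping", hping), ("nmap", nmap)):
        print(f"{name}: ip_len={pkt['ip_len']} pad={pkt['padding']} "
              f"flags={flag_string(pkt['flags'])} scan={classify_scan(pkt['flags'])} "
              f"win={pkt['window']} ttl={pkt['ttl']} seq={pkt['seq']:#x} ack={pkt['ack']:#x}")
    print("differs:", differing_fields(hping, nmap))
```

Both dumps decode to the same IP total length (40) plus 6 bytes of Ethernet padding, so length alone separates them no better than the post says. What does differ is the flags byte (0x00 versus 0x29, i.e. FIN+PSH+URG), the window (512 versus 2048), the TTL, and the sequence/ack fields, which nmap zeroes while hping fills them. Exact flag combinations are what `iptables -p tcp --tcp-flags ALL NONE` and `--tcp-flags ALL FIN,PSH,URG` match on; that tells these two captures apart, but an hping run with `-F -P -U` would again match the XMAS rule on its flags byte, leaving only the window and sequence fields to look at.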
