Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Help understanding a trace of an nmap scan

from [Sebastian Garcia] Network Security [Permanent Link]
Subject: Re: Help understanding a trace of an nmap scan
Date: Fri, 11 Feb 2005 12:02:27 -0900 
Hi Richard, 

Be careful with your terminal!, you disclosed a public ip address in
your nmap output. 

I don't know exactly why this is happening, here is my 2 cents analisys.

I think there are 2 diferent classes of nmap RSTs in your trace.

Your First RST

14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R
1:1(0) ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)


This packet is nmap trying to be nice with the other host. It's closing
the conection so the other tcp/ip stack stops waiting for further data.

Your first recived Push

14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P
1:27(26) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)


This is how daytime service works. It automatically sends you the
requested information.

After this, daytime FINishes the connection sending you a FIN packet.
Nmap should honours the FIN handshake sending an ACK, BUT your nmap
didn't send it.


In your first RST, nmap is using a socket connection. So we can see a
5840 byte window and ip optins with timestamp. (Also you can confirm
that this packet is related to the SYN/ACK packet because it has the
correct "138541011" SYN/ACK timestamp on it).

BUT second and third RST packets, are nmap crafted packets. They doesn't
belong to a socket connection. They have a 0 byte window and no ip
options. 

Your Second RST

14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R
2950063923:2950063923(0) win 0 (DF)


We can be sure that this RST packets belong to this scan looking at
packet capture time.

We see a first burst of packets with capture time "14:16:23.428150",
then, one second later, daytime sends the data and nmap responds with a
second burst of packets with capture time "14:16:23.448150".
Although it's very unlikely to respond so quickly, i believe is a matter
of time configuration in the tcpdump host.




In a clean nmap scan to port 13, connect scan. We should see something
like this.

10:48:49.130733 IP yy.yy.yy.yy.40771 > xx.xx.xx.xx.13: S
1611027253:1611027253(0) win 5840 <mss 1460,sackOK,timestamp 171762977
0,nop,wscale 0>
10:48:49.130970 IP xx.xx.xx.xx.13 > yy.yy.yy.yy.40771: S
1131021469:1131021469(0) ack 1611027254 win 5792 <mss
1460,sackOK,timestamp 76453060 171762977,nop,wscale 2>
10:48:49.131014 IP yy.yy.yy.yy.40771 > xx.xx.xx.xx.13: . ack 1 win 5840
<nop,nop,timestamp 171762977 76453060>
10:48:49.132197 IP xx.xx.xx.xx.13 > yy.yy.yy.yy.40771: P 1:27(26) ack 1
win 1448 <nop,nop,timestamp 76453061 171762977>
10:48:49.132265 IP yy.yy.yy.yy.40771 > xx.xx.xx.xx.13: . ack 27 win 5840
<nop,nop,timestamp 171762979 76453061>
10:48:49.132271 IP xx.xx.xx.xx.13 > yy.yy.yy.yy.40771: F 27:27(0) ack 1
win 1448 <nop,nop,timestamp 76453061 171762977>
10:48:49.172272 IP yy.yy.yy.yy.40771 > xx.xx.xx.xx.13: . ack 28 win 5840
<nop,nop,timestamp 171763019 76453061>
10:48:49.238035 IP yy.yy.yy.yy.40771 > xx.xx.xx.xx: R 1:1(0) ack 28 win
5840 <nop,nop,timestamp 171763084 76453061>

Note the changeing times.


Cheers.

Sebastian Garcia




On Mon, 2004-09-06 at 15:11 +0100, Richard Moore wrote:

I wonder if anyone can help me make sense of this packet trace. It shows 
nmap runing a connect scan against port 13 of a host. The part I don't
understand is why there are 3 RST packets sent to the target machine?

If it helps anyone the target host is a Debian box running 2.4.26 Linux 
kernel and the source machine was a RedHat box running 2.4.7-10. The
version of nmap used is 3.48.

Cheers

Rich.
plain text document attachment (nmap-dump)
14:16:23.098150 host.name.deleted > other.host.name: icmp: echo request
14:16:23.108150 host.name.deleted.45639 > other.host.name.http: . ack 
901588830 win 1024
14:16:23.108150 other.host.name > host.name.deleted: icmp: echo reply
14:16:23.108150 other.host.name.http > host.name.deleted.45639: R 
901588830:901588830(0) win 0 (DF)
14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S 
2950063922:2950063922(0) win 5840 <mss 1460,sackOK,timestamp 51097216 
0,nop,wscale 0> (DF)
14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S 
1866105343:1866105343(0) ack 2950063923 win 5792 <mss 1460,sackOK,timestamp 
138541011 51097216,nop,wscale 0> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1 win 
5840 <nop,nop,timestamp 51097217 138541011> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R 1:1(0) 
ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
Interesting ports on other.host.name (194.153.168.235):
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P 1:27(26) 
ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 
2950063923:2950063923(0) win 0 (DF)
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: F 27:27(0) 
ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 
2950063923:2950063923(0) win 0 (DF)

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

-- 
Sebastian Garcia
Div. Seguridad Informática
DINFO - CITEFA
San Juan B. de La Salle 4397 
B1603ALO Villa Martelli - Pcia. Bs. As.
Tel: (54-11) 4709-8289 
e-mail: sgarcia@citefa.gov.ar - www.citefa.gov.ar/si6
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x4305E810
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: Help understanding a trace of an nmap scan, Sebastian Garcia <=
Previous by Date:  RE: Data Mining for PIX Firewall Logs, Todd Towles
Next by Date:  RE : Data Mining for PIX Firewall Logs, MARTEAU Jean-Louis
Previous by Thread:  Betr.: WHERE DO YOU KEEP YOUR EXPLOIT ARCHIVE AND DATABASE, Philip Wagenaar
Next by Thread:  RE : Data Mining for PIX Firewall Logs, MARTEAU Jean-Louis
Indexes:  [Date] [Thread] [Top] [All Lists]