[Snort-users] Snort and Random ACK Scans

Daniel van Balen vdaniel at ...191...
Fri Aug 11 03:08:43 EDT 2000


On Thu, Aug 10, 2000 at 05:30:35PM -0700, Fyodor wrote:
> On Thu, 10 Aug 2000, Daniel van Balen wrote:
> 
> > 	But there seems to be a bug in nmap... If you don't give it the "-v"
> > option, nmap will send ACK packets with random looking sequence numbers but
> > *with ack=0* which will be detected by the "NMAP TCP PING" rule.
> 
> I cannot reproduce this.  What version of Nmap are you using?
> 
> I just tried 'nmap -P0 -sA -p22-25 -n 192.168.0.4' and watched the output
> of 'tcpdump -v -n "dst host 192.168.0.4"':
> 
> I don't see any zero ACKs.  If you can reproduce the zero ACKs, please
> send me more information (Nmap version, command line used, preferably a
> tcpdump trace, etc).
> 

	I've got nmap installed via rpm: "nmap-2.53-1".

Here goes:

With nmap -v -p23-25 -sA 10.8.8.110 

tcpdump -v -n "dst host 10.8.8.110 and port not 22" gives:

10:18:32.529384 eth0 < 10.8.8.33 > 10.8.8.110: icmp: echo request (ttl 57, id 30858)
10:18:32.529739 eth0 < 10.8.8.33.34459 > 10.8.8.110.www: . 2762473475:2762473475(0) ack 1449572651 win 1024 (ttl 56, id 60467)
10:18:32.923148 eth0 < 10.8.8.33.34439 > 10.8.8.110.26: . 178004051:178004051(0) ack 2136318695 win 1024 (ttl 56, id 54728)
10:18:32.923506 eth0 < 10.8.8.33.34439 > 10.8.8.110.smtp: . 178004051:178004051(0) ack 2136318695 win 1024 (ttl 56, id 59168)
10:18:32.923830 eth0 < 10.8.8.33.34439 > 10.8.8.110.24: . 178004051:178004051(0) ack 2136318695 win 1024 (ttl 56, id 40822)
10:18:32.924138 eth0 < 10.8.8.33.34439 > 10.8.8.110.telnet: . 178004051:178004051(0) ack 2136318695 win 1024 (ttl 56, id 4651)

	An icmp echo, a tcp echo to port 80 and the ack scan (all with the same random-looking ack) as expected.

With nmap -p23-25 -sA 10.8.8.110

tcpdump -v -n "dst host 10.8.8.110 and port not 22" gives:

10:31:00.355811 eth0 < 10.8.8.33 > 10.8.8.110: icmp: echo request (ttl 49, id 7251)
10:31:00.356103 eth0 < 10.8.8.33.58956 > 10.8.8.110.www: . 2388131843:2388131843(0) ack 3689555062 win 4096 (ttl 43, id 35261)
10:31:29.052905 eth0 < 10.8.8.33.58936 > 10.8.8.110.telnet: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 45938)
10:31:29.053003 eth0 < 10.8.8.33.58936 > 10.8.8.110.smtp: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 61141)
10:31:29.053092 eth0 < 10.8.8.33.58936 > 10.8.8.110.24: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 38276)
10:32:47.460737 eth0 < arp reply 10.8.8.33 is-at 0:80:ad:40:fd:f1 (0:80:ad:b3:eb:56)

	Same as before except that ack=0 (for the scan but not for the tcp ping).


	If you need more info please let me know.

-spiff
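The two traces above show what a detection rule like Snort's "NMAP TCP PING" keys on: a bare ACK segment whose acknowledgement number is 0, and, for the scan itself, one seq/ack pair reused against several destination ports. The following Python is an added example, not code from this thread, from Snort or from nmap; it parses lines in the old Linux tcpdump format quoted in the mail (the sample input is constructed from the second trace), flags zero-ack bare-ACK probes, and groups bare-ACK probes by (src, sport, dst, seq, ack) to surface port sweeps. The regex, the `min_ports` threshold and the grouping key are my assumptions, not anything the rule or nmap defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the second trace from the mail, one tcpdump record per line.
SAMPLE = """\
10:31:00.355811 eth0 < 10.8.8.33 > 10.8.8.110: icmp: echo request (ttl 49, id 7251)
10:31:00.356103 eth0 < 10.8.8.33.58956 > 10.8.8.110.www: . 2388131843:2388131843(0) ack 3689555062 win 4096 (ttl 43, id 35261)
10:31:29.052905 eth0 < 10.8.8.33.58936 > 10.8.8.110.telnet: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 45938)
10:31:29.053003 eth0 < 10.8.8.33.58936 > 10.8.8.110.smtp: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 61141)
10:31:29.053092 eth0 < 10.8.8.33.58936 > 10.8.8.110.24: . 2128189200:2128189200(0) ack 0 win 4096 (ttl 43, id 38276)
10:32:47.460737 eth0 < arp reply 10.8.8.33 is-at 0:80:ad:40:fd:f1 (0:80:ad:b3:eb:56)
"""

# Assumed line shape (old tcpdump): "<ts> <if> [<>] <src>.<sport> > <dst>.<dport>: <flags> <seq>:<seq>(<len>) ack <ack> win <win> ..."
# ICMP and ARP records do not match and are skipped.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ [<>] "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\) ack (?P<ack>\d+) win (?P<win>\d+)"
)


@dataclass(frozen=True)
class TcpProbe:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str   # old tcpdump prints "." for a segment with only ACK set
    seq: int
    ack: int


def parse_tcp(lines):
    """Yield a TcpProbe for every TCP record; non-TCP lines fall through the regex."""
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            yield TcpProbe(m["ts"], m["src"], m["sport"], m["dst"], m["dport"],
                           m["flags"], int(m["seq"]), int(m["ack"]))


def zero_ack_probes(probes):
    """Bare-ACK segments with acknowledgement number 0: the 'NMAP TCP PING' pattern."""
    return [p for p in probes if p.flags == "." and p.ack == 0]


def ack_sweeps(probes, min_ports=3):
    """Group bare-ACK probes sharing source, source port, target, seq and ack;
    the same header hitting several destination ports is an ACK scan (threshold is assumed)."""
    groups = defaultdict(set)
    for p in probes:
        if p.flags == ".":
            groups[(p.src, p.sport, p.dst, p.seq, p.ack)].add(p.dport)
    return {key: sorted(ports) for key, ports in groups.items() if len(ports) >= min_ports}


def analyse(text):
    """Run both detectors over a block of tcpdump output."""
    probes = list(parse_tcp(text.splitlines()))
    return {"zero_ack": zero_ack_probes(probes), "sweeps": ack_sweeps(probes)}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for p in result["zero_ack"]:
        print(f"zero-ack bare ACK: {p.src}:{p.sport} -> {p.dst}:{p.dport} at {p.ts}")
    for (src, sport, dst, seq, ack), ports in result["sweeps"].items():
        print(f"ACK sweep from {src}:{sport} to {dst} ports {ports} (seq={seq}, ack={ack})")
```

On the constructed sample the first detector reports the three scan probes (ack 0) and not the tcp ping to port 80, which carries a non-zero ack, matching what the mail describes; the second detector reports one sweep across ports 24, smtp and telnet. Running the same code over the first trace in the mail (the `-v` run) yields no zero-ack hits but still reports the sweep, which is why a zero-ack signature alone is a weak indicator of an ACK scan.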