From: Lamont Granquist [lamontg@RAVEN.GENOME.WASHINGTON.EDU]
Sent: Wednesday, September 15, 1999 2:19 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ACK/th_win portscanning

I just posted a patch to nmap to the nmap-hackers list which implements yet
another "stealth" scan. This one sends out packets with only the ACK bit set
and looks for responses that either have th_win set to some value (0x1000,
0x2000, 0x4000 typically) or th_win is clear. Fyodor went through the
nmap-os-fingerprints file and found that it was easy to use that database to
find systems which are vulnerable to these kinds of scans.

Vulnerable systems of note include:

  Digital Unix 4.0X
  FreeBSD <=4.0
  OpenBSD <=2.5.
  AIX <=4.3.2 (is this current?)

Notable systems which are /NOT/ vulnerable include:

  Solaris (all?)
  IRIX 6.x
  HP-UX 11.0
  Linux (all?)

Probably the only "stealth" benefit of this kind of scan would be that it
should get through ipfwadm firewalls that use the ACK bit to determine whether
or not packets get through (ipfwadm's -k flag), e.g:

  # allow incoming packets to other high numbered ports from anywhere, but
  # only for packets with the ACK bit set (i.e. outgoing connections)
  /sbin/ipfwadm -I -k -a accept -P tcp -S any/0 -D $MYNET 1024:65535

But it should be blocked by ipf's "keep state":

  pass out quick proto tcp from to any keep state

It would be interesting to test this in conjunction with frag scanning against
various firewalls. It might also be interesting to test this with out-of-order
frag scanning (which nmap doesn't do, due to limitations in SOCK_RAW) against
various firewalls (particularly ones that advertise "keep state" functions).
Of course, you'll need a vulnerable test system behind the firewall to scan
against.

Fyodor's post with all the vulnerable systems follows. Attached is the patch to
NMAP 2.3 BETA 3 (applies cleanly to BETA 5 as well).
On Wed, 15 Sep 1999, Fyodor wrote:
> On Mon, 13 Sep 1999, Lamont Granquist wrote:
> >
> > Yeah, don't know how useful it is, since the only current version of an OS
> > that it seems to be effective against is Digital Unix. With only the ACK
> > bit set it might be able to get through some firewall rules, though.
>
> I think it works against the latest FreeBSD as well. Perhaps I should
> apply your patch and leave it as another undocumented scan type in the
> next version of Nmap. Interestingly, the nmap-os-fingerprints database
> that comes with Nmap can often enumerate the operating systems with
> interesting characteristics like this. For example, here is an easy way
> to get a list of OS versions that should be vulnerable to your window
> scan:
>
> amy~/nmap>cat nmap-os-fingerprints | perl -ne 'while(<>) { chomp;if (/^fingerprint\s+([^\#]+)/i) { if (defined($owin) and defined($cwin) and $owin ne $cwin) { print "$oname ($owin vs. $cwin)\n";} $oname=$1;undef($cwin);undef($owin);} elsif (/^T(4|6)\(.*W=([^%]+)/) { if ($1 eq 4){$owin=$2;} else { $cwin = $2; }}}' | sort -f
> A/UX 3.1.1 SVR2 (1000 vs. 0)
> ACC Amazon 9.2.29 or Congo 9.2.35 WAN concentrator (1000 vs. 0)
> Acorn Risc OS 3.6 (Acorn TCP/IP Stack 4.07) (3000 vs. 0)
> Acorn RiscOS 3.7 using AcornNet TCP/IP stack (4000 vs. 0)
> AGE Logic, Inc. IBM XStation (2000 vs. 0)
> AIX 3.2 (4000 vs. 0)
> AIX 4.0 - 4.1 (8000|4000 vs. 0)
> AIX 4.02.0001.0000 (4000 vs. 0)
> AIX 4.1 (4000 vs. 0)
> AIX 4.2 (4000 vs. 0)
> AIX 4.2 (4000 vs. 0)
> AIX 4.3.2 (4000 vs. 0)
> AIX v4.1 running on a C10 (4000 vs. 0)
> Alcatel 1000 DSL Router / unknown OS Rev. (2000 vs. 0)
> AmigaOS AmiTCP/IP 4.3 (2000 vs. 0)
> AmigaOS AmiTCP/IP Genesis 4.6 (8000 vs. 0)
> AmigaOS Miami 2.1-3.0 (4000 vs. 0)
> AmigaOS Miami 3.0 (4000 vs. 0)
> AmigaOS Miami 3.1-3.2 (4000 vs. 0)
> AmigaOS Miami Deluxe 0.9 - Miami 3.2B (4000 vs. 0)
> AOS/VS or VSII (1000 vs. 0)
> Apollo Domain/OS SR10.4 (239C vs. 800)
> Auspex Fileserver (AuspexOS 1.9.1/SunOS 4.1.4) (4000 vs. 0)
> AXIS NetEye Camera Server V1.20 (100|0 vs. 0)
> AXIS or Meridian Data Network CD-ROM server (200 vs. 0)
> AXIS Stack -- CD-ROM Server or Printer Server or Camera Server (100|0 vs. 0)
> BeOS 4 - 4.5 (3000 vs. 0)
> BSDI BSD/OS 2.0 - 2.1 (2000|0 vs. 0)
> CacheOS (CacheFlow 2000 proxy cache) (2000 vs. 0)
> Canon photocopier/fax/scanner/printer GP30F (C00 vs. 0)
> Cisco CacheEngine (2000 vs. 0)
> Compaq Tru64 UNIX (formerly Digital UNIX) 4.0e (8000 vs. 0)
> Convex OS Release 10.1 (7C00 vs. 0)
> Cray Unicos 9.0 - 10.0 or Unicos/mk 1.5.1 (FFFF vs. 0)
> Cray UNICOS 9.0.1ai - 10.0.0.2 (8000 vs. 0)
> DEC OSF/1 V1.3A (8000 vs. 0)
> DECNIS 600 V4.1.3B System (8000 vs. 0)
> DECserver700-16, Network Access SW V2.2 (600 vs. 0)
> DG/UX Release R4.11MU02 (2238 vs. 0)
> Digital OpenVMS AXP 6.2 running Attachmate Pathway 3.1 TCP stack (2000 vs. 0)
> Digital Unix 4.0E (7000|8000 vs. 0)
> Digital UNIX OSF1 V 3.0,3.2,3.2C (8000 vs. 0)
> Digital UNIX OSF1 V 4.0,4.0B,4.0D (8000 vs. 0)
> Extreme Gigabit switch (unknown version) (1000 vs. 0)
> FreeBSD 2.1.0 - 2.1.5 (4000 vs. 0)
> FreeBSD 2.2.1 - 3.2 (4000|0 vs. 0)
> FreeBSD 2.2.1 - 4.0 (4000|0 vs. 0)
> HP Entria X station (running Netstation 7.x) (2000 vs. 0)
> HP-BSD 2.0 (2000 vs. 0)
> HP-UX 9.01 - 9.07 (2000 vs. 0)
> HP-UX A.09.00 E 9000/817 - A.09.07 A 9000/777 (2000 vs. 0)
> HP-UX B.10.01 A 9000/715 (8000 vs. 0)
> HP-UX B.10.20 A 9000/715 or 9000/712 or 9000/871 or 9000/861 with tcp_random_seq = 0 (8000 vs. 0)
> HP-UX B.10.20 A 9000/715 or 9000/712 or 9000/871 with tcp_random_seq = 1 (8000 vs. 0)
> IBM LAN RouteSwitch/Xylan OmniSwitch Version 3.2.5/NeXT (1000 vs. 0)
> IBM OS/2 V 2.1 (7000 vs. 0)
> IBM OS/2 V.3 (7000 vs. 0)
> IBM OS/2 Warp 4.0 (7000 vs. 0)
> IBM OS/2 Warp Server for E-business (Aurora) Beta (8000 vs. 0)
> IBM OS/2 Warp Server for E-business (Aurora) Beta (8000 vs. 0)
> Intel NetportExpress(tm) 10/100 3-port ROM: V05.10a (16D0 vs. 0)
> IRIX 5.2 (F000 vs. 0)
> IRIX 5.3 (EF2A|F000 vs. 0)
> Juniper Router running JUNOS (4000 vs. 0)
> LynxOS Realtime OS -- Could be MeetingPlace 3.4, Xylogics Remote Annex 4000 terminal server (1000 vs. 0)
> Mac OS X (Rhapsody 5.5) on a G3 (8000 vs. 0)
> Meridian Data Network CD-ROM Server (V4.20 Nov 26 1997) (200 vs. 0)
> Mirapoint M1000 (OS v 1.0.0) (4000 vs. 0)
> NCD X server (SNMP says: NCD16 server 2.3.0 03/12/91 downloaded) (800 vs. 0)
> Neoware (was HDS) NetOS V. 2.0.1 or HP ENTRIA C3230A (2000 vs. 0)
> NetApp OnTap 3.1.6 (1000 vs. 0)
> NetApp OnTap 5.1.2 - 5.2.2 (2000 vs. 0)
> NetBSD 1.0 big endian arch (4000 vs. 0)
> NetBSD 1.0 little endian arch (4000 vs. 0)
> NetBSD 1.1 - 1.2.1 litle endian arch (4000 vs. 0)
> NetBSD 1.2 - 1.2.1 big endian arch (4000 vs. 0)
> Network Systems router NS6614 (NSC 6600 series) (1000 vs. 0)
> NeXT Mach (1000 vs. 0)
> OpenBSD 2.1 - 2.3/SPARC (4000 vs. 0)
> OpenBSD 2.1/X86 (4000 vs. 0)
> OpenBSD 2.2 - 2.3 (4000 vs. 0)
> OpenBSD Post 2.4 (November 1998) - 2.5 (4000 vs. 0)
> OpenStep 4.0 or NextStep 1.0 (Intel) (1000 vs. 0)
> OpenStep 4.1/NeXTStep 3.3 (1000 vs. 0)
> OpenStep 4.2/Intel (1000 vs. 0)
> OpenVMS 6.1 (1000 vs. 0)
> OpenVMS 6.2 (1800 vs. 0)
> OpenVMS 7.1 Alpha running Digital's UCX v4.1ECO2 TCP/IP package (BB8 vs. 0)
> OpenVMS Alpha 6.2 running DIGITAL TCP/IP Services (UCX) v4.0 (BB8 vs. 0)
> OpenVMS Alpha V7.1-1H2 running DIGITAL TCP/IP Services (UCX) V4.2 (1000 vs. 0)
> OpenVMS V6.1 on Digital VAX 4000-105A (1800 vs. 0)
> OSF/1 5.60 (8000 vs. 0)
> Packeteer IP-PacketShaper 2000 V3.1 (1000 vs. 0)
> QNX 4.24 (2000 vs. 0)
> Redback SMS1000 Router (2000 vs. 0)
> Rhapsody 5.3 - 5.4 (Mac OS X Server 1.0 - 1.0-1) (2000 vs. 0)
> Router/Switch (LanPlex 2500/Cisco Catalyst 5505/Trancell Webramp/Xylan Omni Switch) (1000 vs. 0)
> SEQUENT DYNIX/ptx(R) V4.2.1 (1000 vs. 0)
> Shiva LanRover/8E Version 3.5 (1000 vs. 0)
> Snap Network Box (4470 vs. 0)
> SPP-UX 5.2.1 (8000 vs. <1001)
> SPP-UX 5.x on a Convex SPP-1600 (8000 vs. C00)
> Stock OpenVMS 7.1 (2200 vs. 0)
> SunOS 4.0.3 (1000 vs. 0)
> SunOS 4.1.1 - 4.1.4 (or derivative) (1000|2000|6000|C000 vs. 0)
> SunOS 4.1.3_U1 + ISI RFC1323 mods from ISI (1000 vs. 0)
> Ultrix 4.1 (4000 vs. 0)
> Ultrix 4.2 - 4.5 (4000 vs. 0)
> Unicos 10.0.0 on Cray 90 (8000 vs. 0)
> VAX 7000-610 or 4200/SPX OR 6000-430 (1800 vs. 0)
> VAX/VMS 5.3 on a MicroVAX II (1000 vs. 0)
> VNS V6.2 (2200 vs. 0)
> VxWorks 5.3.x bases system (usually an ethernet hub or switch) (1000 vs. 0)
> webcache CacheFlow 5000 with latest OS (2000 vs. 0)
> Xylan OmniSwitch 5x/9x ethernet switch, Annex3 Comm server R10.0, or Hitach HI-UX/WE2 (1000 vs. 0)
>
>
> Cheers,
> Fyodor
>
> --
> Fyodor 'finger pgp@pgp.insecure.org | pgp -fka'
> "I might be able to shoehorn a reference count in on top of the numeric
> value by disallowing multiple references on scalars with a numeric value,
> but it wouldn't be as clean. I do occasionally worry about that." -Larry Wall

--
Lamont Granquist                          lamontg@genome.washington.edu
Dept. of Molecular Biotechnology          (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg@raven.genome.washington.edu | pgp -fka
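As an added example (not code from either mail, nor from nmap), here is a Python reimplementation of the check Fyodor's one-liner performs over the nmap-os-fingerprints format: it compares the W= window in the T4 (ACK to an open port) and T6 (ACK to a closed port) responses. It goes beyond the one-liner by emitting the last record and by treating `|`-separated alternatives as sets, so an entry such as "4000|0 vs. 0" is flagged ambiguous rather than distinct. The sample database is constructed with illustrative window values; it is not a copy of the real fingerprint file.

```python
import re

# Constructed sample in the 1999 nmap-os-fingerprints layout (illustrative values,
# not the real database). T4 = ACK to an open port, T6 = ACK to a closed port.
SAMPLE_DB = """\
Fingerprint AIX 4.3.2  # hypothetical entry
T4(DF=N%W=4000%ACK=O%Flags=R%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)

Fingerprint FreeBSD 2.2.1 - 3.2
T4(DF=N%W=4000|0%ACK=O%Flags=R%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)

Fingerprint Linux 2.2.x
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
"""
FP_RE = re.compile(r"^fingerprint\s+([^#]+)", re.I)   # same patterns as the one-liner
PROBE_RE = re.compile(r"^T(4|6)\(.*?W=([^%)]+)")     # W= is the RST's window field

def parse_fingerprints(text):
    """Yield (name, t4_wins, t6_wins); wins are frozensets of '|' alternatives or None."""
    name, wins = None, {"4": None, "6": None}
    for line in text.splitlines():
        m = FP_RE.match(line)
        if m:
            if name is not None:              # flush the previous record
                yield name, wins["4"], wins["6"]
            name, wins = m.group(1).strip(), {"4": None, "6": None}
            continue
        m = PROBE_RE.match(line)
        if m and name is not None:
            wins[m.group(1)] = frozenset(m.group(2).split("|"))
    if name is not None:                      # last record; the one-liner drops it
        yield name, wins["4"], wins["6"]

def window_scan_exposure(text):
    """Per OS: 'distinct' (T4/T6 windows never overlap), 'ambiguous' (they share a
    value, e.g. 4000|0 vs 0), 'indistinguishable' (identical) or 'unknown'."""
    verdicts = {}
    for name, t4, t6 in parse_fingerprints(text):
        if t4 is None or t6 is None:
            verdicts[name] = "unknown"
        elif t4 == t6:
            verdicts[name] = "indistinguishable"
        elif t4 & t6:
            verdicts[name] = "ambiguous"
        else:
            verdicts[name] = "distinct"
    return verdicts
```

Running `window_scan_exposure` over a real fingerprint file gives a defender the list of stacks behind a firewall whose open/closed state an ACK-only probe can still reveal, which is the set Lamont's ipfwadm example fails to protect.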