# SCAN OF THE WEEK #1 - 28 May - 3 June
#
# Weekly contest to see who can determine which tool
# was used for this scan.  All signatures were captured
# with snort (http://www.snort.org).
#
# The following signatures are from the wild.  I have received
# repeated scans from this type of tool for the past several
# weeks.  I believe the same tool was used.  Can you name the tool?
#
# Anything on the 172.16.1.x network is a good guy.
# Anything else is a bad guy. :)

#### ANALYSIS - THINGS TO NOTICE:
#### All scans are SRC port 0, SYN and FIN flags set, Ack 0x0 and Win Size 0x200.
#### We know this is NOT nmap; nmap does not use a SYN/FIN combination.
#### Also, the source port of 0 is odd.  Most people set the SRC port to
#### 21 (ftp data), 53 (dns reply), or 80 (http reply) when scanning.
####
#### This may be an hping2 scan; however, the SRC port, DST port and TCP flags
#### would all have to be set manually.  By default, hping2 uses a random high
#### port as the SRC port, uses DST port 0, and sets no TCP flags (a null scan).
####
#### What do you think it is?  Notice anything else odd?
### The snort alerts
Apr 17 06:02:32 lisa snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.101:111
Apr 17 06:02:32 lisa snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.107:111
Apr 17 09:45:28 lisa snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.105:111
Apr 30 02:06:37 lisa snort[5750]: IDS198/SYN FIN Scan: 202.185.32.60:0 -> 172.16.1.101:143
May 3 19:17:53 lisa snort[6862]: IDS198/SYN FIN Scan: 205.242.148.1:0 -> 172.16.1.101:109
May 3 23:33:55 lisa snort[6862]: IDS198/SYN FIN Scan: 210.97.123.3:0 -> 172.16.1.105:109
May 4 04:59:35 lisa snort[7541]: IDS198/SYN FIN Scan: 205.242.148.1:0 -> 172.16.1.101:109
May 26 20:05:46 lisa snort[21867]: IDS198/SYN FIN Scan: 24.3.24.169:0 -> 172.16.1.107:143
May 29 16:07:49 lisa snort[408]: IDS198/SYN FIN Scan: 210.118.8.50:0 -> 172.16.1.107:109
May 29 16:21:51 lisa snort[408]: IDS198/SYN FIN Scan: 210.118.8.50:0 -> 172.16.1.107:109

### The snort signatures

### Scan April 17
04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000   Ack: 0x0   Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919  DF
**S***A* Seq: 0x77BA6506   Ack: 0xCC410001   Win: 0x7FB8
TCP Options => MSS: 536
00 00                                            ..

04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111
TCP TTL:238 TOS:0x0 ID:44926
****R*** Seq: 0xCC410001   Ack: 0x0   Win: 0x0

### Scan Apr 30
04/30-02:06:37.513772 202.185.32.60:0 -> 172.16.1.101:143
TCP TTL:229 TOS:0x0 ID:26496
**SF**** Seq: 0xC8320000   Ack: 0x0   Win: 0x200

04/30-02:06:37.514247 172.16.1.101:143 -> 202.185.32.60:0
TCP TTL:229 TOS:0x0 ID:36463  DF
****R*A* Seq: 0x0   Ack: 0xC8320001   Win: 0x0

### Scan May 3
05/03-23:33:54.898406 210.97.123.3:0 -> 172.16.1.105:109
TCP TTL:228 TOS:0x0 ID:58880
**SF**** Seq: 0x25460000   Ack: 0x0   Win: 0x200

05/03-23:33:54.900884 172.16.1.105:109 -> 210.97.123.3:0
TCP TTL:255 TOS:0x0 ID:6349
****R*A* Seq: 0x0   Ack: 0x25460001   Win: 0x0

### May 4
05/04-04:59:34.800211 205.242.148.1:0 -> 172.16.1.101:109
TCP TTL:232 TOS:0x0 ID:8704
**SF**** Seq: 0x9E210000   Ack: 0x0   Win: 0x200

05/04-04:59:34.800692 172.16.1.101:109 -> 205.242.148.1:0
TCP TTL:232 TOS:0x0 ID:20511  DF
****R*A* Seq: 0x0   Ack: 0x9E210001   Win: 0x0

### May 26
05/26-20:05:45.555197 24.3.24.169:0 -> 172.16.1.107:143
TCP TTL:230 TOS:0x0 ID:2050
**SF**** Seq: 0x9E580000   Ack: 0x0   Win: 0x200

05/26-20:05:45.555596 172.16.1.107:143 -> 24.3.24.169:0
TCP TTL:230 TOS:0x0 ID:58083  DF
****R*A* Seq: 0x0   Ack: 0x9E580001   Win: 0x0

### May 29
05/29-16:07:49.030077 210.118.8.50:0 -> 172.16.1.107:109
TCP TTL:230 TOS:0x0 ID:17412
**SF**** Seq: 0x80C0000   Ack: 0x0   Win: 0x200

05/29-16:07:49.030540 172.16.1.107:109 -> 210.118.8.50:0
TCP TTL:230 TOS:0x0 ID:8265  DF
****R*A* Seq: 0x0   Ack: 0x80C0001   Win: 0x0
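Added example, not part of the original write-up and not a snort tool: a small Python parser for the three-line packet headers snort printed above (timestamp/addresses, "TCP TTL:... TOS:... ID:...", flag field with Seq/Ack/Win) that flags every packet carrying the profile the analysis names: SRC port 0, SYN and FIN set, Ack 0x0, Win 0x200. It also reports whether the low 16 bits of the sequence number are zero, which holds for every probe shown above (0xCC410000, 0xC8320000, 0x25460000, 0x9E210000, 0x9E580000, 0x80C0000). Flag letters are read by presence rather than column, so the check does not depend on the order this snort version prints them in. The sample input is built from packets on this page plus one constructed ordinary SYN that must not match.

```python
import re
from dataclasses import dataclass

# Three-line packet header as printed by the snort version used on this page:
#   MM/DD-HH:MM:SS.usec SRC:SPORT -> DST:DPORT
#   TCP TTL:nnn TOS:0x0 ID:nnnnn [DF]
#   <8-char flag field> Seq: 0x...   Ack: 0x...   Win: 0x...
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
IP_RE = re.compile(r"^TCP\s+TTL:(\d+)\s+TOS:(0x[0-9A-Fa-f]+)\s+ID:(\d+)(?:\s+(DF))?$")
TCP_RE = re.compile(r"^(\S{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)"
                    r"\s+Win:\s*(0x[0-9A-Fa-f]+)$")


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ipid: int
    df: bool
    flags: frozenset   # letters present in the flag field, e.g. {"S", "F"}
    seq: int
    ack: int
    win: int


def parse_snort_packets(text):
    """Return a list of Packet objects; TCP option and hex-dump lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    packets = []
    i = 0
    while i + 2 < len(lines):
        h = HDR_RE.match(lines[i])
        if not h:
            i += 1
            continue
        ip = IP_RE.match(lines[i + 1])
        tcp = TCP_RE.match(lines[i + 2])
        if not (ip and tcp):
            i += 1
            continue
        packets.append(Packet(
            ts=h.group(1), src=h.group(2), sport=int(h.group(3)),
            dst=h.group(4), dport=int(h.group(5)),
            ttl=int(ip.group(1)), ipid=int(ip.group(3)), df=ip.group(4) is not None,
            flags=frozenset(c for c in tcp.group(1) if c.isalpha()),
            seq=int(tcp.group(2), 16), ack=int(tcp.group(3), 16), win=int(tcp.group(4), 16),
        ))
        i += 3
    return packets


def matches_synfin_profile(p):
    """The profile named in the analysis: SRC port 0, SYN+FIN, Ack 0x0, Win 0x200."""
    return p.sport == 0 and {"S", "F"} <= p.flags and p.ack == 0 and p.win == 0x200


def fingerprint(text):
    """One record per matching probe, plus the low-16-bits-of-Seq observation."""
    return [
        {
            "ts": p.ts, "src": p.src, "dst": p.dst, "dport": p.dport, "ttl": p.ttl,
            # True for every probe on the page; reported so the reader can check it.
            "seq_low16_zero": (p.seq & 0xFFFF) == 0,
        }
        for p in parse_snort_packets(text)
        if matches_synfin_profile(p)
    ]


# Constructed sample: two probes and one reply copied from the page, followed by
# one ordinary SYN (not from the page) that must not match the profile.
SAMPLE = """\
04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000   Ack: 0x0   Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919  DF
**S***A* Seq: 0x77BA6506   Ack: 0xCC410001   Win: 0x7FB8
TCP Options => MSS: 536
00 00                                            ..

05/29-16:07:49.030077 210.118.8.50:0 -> 172.16.1.107:109
TCP TTL:230 TOS:0x0 ID:17412
**SF**** Seq: 0x80C0000   Ack: 0x0   Win: 0x200

06/01-12:00:00.000000 10.0.0.5:40123 -> 172.16.1.101:22
TCP TTL:64 TOS:0x0 ID:1  DF
**S***** Seq: 0x1A2B3C4D   Ack: 0x0   Win: 0x4000
"""

if __name__ == "__main__":
    for rec in fingerprint(SAMPLE):
        print(rec)
```

Feed the parser the raw text of the signatures section (for instance, the block above saved to a file) and every probe is listed while the SYN/ACK, RST and RST/ACK replies from the 172.16.1.x hosts are left out; the replies never have source port 0 and never carry both S and F.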