#
# SCAN OF THE WEEK #3 - 26 to 30 June
#
# Weekly contest to see who can determine which tool
# was used for this scan. Signatures captured here
# using tcpdump.
#
# The following signature is generated in the lab. Recently a
# new scanning option has been released; can you guess what it is?
#

SCAN:
-----
tcpdump -vv host 192.168.1.10

17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)

tcpdump -vv -x host 192.168.1.10

17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)
                         4500 0014 a44c 0000 3b82 57b8 c0a8 010a
                         c0a8 0109 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000

ANSWER
------
So far half of the question has been answered. It has been identified that
the tool used was the latest version of nmap, run with the -sO option (the IP
protocol scan). The signature is visible in the capture above: every probe is
a bare 20-byte IP header with no payload (tcpdump prints the payload length
as 0, and the hex dump shows a total length of 0x0014 with protocol byte 0x82,
i.e. 130), sent once per IP protocol number with a varying IP ID. nmap reports
a protocol as closed when the target answers with an ICMP protocol unreachable
message, and as open when no reply comes back, so a host behind a filter that
silently drops the probes will appear to have every protocol open (newer nmap
versions label that state open|filtered for this reason).

But what information does this tell us? The answer gives us which IP protocols
the system is using. Here are the results of such a scan. Below you see that
the system 'mozart' is listening on 4 IP protocols. Unix users can see examples
of IP protocols in the file /etc/protocols.

marge #nmap -sO -T Aggressive mozart

Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting protocols on mozart.example.net (192.168.1.100):
(The 250 protocols scanned but not shown below are in state: closed)
Protocol   State    Name
1          open     icmp
2          open     igmp
6          open     tcp
17         open     udp

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
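As an added example (not part of the original page and not nmap's own code), the following Python decodes the hex dump above into its IPv4 header fields, verifies the header checksum, and applies a simple heuristic to the tcpdump lines: a source that sends payload-less IP packets carrying several distinct protocol numbers within a short window is flagged as an nmap -sO style protocol scan. The sample lines are the page's own capture plus one constructed GRE packet (from 192.168.1.50, carrying 64 bytes of payload) that must not be flagged; that packet and the thresholds (three protocols within two seconds) are assumptions chosen for illustration.

```python
import re
import struct
from collections import defaultdict
from typing import Dict, List, Optional

# Shape of a "tcpdump -vv" line as printed on the page, e.g.
#   17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+[<>]\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s+"
    r"ip-proto-(?P<proto>\d+)\s+(?P<plen>\d+)\s+"
    r"\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+)\)"
)

# Names from /etc/protocols for the numbers the page's nmap run reports as open.
PROTOCOL_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump line, or None if it is not an ip-proto line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hh, mm, ss = m.group("ts").split(":")
    return {
        "t": int(hh) * 3600 + int(mm) * 60 + float(ss),  # seconds since midnight
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": int(m.group("proto")),
        "payload_len": int(m.group("plen")),
        "ttl": int(m.group("ttl")),
        "id": int(m.group("id")),
    }


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words.
    Returns 0 when run over a header whose stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(hexdump: str) -> dict:
    """Decode the IPv4 header at the start of a 'tcpdump -x' hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    vihl, _tos, tlen, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20]
    )
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4,
        "header_len": ihl,
        "total_length": tlen,
        "payload_len": tlen - ihl,  # 0 for an nmap -sO probe: header only
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
    }


def detect_protocol_scans(lines: List[str], min_protocols: int = 3,
                          window: float = 2.0) -> Dict[str, List[int]]:
    """Flag sources sending payload-less packets with at least min_protocols
    distinct IP protocol numbers inside `window` seconds (thresholds assumed)."""
    by_src = defaultdict(list)
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is None or p["payload_len"] != 0:  # real GRE/ESP/... traffic carries data
            continue
        by_src[p["src"]].append(p)
    hits = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["t"])
        for i, first in enumerate(pkts):
            protos = {p["proto"] for p in pkts[i:] if p["t"] - first["t"] <= window}
            if len(protos) >= min_protocols:
                hits[src] = sorted(protos)
                break
    return hits


# Sample input: the probes and hex dump from the page's capture, plus one
# constructed GRE packet with 64 bytes of payload from 192.168.1.50 (assumption).
SAMPLE_LINES = [
    "17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)",
    "17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)",
    "17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)",
    "17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)",
    "17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)",
    "17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)",
    "17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)",
    "17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)",
    "17:35:10.000000 eth0 < 192.168.1.50 > victim: ip-proto-47 64 (ttl 64, id 1)",
]
PAGE_HEX = ("4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 "
            "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000")

if __name__ == "__main__":
    hdr = parse_ip_header(PAGE_HEX)
    print("probe: %s -> %s proto %d ttl %d id %d payload %d checksum_ok=%s" % (
        hdr["src"], hdr["dst"], hdr["protocol"], hdr["ttl"], hdr["id"],
        hdr["payload_len"], hdr["checksum_ok"]))
    for src, protos in detect_protocol_scans(SAMPLE_LINES).items():
        names = [PROTOCOL_NAMES.get(n, "ip-proto-%d" % n) for n in protos]
        print("protocol scan from %s: %s" % (src, ", ".join(names)))
```

Run as a script, the header decodes to 192.168.1.10 -> 192.168.1.9, protocol 130, TTL 59, IP ID 42060, total length 20 with a valid checksum, which matches the tcpdump summary line byte for byte; only 192.168.1.1 is flagged, since 192.168.1.10 sent a single protocol number in the capture and the constructed GRE packet carries data. The payload-length filter is what keeps legitimate tunnel or IPsec traffic out of the alert; on a busy sensor you would also want to count distinct protocol numbers per source and destination pair rather than per source alone.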