Recently (not that recent maa) we received this kind of alert, which triggered some discussion between us.

[**] [1:2000538:5] ET SCAN NMAP -sA (1) [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/10-13:59:00.891305 192.168.4.20:80 -> 192.168.4.127:256
TCP TTL:44 TOS:0x0 ID:56012 IpLen:20 DgmLen:40
***A**** Seq: 0x11BBA413 Ack: 0x5A5D56A9 Win: 0x400 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS162]

There were 250 of the same alert triggered, which triggers my curiosity as well (and also means that I require your inputs as well).

Here is the rule that triggers the alert:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:5;)

Anyway, as we don't have the benefit of looking into the actual traffic, what I can do is try to guess or simulate the traffic that may trigger the alerts.

So the main issue is: while the alerts show that 192.168.4.20 is performing nmap -sA scanning against 192.168.4.127 from port 80, some of my colleagues did tell me that it's the other way around.

Meaning that actually 192.168.4.20 is responding to a request from 192.168.4.127. I tried a few times to craft a request that may trigger the response which triggers the alerts.

So if any of you can help me craft a request that can produce this kind of response:

13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072
13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024
13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072
13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024
13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096
13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024
13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072
13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072

I am more than glad and grateful to receive/read/listen to your views/opinions/advice.

Anyway, here is the simulation that I tried and a simple analysis of it: anal1.pdf
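The "scan or reply?" question can be settled from the packets themselves rather than by crafting a request. The script below is an added example written for this post, not code from the original poster or from Emerging Threats. It parses the tcpdump one-liners quoted above (embedded as sample input), replays the conditions of SID 2000538 that are visible in a tcpdump line (`flags: A,12` is tcpdump's bare `.`, `dsize: 0` is the absence of a `a:b(len)` segment, `window: 1024`, and `fragbits: !D` is the absence of a `(DF)` suffix), and then summarises the traffic shape. The assumptions are: the old-style tcpdump output format used in the post, and the set `{1024, 2048, 3072, 4096}` as the window values nmap's raw probes pick from (an assumption stated in the code, not something the post says). A host that is genuinely replying would show an earlier packet in the opposite direction on the same 4-tuple, would answer a SYN with SYN/ACK and an unsolicited segment with RST, and would use its own stable window; a single (source IP, source port) pair fanning out bare ACKs to seven different destination ports with windows cycling through that set is the shape of an ACK scan, and the `window: 1024` condition also explains why only some of the probes produce alerts.

```python
"""Replay the matching logic of ET SID 2000538 (ET SCAN NMAP -sA) over tcpdump
one-liners and summarise the traffic shape, so the "is 192.168.4.20 scanning or
replying?" question can be answered from the packets."""
import re
from collections import Counter

# Sample input: the tcpdump lines quoted in the post, embedded verbatim.
SAMPLE_TCPDUMP = """\
13:59:00.892083 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 1817132945 win 3072
13:59:01.992738 IP 192.168.4.20.80 > 192.168.4.127.53: . ack 3666296980 win 1024
13:59:01.993247 IP 192.168.4.20.80 > 192.168.4.127.80: . ack 3322425882 win 3072
13:59:01.993654 IP 192.168.4.20.80 > 192.168.4.127.554: . ack 3954598287 win 1024
13:59:01.994093 IP 192.168.4.20.80 > 192.168.4.127.389: . ack 1397273947 win 4096
13:59:01.994193 IP 192.168.4.20.80 > 192.168.4.127.256: . ack 3032925021 win 1024
13:59:01.994658 IP 192.168.4.20.80 > 192.168.4.127.443: . ack 3616913710 win 3072
13:59:01.995096 IP 192.168.4.20.80 > 192.168.4.127.21: . ack 3566764576 win 3072
"""

# Old-style tcpdump TCP summary line:
# "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> [a:b(len)] [ack N] win W [<opts>] [(DF)]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[.SFRPUWE]+)(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? "
    r"win (?P<win>\d+)(?: <[^>]*>)?(?P<df> \(DF\))?"
)

# Assumption (not from the post): window sizes nmap's raw TCP probes pick from.
# The ET rule only matches the 1024 case, so only a subset of probes alert.
NMAP_PROBE_WINDOWS = {1024, 2048, 3072, 4096}


def parse_tcpdump(text):
    """Parse tcpdump one-liners into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "ts": g["ts"], "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"],
            "dsize": int(g["len"]) if g["len"] else 0,   # no a:b(len) => no payload
            "ack": int(g["ack"]) if g["ack"] else None,
            "win": int(g["win"]), "df": g["df"] is not None,
        })
    return pkts


def matches_nmap_sa_rule(p):
    """Conditions of SID 2000538 that a tcpdump line exposes: flags A,12 (only ACK
    set, reserved bits ignored) is tcpdump's '.', dsize 0, window 1024, DF clear."""
    return (p["flags"] == "." and p["ack"] is not None and p["dsize"] == 0
            and p["win"] == 1024 and not p["df"])


def has_prior_reverse_packet(pkts, i):
    """True if packet i could be a reply: an earlier packet in the capture travelled
    the opposite way on the same 4-tuple. If 192.168.4.20 were answering
    192.168.4.127, those earlier packets would be here."""
    p = pkts[i]
    return any(q["src"] == p["dst"] and q["sport"] == p["dport"]
               and q["dst"] == p["src"] and q["dport"] == p["sport"]
               for q in pkts[:i])


def triage(pkts):
    """Summarise who sends what to whom and decide whether it looks like a scan."""
    hits = [p for p in pkts if matches_nmap_sa_rule(p)]
    senders = Counter((p["src"], p["sport"]) for p in pkts)
    dports = sorted({p["dport"] for p in pkts})
    windows = sorted({p["win"] for p in pkts})
    bare_acks = all(p["flags"] == "." and p["dsize"] == 0 for p in pkts)
    replies = sum(has_prior_reverse_packet(pkts, i) for i in range(len(pkts)))
    fan_out = len(senders) == 1 and len(dports) > 1   # one sender, many target ports
    scan_like = (fan_out and bare_acks and replies == 0
                 and set(windows) <= NMAP_PROBE_WINDOWS)
    return {
        "packets": len(pkts),
        "rule_hits": len(hits),
        "alerted_dports": [p["dport"] for p in hits],
        "senders": dict(senders),
        "dst_ports": dports,
        "windows": windows,
        "packets_with_prior_reverse_traffic": replies,
        "verdict": "scan-like" if scan_like else "inconclusive",
    }


if __name__ == "__main__":
    for key, value in triage(parse_tcpdump(SAMPLE_TCPDUMP)).items():
        print(f"{key:36} {value}")
```

Running it on the eight lines above reports one sender (192.168.4.20:80) fanning out to seven destination ports, windows 1024/3072/4096, no earlier traffic in the reverse direction, and only three of the eight packets (the `win 1024` ones to ports 53, 554 and 256) satisfying the rule, which is consistent with the alert count being far lower than the number of probes actually sent. To use it on your own capture, replace `SAMPLE_TCPDUMP` with the output of `tcpdump -n` for both directions of traffic between the two hosts; if the reverse-direction packets your colleague expects exist, `packets_with_prior_reverse_traffic` will be non-zero.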