On Mon, 04 Apr 2005 16:54:44 EDT, Harry Hoffman said:

> So, we are looking to determine all servers running in our IP space and 
> then grab any banners that we may find. We currently have a way to do 
> this for TCP where we look for the Syn/Ack bits set and the src networks 
> to be ours:
> tcpdump -i eth0 -w file.dmp 'tcp[13] == 18' and src net '( 192.168.1 or 
> 192.168.2 )'

I'm presuming that you're doing sane ingress filtering at your border router,
so spoofed packets from outside *stay* outside. :)

Also, note that this will do Funky Stuff with some FTP variants (consider the
"active/passive" flags), and things like IRC DCC and many other peer-to-peer
transfers - these can all result in an outbound syn+ack but not really count as
a "server" (in fact, RFC793 doesn't even *mention* "server", other than to
comment that it may make sense for well-known services to open a listen() on a
well-known port so other systems can find it more easily).  As a result,
you'll often end up scanning an ephemeral port that's no longer open, unless
you 'tcpdump -s (more than 68)' and apply some heuristics to filter out all
the syn+ack for ephemeral usages....

To really make your brain hurt, consider this text from RFC793:

  Simultaneous initiation is only slightly more complex, as is shown in
  figure 8.  Each TCP cycles from CLOSED to SYN-SENT to SYN-RECEIVED to
      TCP A                                            TCP B
  1.  CLOSED                                           CLOSED
  2.  SYN-SENT     --> <SEQ=100><CTL=SYN>              ...

  3.  SYN-RECEIVED <-- <SEQ=300><CTL=SYN>              <-- SYN-SENT

  4.               ... <SEQ=100><CTL=SYN>              --> SYN-RECEIVED

  5.  SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ... 


  7.               ... <SEQ=101><ACK=301><CTL=ACK>     --> ESTABLISHED

                Simultaneous Connection Synchronization 

                               Figure 8.

(http://www.ietf.org/rfcs/rfc793.txt - down on page 32).  Yes, this is
totally legal....
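The survey and its two pitfalls (ephemeral-port SYN+ACKs from FTP/DCC-style transfers, and the RFC 793 simultaneous open) can be seen side by side in the following added example. It is not part of the original thread: it re-implements the quoted filter, `tcp[13] == 18` restricted to the 192.168.1/2 source nets, over constructed IPv4/TCP packets, then applies two defensive heuristics. Port 32768 as the start of the ephemeral range is an assumption (the Linux default); the sample packets and their addresses are constructed for the demonstration.

```python
"""
Re-implementation of the quoted tcpdump filter
  'tcp[13] == 18' and src net '( 192.168.1 or 192.168.2 )'
with heuristics for the false positives mentioned in the reply.
Added example; packets below are constructed, not captured.
"""
import ipaddress
import struct

# Flag bits of TCP header byte 13 (what tcpdump addresses as tcp[13]).
SYN = 0x02
ACK = 0x10          # SYN | ACK == 0x12 == 18

# Our address space, as in the quoted filter.
OUR_NETS = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("192.168.2.0/24")]

# Assumption: ports at or above this are ephemeral (Linux default range start).
EPHEMERAL_START = 32768


def build_packet(src, dst, sport, dport, flags, seq=100, ack=0):
    """Build a bare IPv4 + TCP packet (no options, checksums zeroed). Constructed input only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(pkt):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, or None if not TCP."""
    if pkt[9] != 6:                      # IP protocol field: 6 == TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                      # the same byte tcpdump calls tcp[13]
    return src, dst, sport, dport, flags


def is_ours(addr):
    return any(addr in net for net in OUR_NETS)


def survey(packets):
    """
    Apply the quoted filter and label each matching (src, sport):
      'listener'          - SYN+ACK from a non-ephemeral port on one of our hosts
      'ephemeral'         - SYN+ACK from an ephemeral port (FTP data, DCC, P2P style)
      'simultaneous-open' - our host already sent a bare SYN on the same 4-tuple,
                            so the SYN+ACK is the RFC 793 figure 8 case, not a listen()
    """
    outbound_syns = set()
    results = {}
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if not is_ours(src):
            continue                     # 'src net' clause: outside hosts ignored
        if flags == SYN:                 # remember our own connection attempts
            outbound_syns.add((src, sport, dst, dport))
            continue
        if flags != SYN | ACK:           # 'tcp[13] == 18'
            continue
        if (src, sport, dst, dport) in outbound_syns:
            label = "simultaneous-open"
        elif sport >= EPHEMERAL_START:
            label = "ephemeral"
        else:
            label = "listener"
        results[(str(src), sport)] = label
    return results


# Constructed sample traffic.
SAMPLE = [
    # An SSH daemon on our net answering an outside client: a real listener.
    build_packet("192.168.1.10", "10.0.0.5", 22, 51234, SYN | ACK),
    # Active-mode FTP data: the outside server connected to our client's ephemeral port.
    build_packet("192.168.2.20", "10.0.0.5", 40123, 20, SYN | ACK),
    # Outside web server answering us: wrong direction, must not be counted.
    build_packet("10.0.0.5", "192.168.1.10", 80, 51000, SYN | ACK),
    # Simultaneous open on port 6000: our SYN, their SYN, then our SYN+ACK.
    build_packet("192.168.1.30", "10.0.0.7", 6000, 6000, SYN),
    build_packet("10.0.0.7", "192.168.1.30", 6000, 6000, SYN),
    build_packet("192.168.1.30", "10.0.0.7", 6000, 6000, SYN | ACK, ack=301),
]

if __name__ == "__main__":
    for (host, port), label in sorted(survey(SAMPLE).items()):
        print(f"{host}:{port:<6} {label}")
```

Two things worth noting when running this against a real capture: the exact comparison `tcp[13] == 18` silently misses SYN+ACKs that also carry the ECN bits (ECE/CWR), so a mask such as `tcp[13] & 0x12 == 0x12` is the more robust form of the same filter; and the simultaneous-open heuristic only works if the capture also contains our host's outbound bare SYN, which the original filter discards, so a survey that wants to apply it has to capture both flag patterns.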
