bsdjunkie
May 16th, 2003, 17:46
1) What is happening in the following trace?
2) What type of scan or attack is this?
3) What is the significance of the Flags? Describe what is going on...


15:54:55.747726 10.3.4.221.63198 > 10.3.4.181.ssh: S 4294309945:4294309945(0) win 2048
15:54:55.747743 10.3.4.221.63198 > 10.3.4.181.auth: S 4294309945:4294309945(0) win 2048
15:54:55.747771 10.3.4.221.63198 > 10.3.4.181.https: S 4294309945:4294309945(0) win 2048
15:54:55.747783 10.3.4.221.63198 > 10.3.4.181.ftp: S 4294309945:4294309945(0) win 2048
15:54:55.747807 10.3.4.221.63198 > 10.3.4.181.telnet: S 4294309945:4294309945(0) win 2048
15:54:55.747835 10.3.4.221.63198 > 10.3.4.181.shell: S 4294309945:4294309945(0) win 2048
15:54:55.747883 10.3.4.221.63198 > 10.3.4.181.www: S 4294309945:4294309945(0) win 2048
15:54:55.747894 10.3.4.221.63198 > 10.3.4.181.netbios-ssn: S 4294309945:4294309945(0) win 2048
15:54:55.747939 10.3.4.181.ssh > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.747948 10.3.4.181.auth > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.747957 10.3.4.181.https > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.747985 10.3.4.181.ftp > 10.3.4.221.63198: S 229964951:229964951(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.748002 10.3.4.181.telnet > 10.3.4.221.63198: S 230013656:230013656(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.748005 10.3.4.181.shell > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.748037 10.3.4.181.136 > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.748040 10.3.4.181.www > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.748047 10.3.4.181.netbios-ssn > 10.3.4.221.63198: S 230064928:230064928(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.748082 10.3.4.221.63198 > 10.3.4.181.ftp: R 4294309946:4294309946(0) win 0 (DF)
15:54:55.748087 10.3.4.221.63198 > 10.3.4.181.telnet: R 4294309946:4294309946(0) win 0 (DF)
15:54:55.748096 10.3.4.221.63198 > 10.3.4.181.netbios-ssn: R 4294309946:4294309946(0) win 0 (DF)
15:54:55.761376 10.3.4.221.63198 > 10.3.4.181.ftp-data: S 4294309945:4294309945(0) win 2048
15:54:55.761408 10.3.4.221.63198 > 10.3.4.181.445: S 4294309945:4294309945(0) win 2048
15:54:55.761420 10.3.4.221.63198 > 10.3.4.181.netbios-ns: S 4294309945:4294309945(0) win 2048
15:54:55.761589 10.3.4.181.ftp-data > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.761643 10.3.4.181.445 > 10.3.4.221.63198: S 230165599:230165599(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.761650 10.3.4.181.netbios-ns > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.761671 10.3.4.221.63198 > 10.3.4.181.445: R 4294309946:4294309946(0) win 0 (DF)
15:54:56.839207 10.3.4.181.netbios-ns > 10.3.4.221.netbios-ns: udp 50
15:54:56.839264 10.3.4.221 > 10.3.4.181: icmp: 10.3.4.221 udp port netbios-ns unreachable

Kernel_Killer
May 16th, 2003, 18:17
SYNs, RESETs, and acknowledgements right?

Looks like the ACKs are going to the same IP and port. I almost want to say an Idle Scan, but then again I think it's an ICMP request like a Smurf would do.

It was worth a shot. :roll:

SolarfluX
May 17th, 2003, 17:53
<SolarfluX> it just looks like your basic stealth probe

SolarfluX
May 17th, 2003, 18:11
To elaborate a bit, it looks like a Win2K Server box is the target, due to the ports that are open (S/A response to the scan): 21, 23, but most of all 445. Also, I'm pretty sure Win2K uses an MTU of 1460 and the window size (64512) looks typical of Win2K. The R flags from the target in response to the other scanned ports indicate that no service is running. The scanner responds to the target's S/A with an R to avoid completing the handshake, which prevents detection.
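One way to turn that reading of the trace into a check, as an added example that is not code from the thread: parse the tcpdump lines, mark a port open on an S/A reply and closed on an R reply, and flag the open ports where the scanner answered the S/A with an R instead of completing the handshake. The sample inside is constructed from a few of the lines posted above.

```python
import re

# Constructed sample: a few lines excerpted from the trace posted in the thread
TRACE = """\
15:54:55.747726 10.3.4.221.63198 > 10.3.4.181.ssh: S 4294309945:4294309945(0) win 2048
15:54:55.747783 10.3.4.221.63198 > 10.3.4.181.ftp: S 4294309945:4294309945(0) win 2048
15:54:55.747939 10.3.4.181.ssh > 10.3.4.221.63198: R 0:0(0) ack 4294309946 win 0
15:54:55.747985 10.3.4.181.ftp > 10.3.4.221.63198: S 229964951:229964951(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.748082 10.3.4.221.63198 > 10.3.4.181.ftp: R 4294309946:4294309946(0) win 0 (DF)
15:54:55.761408 10.3.4.221.63198 > 10.3.4.181.445: S 4294309945:4294309945(0) win 2048
15:54:55.761643 10.3.4.181.445 > 10.3.4.221.63198: S 230165599:230165599(0) ack 4294309946 win 64512 <mss 1460> (DF)
15:54:55.761671 10.3.4.221.63198 > 10.3.4.181.445: R 4294309946:4294309946(0) win 0 (DF)
15:54:56.839207 10.3.4.181.netbios-ns > 10.3.4.221.netbios-ns: udp 50
"""

# tcpdump 3.x TCP line: time src.port > dst.port: FLAGS seq:seq(len) [ack N] win W ...
TCP_RE = re.compile(
    r"^\S+ (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+): (?P<flags>[SRFP.]+) "
    r"\d+:\d+\(\d+\)(?P<ack> ack \d+)? win \d+"
)

def analyze(trace: str) -> dict:
    probes = {}                # (scanner, target, port) -> "open" | "closed" | "no reply"
    completed, reset = set(), set()
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue           # UDP, ICMP and other non-TCP lines are not probes
        f = m.groupdict()
        flags, acked = f["flags"], f["ack"] is not None
        sent = (f["src"], f["dst"], f["dport"])    # packet seen from the scanner side
        reply = (f["dst"], f["src"], f["sport"])   # packet seen from the target side
        if flags == "S" and not acked:
            probes.setdefault(sent, "no reply")    # bare SYN: a new probe
        elif reply in probes and flags == "S" and acked:
            probes[reply] = "open"                 # S/A: something is listening
        elif reply in probes and flags == "R":
            probes[reply] = "closed"               # R/A from target: no service there
        elif sent in probes and flags == ".":
            completed.add(sent)                    # third ACK: a full connect, not stealth
        elif sent in probes and flags == "R":
            reset.add(sent)                        # scanner tears the half-open handshake down
    def ports(state):
        return sorted(p for (_, _, p), st in probes.items() if st == state)
    half_open = sorted(k[2] for k, st in probes.items()
                       if st == "open" and k in reset and k not in completed)
    return {"open": ports("open"), "closed": ports("closed"),
            "half_open": half_open, "probes": len(probes)}
```

A target port that appears in "open" and "half_open" at once is the signature described in the post: a listener answered, and the prober reset rather than connecting.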

bsdjunkie
May 17th, 2003, 21:39
Solarflux has it right. :D

tarballed
May 18th, 2003, 18:22
Hmm..very cool.

I hope one of those books has a nice breakdown of how to read those logs. I remember bsdjunkie posted a quick one on how to break it down, but I don't recall.

Good stuff....definitely lets me know I need to learn more. :)

Tarballed