Thread: STEALTH ACTIVITY (SYN FIN scan) ???

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    185

    STEALTH ACTIVITY (SYN FIN scan) ???

    uh, i'm such a noob.
    something was reported on my IDS(snort).

    1 instances of (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection

    it is coming from port 21 and going to port 21 on my machine

    would someone please tell me what the hell it is?
    something like ftp bounce attack??

    thx in advance

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Someone is probably running something to the effect of

    nmap -sF -g21 <your_ip>

    The first thing that you should notice is wrong is that the source port was the same as the port it was connecting to on your machine. There are very few protocols that function in this way and FTP is not one of them.

    The second thing that was wrong is that your IDS saw no initial connection (syn), but saw the request come in from the person using a SYN-FIN flag (connection request with a finish request, which obviously doesn't make sense).

    It is nothing other than a plain vanilla syn-fin port scan.

    If you need me to explain a ftp bounce attack I can do so...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
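
    The two tells nebulus lists above (SYN and FIN set in one segment, and a source port equal to the destination port) are both visible in the TCP header alone, so they can be checked statelessly, which is roughly what Snort's stream4 preprocessor does before it has any connection state. The following is an added example written for this thread, not Snort's code and not anything posted by the participants: it builds a few constructed IPv4/TCP packets (checksums left at zero, addresses from the documentation ranges), parses the header fields back out, and labels the flag combinations the way the alerts in this thread and the nmap man page name them.

```python
import struct
from dataclasses import dataclass

# TCP flag bits in the flags byte of the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4 + TCP header pair for testing (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 words, no options, window 8192, checksum and urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> TcpSegment:
    """Pull addresses, ports and the flags byte out of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return TcpSegment(src, dst, sport, dport, tcp[13])


def classify(seg: TcpSegment) -> list[str]:
    """Stateless checks in the spirit of the stream4 'STEALTH ACTIVITY' alerts."""
    f = seg.flags & (FIN | SYN | RST | PSH | ACK | URG)
    alerts = []
    if f & SYN and f & FIN:
        alerts.append("SYN FIN scan")        # open and close requested in one segment
    elif f == 0:
        alerts.append("NULL scan")           # no flags at all (nmap -sN)
    elif f == FIN | PSH | URG:
        alerts.append("XMAS scan")           # the nmap -sX flag combination
    elif f == FIN:
        alerts.append("bare FIN probe")      # FIN without ACK never occurs in a real session
    if seg.sport == seg.dport and seg.sport < 1024:
        # the "-g21" trick from the post: a well-known port used as the source port
        alerts.append("source port equals destination port")
    return alerts


def scan(packets: list[bytes]) -> list[tuple[TcpSegment, list[str]]]:
    """Classify every packet; returns (parsed segment, alert labels) pairs."""
    return [(seg, classify(seg)) for seg in map(parse_ipv4_tcp, packets)]


# Constructed sample traffic: the thread's 21 -> 21 SYN-FIN probe, a normal client SYN,
# a NULL probe and an Xmas probe. Addresses are documentation ranges, not real hosts.
SAMPLE = [
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 21, 21, SYN | FIN),
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 43210, 21, SYN),
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 43211, 22, 0),
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 43212, 80, FIN | PSH | URG),
]

if __name__ == "__main__":
    for seg, alerts in scan(SAMPLE):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"flags=0x{seg.flags:02x} {alerts}")
```

    A stateful firewall or IDS gets the same result more simply: a segment with SYN and FIN set, or a bare FIN for a four-tuple it has never seen a handshake for, is out of state and can be dropped without looking at the port numbers at all.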

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    i asked for the ftp bounce attack 'cos there is something in my ftp server parameters
    where i can disable server-server connections with the comment "e.g. ftp bounce attack"
    if you would explain...
    on disabling that would it block such scans (on ftp) ?
    ..and what's the thinking behind doing a syn-fin port-scan?
    i was wondering 'cos the scanner uses redhat 9 like me, is there any exploit related to redhat and ftp-servers ?

    (sry for my bad english ,sometimes i don't get the right words...)
    Industry Kills Music.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    An FTP bounce attack is where you use the FTP server to do the port scanning for you.

    Because FTP is a unique protocol (you have a control port and a data port, assuming you allow active connections, with the client connecting to the server on the control port and the SERVER opening up the data port back to actually send the file), you can actually abuse how it was meant to work by connecting to the FTP server, then issuing a special command that instructs the FTP server to connect to an IP different from your own on a different port. You will then get a nice message back from the FTP server reporting if the port was open.

    Why would you want to do that? Say you are able to FTP into a network that is protected by a firewall (and it isn't a very good firewall and hence allows this kind of activity). If you wanted to scan things behind that firewall (and potentially mask who you are as well as potentially bypass the firewall rules), you could connect to the FTP server and then send PORT requests to the FTP server to hit whatever IP/port you are interested in. It used to be a pretty stealthy way to scan; however, most, if not all, IDS systems pick this up quite easily now.

    Here is a starting place to read about it: http://xforce.iss.net/xforce/xfdb/199

    Now as far as the syn-fin scan goes, there really isn't that much you can do to stop it aside from making sure you are behind a stateful firewall (it will deny this since a syn-fin would be out of state).

    Here is the man entry for nmap which indicates why you might want to run one:

    -sF -sX -sN
    Stealth FIN, Xmas Tree, or Null scan modes: There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like Synlogger and Courtney are available to detect these scans. These advanced scans, on the other hand, may be able to pass through unmolested.

    The idea is that closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question (see RFC 793 pp 64). The FIN scan uses a bare (surprise) FIN packet as the probe, while the Xmas tree scan turns on the FIN, URG, and PUSH flags. The Null scan turns off all flags. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows95/NT. On the positive side, this is a good way to distinguish between the two platforms. If the scan finds open ports, you know the machine is not a Windows box. If a -sF, -sX, or -sN scan shows all ports closed, yet a SYN (-sS) scan shows ports being opened, you are probably looking at a Windows box. This is less useful now that nmap has proper OS detection built in. There are also a few other systems that are broken in the same way Windows is. They include Cisco, BSDI, HP/UX, MVS, and IRIX. All of the above send resets from the open ports when they should just drop the packet.
    /nebulus
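
    The "disable server-server connections" option stanger found in post #3 and the PORT abuse nebulus describes above are two sides of the same check: an FTP server stops being usable as a scanner once it refuses PORT commands that name an address other than the control connection's peer, or a privileged port. The following is an added example for this thread, not ProFTPD's code and not anything the posters wrote: it parses the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2) and applies that server-side policy to a constructed control-session transcript. The reply strings and the 1024 port floor are choices made for this example.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2": four address octets, then the port as two bytes (RFC 959)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_argument(line: str) -> tuple[ipaddress.IPv4Address, int]:
    """Decode the address and port a client asks the server to connect back to."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("syntax error in PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PORT byte out of range")
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    port = octets[4] * 256 + octets[5]
    return ip, port


def check_port_command(line: str, control_peer: str,
                       allow_third_party: bool = False,
                       min_port: int = 1024) -> tuple[bool, str]:
    """Decide whether to honour a PORT command; returns (accepted, FTP reply line).

    allow_third_party=False is the equivalent of the "disable server-server
    connections" setting: the data connection may only go back to the peer
    that opened the control connection. Reply texts are constructed here.
    """
    try:
        ip, port = parse_port_argument(line)
    except ValueError as exc:
        return False, f"501 {exc}"
    if port < min_port:
        # a bounce scan aims the data connection at service ports; refuse them outright
        return False, f"500 Illegal PORT command: port {port} is below {min_port}"
    if not allow_third_party and ip != ipaddress.IPv4Address(control_peer):
        return False, (f"500 Illegal PORT command: {ip} is not the control "
                       f"connection peer {control_peer}")
    return True, f"200 PORT command successful ({ip}:{port})"


# Constructed control-connection transcript from a client at 198.51.100.7
# (documentation address). Each line is what a server would see after login.
SESSION = [
    "PORT 198,51,100,7,4,1",      # client's own address, port 1025: normal active-mode transfer
    "PORT 192,168,1,20,0,22",     # third-party host, port 22: the bounce-scan pattern
    "PORT 192,168,1,20,4,0",      # third-party host, port 1024: still not the peer
    "PORT 300,1,1,1,4,1",         # malformed octet
]


def run_session(lines, control_peer: str = "198.51.100.7"):
    """Evaluate every PORT line of a session against the policy above."""
    return [check_port_command(line, control_peer) for line in lines]


if __name__ == "__main__":
    for line, (ok, reply) in zip(SESSION, run_session(SESSION)):
        print(f"{line:<26} -> {reply}")
```

    Run as a script it prints one reply per transcript line; only the first PORT is accepted. Note that this check is about the PORT command on the control channel, so it does nothing against the SYN-FIN probe that started the thread: as nebulus says, that one is handled by a stateful firewall, not by the FTP daemon.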

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Re: STEALTH ACTIVITY (SYN FIN scan) ???

    Originally posted here by stanger

    something like ftp bounce attack??
    No. If it was an FTP bounce attack, it would be coming from port 20 (or perhaps a high port number). But not 21.

    Slarty

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    BIG BIG thx. going to read now.

    greetz, stanger

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Originally posted here by stanger

    i was wondering 'cos the scanner uses redhat 9 like me, is there any exploit related to redhat and ftp-servers ?
    i guess it has been related to
    proftpd-standalone 1.2.8p-1 ProFTP server security fix

    cya...