#
# SCAN OF THE WEEK #3 - 26 to 30 June
#
# Weekly contest to see who can determine which tool
# was used for this scan.  Signatures captured here
# using tcpdump.
#
# The following signature was generated in the lab.  Recently a
# new scanning option was released; can you guess what it is?
#

SCAN:
-----
tcpdump -vv host 192.168.1.10

17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)

tcpdump -vv -x host 192.168.1.10

17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)
                        4500 0014 a44c 0000 3b82 57b8 c0a8 010a
                        c0a8 0109 0000 0000 0000 0000 0000 0000
                        0000 0000 0000 0000 0000 0000 0000


ANSWER
-------
So far half of the question has been answered.  It has been identified that
the tool used was the latest version of nmap (2.54BETA1 at the time), run with
the -sO option, the IP protocol scan.  But what information does this scan
give us?

The answer is which IP protocols the target responds to.  nmap -sO sends a
bare IP header with the protocol field set to each number in turn and no
transport header or payload on top of it.  That is the signature in the
capture above: tcpdump reports ip-proto-NNN with a data length of 0, the
protocol numbers (117, 25, 162, 74, 130) and IP ids are random, and the hex
dump shows a total length of 0x0014 (20 bytes, header only); the zeros after
the header are only the Ethernet padding needed to reach the minimum frame
size.  The same three protocols (117, 25, 162) being sent again about 0.3 s
later is consistent with nmap retrying probes that got no reply.

A target that does not implement a protocol answers with an ICMP protocol
unreachable (type 3, code 2), which nmap reports as closed.  No reply is
reported as open, so a firewall that silently drops the probes, or a host that
rate-limits its ICMP error messages, makes protocols look open even though
nothing is listening.  Here are the results of such a scan.  Below you see
that the system 'mozart' is listening on 4 IP protocols.  Unix users can look
up the names of IP protocol numbers in the file /etc/protocols.

marge #nmap -sO -T Aggressive mozart

Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting protocols on mozart.example.net (192.168.1.100):
(The 250 protocols scanned but not shown below are in state: closed)
Protocol   State       Name
1          open        icmp                    
2          open        igmp                    
6          open        tcp                     
17         open        udp                     

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
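How to check the capture and spot this kind of scan in tcpdump output, as an
added example (this is not code from the original Scan of the Week write-up or
from nmap).  The script decodes the tcpdump -x hex dump above as an IPv4 header,
verifies its checksum and total length against the summary line, and runs a
small detector over the summary lines of the first capture: a source that sends
empty-payload packets with several distinct IP protocol numbers in a short
window is flagged, and protocol numbers it sent more than once are listed as
retries.  The sample input is copied from this page; the thresholds (3
protocols within 2 seconds) are assumptions.

```python
"""Decode a tcpdump -x IPv4 hex dump and flag IP-protocol (nmap -sO style) scans
in tcpdump summary lines.  Added example; the sample input below is copied from
the capture on this page, and the detection thresholds are assumptions."""
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: the tcpdump -x dump of the ip-proto-130 packet (IP header
# followed by zero bytes of Ethernet padding), copied from the page.
HEXDUMP = """
4500 0014 a44c 0000 3b82 57b8 c0a8 010a
c0a8 0109 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
"""

# Constructed sample: the summary lines of the first capture, copied from the page.
SUMMARY_LINES = """\
17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)
17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)
17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)
17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)
17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)
17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)
17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)
""".splitlines()


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(hexdump: str) -> dict:
    """Unpack the fixed 20-byte IPv4 header from a tcpdump -x style hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload_length": total_len - ihl,      # 0: bare header, nothing on top
        "padding_bytes": len(raw) - total_len,  # bytes past total_length: link-layer pad
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }


# tcpdump summary line for a raw IP packet with an unknown transport protocol.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ [<>] (?P<src>\S+) > (?P<dst>\S+): "
    r"ip-proto-(?P<proto>\d+) (?P<len>\d+) \(ttl \d+, id \d+\)$"
)


def _probes(lines):
    """Yield (seconds since midnight, src, proto) for empty-payload raw IP probes."""
    for line in lines:
        m = SUMMARY_RE.match(line.strip())
        if not m or int(m["len"]) != 0:
            continue
        h, mi, s = m["ts"].split(":")
        yield int(h) * 3600 + int(mi) * 60 + float(s), m["src"], int(m["proto"])


def detect_protocol_scan(lines, min_protocols=3, window_s=2.0):
    """Sources probing >= min_protocols distinct protocol numbers within window_s
    seconds (thresholds are assumptions).  Returns {src: sorted protocol numbers}."""
    by_src = defaultdict(list)
    for t, src, proto in _probes(lines):
        by_src[src].append((t, proto))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            protos = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(protos) >= min_protocols:
                hits[src] = sorted(protos)
                break
    return hits


def repeated_probes(lines):
    """Protocol numbers each source probed more than once, i.e. the scanner
    retrying probes that got no reply.  Returns {src: sorted protocol numbers}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, src, proto in _probes(lines):
        counts[src][proto] += 1
    return {src: sorted(p for p, n in c.items() if n > 1)
            for src, c in counts.items() if any(n > 1 for n in c.values())}


if __name__ == "__main__":
    hdr = parse_ipv4_header(HEXDUMP)
    print("header:", hdr)
    print("scan sources:", detect_protocol_scan(SUMMARY_LINES))
    print("retried probes:", repeated_probes(SUMMARY_LINES))
```

Decoding the dump gives protocol 130, ttl 59 and id 42060, matching the
tcpdump summary line, a valid header checksum, a total length of 20 with a
zero-length payload, and 26 bytes of padding after the header, which is
exactly what it takes to fill a 46-byte minimum Ethernet payload.  The
detector reports 192.168.1.1 for protocols 25, 74, 117 and 162, with 25, 117
and 162 retried.  The zero data length is the important filter: a host that
legitimately speaks an unusual protocol (a VPN or routing daemon, say) sends
real payloads, a scanner sends empty headers.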