This is the fifth in a series of posts looking at detecting Nmap scans in Wireshark. I’m being guided by Chapter 31 of Wireshark Network Analysis entitled: “Detect Scanning and Discovery processes”.
The book Nmap Network Scanning has this to say about the Null scan:
When scanning systems compliant with the RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open/filtered. As long as none of those three bits are included, any combination of the other three (FIN, PSH and URG) are OK
[....]
Xmas scan (-sX) sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
[....]
The port is marked as filtered if an ICMP unreachable error (type 3, code 1,2,3,9,10 or 13) is received.
[....]
The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even the SYN scan. Don’t count on this though – most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter……
To make things more interesting I will scan the Ubuntu system hosting Security Onion to see if the Snorby IDS will pick up the scan.
Here’s the scan:
nmap -sX 192.168.1.93
Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-24 08:09 BST
Nmap scan report for 192.168.1.93
Host is up (0.0046s latency).
All 1000 scanned ports on 192.168.1.93 are open|filtered
MAC Address: 00:11:11:D2:EB:E5 (Intel)
The first thing to say is that Snorby did not detect this scan and issued no warnings. I’m sure Snorby could be configured to detect these scans; I just don’t know how to do so at this stage.
On the other hand, this scan was an easy spot within Wireshark. Here’s a partial Wireshark capture of the scan:
As you can see the FIN, PSH and URG flags are easily identifiable.
Here’s a breakdown of the TCP:
Note the Flags summary line, which gives us the value to filter on in Wireshark: tcp.flags==0x029. That value is simply FIN (0x001) + PSH (0x008) + URG (0x020), so the filter matches exactly the Xmas probe and nothing else.
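The same check can be done outside Wireshark. The script below is an added example (not part of this post or of Nmap) that reads the flag byte from raw TCP headers using Wireshark's tcp.flags numbering, classifies SYN/RST/ACK-less segments as Xmas, Null or FIN probes as the quoted Nmap text describes, and reports a source as scanning once it has hit a threshold of distinct ports. The capture it runs on is constructed in-line (the 192.168.1.50 scanner and 192.168.1.20 client addresses are made up, and the port threshold of 10 is an assumption).

```python
import struct

# TCP flag bits as numbered in RFC 793 and in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK, URG = 0x001, 0x002, 0x004, 0x008, 0x010, 0x020
XMAS = FIN | PSH | URG  # 0x029, i.e. the Wireshark filter tcp.flags==0x029


def tcp_flags(segment: bytes) -> int:
    """Return the 9-bit flag value (NS + CWR..FIN) from a raw TCP header,
    numbered exactly like Wireshark's tcp.flags, so it can be compared
    against the same constants used in a display filter."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return ((segment[12] & 0x01) << 8) | segment[13]


def classify(flags: int):
    """Map a flag value to the Nmap probe type it resembles, or None for
    ordinary traffic. Per RFC 793 a segment lacking SYN, RST and ACK draws
    a RST from a closed port and nothing from an open one (open|filtered)."""
    if flags & (SYN | RST | ACK):
        return None          # every normal segment carries at least one of these
    if flags == XMAS:
        return "xmas"        # -sX: FIN+PSH+URG
    if flags == 0:
        return "null"        # -sN: no flags at all
    if flags == FIN:
        return "fin"         # -sF: FIN only
    return "odd-flags"       # some other SYN/RST/ACK-less combination


def detect_scans(packets, min_ports=10):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header).
    Returns {(src_ip, dst_ip, probe_type): distinct_ports_probed} for every
    source that sent one probe type to at least min_ports distinct ports.
    The port threshold (an assumed value) separates a scan from a stray segment."""
    seen = {}
    for src, dst, seg in packets:
        kind = classify(tcp_flags(seg))
        if kind is None:
            continue
        dport = struct.unpack("!H", seg[2:4])[0]
        seen.setdefault((src, dst, kind), set()).add(dport)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= min_ports}


def build_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed sample input: a minimal 20-byte TCP header with the given
    flags (checksum left zero; this is test data, not a sendable packet)."""
    data_offset_and_flags = (5 << 12) | flags   # header length 5 words + flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       data_offset_and_flags, 1024, 0, 0)


def sample_capture():
    """Constructed traffic: an Xmas scan of 25 ports from one host, mixed
    with a normal handshake and close from another. Addresses are made up."""
    scanner, target, client = "192.168.1.50", "192.168.1.93", "192.168.1.20"
    pkts = [(scanner, target, build_tcp(40000 + p, p, XMAS)) for p in range(1, 26)]
    pkts += [
        (client, target, build_tcp(51000, 80, SYN)),
        (target, client, build_tcp(80, 51000, SYN | ACK)),
        (client, target, build_tcp(51000, 80, ACK)),
        (client, target, build_tcp(51000, 80, FIN | ACK)),  # normal close, not a FIN scan
    ]
    return pkts


if __name__ == "__main__":
    for (src, dst, kind), n in detect_scans(sample_capture()).items():
        print(f"{kind} scan: {src} -> {dst}, {n} ports probed")
```

The flag value is read the way Wireshark displays it (NS bit from byte 12, the other eight from byte 13), so the XMAS constant is literally the 0x029 from the display filter; the FIN+ACK of a normal connection close is ignored because it carries ACK, which is why a FIN scan is only flagged when FIN stands alone.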