
Null Scan Hackers maybe?

Posted: Wed Mar 27, 2013 5:23 pm
by darth
I got two firewalls, software onlineArmour, hardware Belkin. Belkin detected a null scan on me the other day. The following site showed it was coming from Malaysia. View http://ip-address-lookup-v4.com/lookup. ... &x=57&y=27

View also http://www.plixer.com/blog/scrutinizer/ ... g-watched/

Are null scans most likely used for malware?

Re: Null Scan Hackers maybe?

Posted: Wed Mar 27, 2013 11:41 pm
by Tinman57
TCP null scan: The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.

Re: Null Scan Hackers maybe?

Posted: Thu Mar 28, 2013 1:45 am
by mbrazil
And:
An attacker uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. The major advantage of this scan type is its ability to scan through stateless-firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports.
The rest of the article is at http://capec.mitre.org/data/definitions/304.html (Common Attack Pattern Enumeration and Classification). There's lots of good security information there.
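An added example, not from this thread or from the CAPEC entry: a small Python script that picks NULL segments out of raw TCP headers (the flag byte is all zeros) and models the reply behaviour the CAPEC text describes, so you can see why an RFC 793 host leaks port state to a NULL scan while a Windows-style host that always answers RST does not. The sample headers are constructed inline; nothing is sent on the network.

```python
import struct

# TCP flag bits from RFC 793 (plus the ECN bits of RFC 3168)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no IP header) for sample input."""
    data_offset = 5 << 4                    # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 1024, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP header (byte 13)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_null_scan(segment: bytes) -> bool:
    """A NULL scan segment carries no flags at all (nmap -sN)."""
    return tcp_flags(segment) == 0


def find_null_scans(segments: list) -> list:
    """Detection pass over captured headers: return the (src, dst) ports of NULL segments."""
    hits = []
    for seg in segments:
        if is_null_scan(seg):
            src, dst = struct.unpack("!HH", seg[:4])
            hits.append((src, dst))
    return hits


def expected_response(port_open: bool, rfc793_compliant: bool) -> str:
    """Reply a host gives to a NULL segment, per the CAPEC description above.
    RFC 793 hosts: open port drops it, closed port answers RST, so state leaks.
    Windows-style hosts: RST either way, so open and closed look the same."""
    if not rfc793_compliant:
        return "RST"
    return "none" if port_open else "RST"


# Constructed sample capture: one SYN (normal), two NULL probes, one FIN probe
SAMPLE = [build_tcp_header(50000, 443, FLAGS["SYN"]),
          build_tcp_header(50001, 22, 0),
          build_tcp_header(50002, 80, 0),
          build_tcp_header(50003, 25, FLAGS["FIN"])]
```

Running `find_null_scans(SAMPLE)` on the constructed capture reports only the two all-zero-flag probes, which is the pattern a firewall log line like Belkin's "null scan" refers to.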

Re: Null Scan Hackers maybe?

Posted: Fri Mar 29, 2013 1:42 am
by Tinman57
That's one big thing I like about Comodo Firewall, it "stealths" all of the ports from this type of attack. Instead of replying with a <Port Closed>, it doesn't send anything back, so they don't know there's a computer there at all. lol

Re: Null Scan Hackers maybe?

Posted: Fri Mar 29, 2013 5:45 am
by darth
I used www.grc.com to probe my firewall; GRC reported my firewall was stealth, that is no reply I believe. I still have some fond memories of Comodo, since it was my first firewall I downloaded.

Check out www.Grc.com. They got other things also.

Re: Null Scan Hackers maybe?

Posted: Sat Mar 30, 2013 12:56 am
by Tinman57
darth wrote:
I used http://www.grc.com to probe my firewall; GRC reported my firewall was stealth, that is no reply I believe. I still have some fond memories of Comodo, since it was my first firewall I downloaded.

Check out http://www.Grc.com. They got other things also.

Been there, done that, got the t-shirt. :P