Null Scan Hackers maybe?


Null Scan Hackers maybe?

Post by darth » Wed Mar 27, 2013 5:23 pm

I've got two firewalls: Online Armor (software) and a Belkin (hardware). The Belkin detected a null scan on me the other day. The following site showed it was coming from Malaysia: http://ip-address-lookup-v4.com/lookup. ... &x=57&y=27

See also http://www.plixer.com/blog/scrutinizer/ ... g-watched/

Are null scans most likely used for malware?
Dell Precision 360 Workstation, XP 32/64-bit
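What a firewall like the Belkin in the post above is doing when it reports a "null scan" is counting flagless TCP segments from one source across many destination ports. The following is an added example, not code from this thread or from any firewall vendor: a small detector run over a constructed packet log (timestamps, source address, destination port and raw TCP flag byte are all made up for the example; addresses are RFC 5737 documentation ranges). It goes slightly beyond the thread by also recognising the related FIN-only and Xmas probes, which are built the same way and slip past stateless filters for the same reason. The ten-second window and five-port threshold are arbitrary tuning values, not figures from the page.

```python
from collections import Counter, defaultdict

# TCP flag bits as they appear in the flags byte (offset 13) of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def probe_kind(flags: int):
    """Map a raw TCP flag byte to the out-of-state probe type it represents.

    Returns "NULL" (no flags at all), "FIN" (FIN alone) or "XMAS"
    (FIN+PSH+URG), or None for anything that looks like ordinary traffic.
    A FIN with ACK set is a normal connection close and is NOT a probe.
    """
    f = flags & 0x3F
    if f == 0:
        return "NULL"
    if f == FIN:
        return "FIN"
    if f == FIN | PSH | URG:
        return "XMAS"
    return None


def detect_stealth_scans(records, min_ports=5, window=10.0):
    """Flag sources that send the same probe type to many distinct ports
    within `window` seconds.

    records: iterable of (timestamp, src_ip, dst_port, tcp_flags).
    Returns a sorted list of (src_ip, probe_kind, distinct_ports_in_busiest_window).
    """
    groups = defaultdict(list)
    for ts, src, dport, flags in records:
        kind = probe_kind(flags)
        if kind is not None:
            groups[(src, kind)].append((ts, dport))

    alerts = []
    for (src, kind), events in groups.items():
        events.sort()
        in_window = Counter()   # port -> probes seen inside the sliding window
        lo, best = 0, 0
        for ts, port in events:
            # Evict probes that fell out of the window before counting this one.
            while events[lo][0] < ts - window:
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            in_window[port] += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts.append((src, kind, best))
    return sorted(alerts)


# Constructed sample log (not real traffic): one NULL scan across six ports,
# one ordinary HTTPS client, and one lone FIN that stays below the threshold.
SAMPLE_LOG = [
    (100.0, "203.0.113.7", 21, 0),
    (100.3, "203.0.113.7", 22, 0),
    (100.6, "203.0.113.7", 23, 0),
    (100.9, "203.0.113.7", 25, 0),
    (101.2, "203.0.113.7", 80, 0),
    (101.5, "203.0.113.7", 443, 0),
    (100.1, "198.51.100.4", 443, SYN),        # normal handshake
    (100.2, "198.51.100.4", 443, ACK),
    (105.0, "198.51.100.4", 443, FIN | ACK),  # normal close, not a probe
    (300.0, "203.0.113.9", 22, FIN),          # a single FIN probe: no alert
]


if __name__ == "__main__":
    for src, kind, n in detect_stealth_scans(SAMPLE_LOG):
        print(f"{src}: {kind} scan, {n} distinct ports inside the window")
```

Run as a script it prints the one scanning source; the same function can be fed records parsed from a firewall or pcap export as long as the raw flag byte is preserved, since the whole signal is "no flags at all" rather than any particular payload.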


Re: Null Scan Hackers maybe?

Post by Tinman57 » Wed Mar 27, 2013 11:41 pm

TCP null scan

The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed.
((((TINMAN))))
----------------------------------------------------------
(Duck! It's another MicroSoft Patch!)


Re: Null Scan Hackers maybe?

Post by mbrazil » Thu Mar 28, 2013 1:45 am

And:
An attacker uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. The major advantage of this scan type is its ability to scan through stateless-firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports.
The rest of the article is at http://capec.mitre.org/data/definitions/304.html (Common Attack Pattern Enumeration and Classification). There's lots of good security information there.


Re: Null Scan Hackers maybe?

Post by Tinman57 » Fri Mar 29, 2013 1:42 am

That's one big thing I like about Comodo Firewall, it "stealths" all of the ports from this type of attack. Instead of replying with a <Port Closed>, it doesn't send anything back, so they don't know there's a computer there at all. lol
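Tinman57's Nmap quote, mbrazil's CAPEC excerpt and the "stealth" post above between them describe the three behaviours that decide what a null scan actually learns: an RFC 793 stack answers a flagless segment to a closed port with RST and says nothing for an open one; a Windows-style stack resets every out-of-state segment, open or not; and a drop-everything firewall says nothing at all. The following is an added example, not Nmap's code nor anything from the thread or from CAPEC: it builds a flagless TCP segment with a correct checksum, classifies the reply the way Nmap's -sN rules do (RST means closed, silence means open|filtered, certain ICMP unreachables mean filtered), and runs the probe against three constructed target models so the difference is visible. Addresses are RFC 5737 documentation ranges, the port lists and open-port sets are made up, and no packets are sent on the wire.

```python
import socket
import struct

# TCP flag bits in the flags byte at header offset 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCANNER, TARGET = "192.0.2.10", "192.0.2.20"   # constructed RFC 5737 documentation addresses


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0) -> bytes:
    """A 20-byte TCP header (no options, no payload) carrying `flags`, with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags & 0x3F, 8192, 0, 0)
    csum = ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(segment: bytes) -> int:
    return segment[13] & 0x3F


def tcp_ports(segment: bytes):
    """(source port, destination port) of a TCP header."""
    return struct.unpack("!HH", segment[:4])


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    # With the checksum field filled in, the sum over pseudo-header + segment folds to zero.
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_null_response(response) -> str:
    """Apply Nmap's -sN state rules to what came back for one flagless probe.
    response is None (nothing came back), ("tcp", segment) or ("icmp", type, code)."""
    if response is None:
        return "open|filtered"           # RFC 793 open port: segment silently dropped
    if response[0] == "tcp":
        return "closed" if tcp_flags(response[1]) & RST else "unexpected"
    if response[0] == "icmp":
        _, icmp_type, code = response
        if icmp_type == 3 and code in (1, 2, 3, 9, 10, 13):
            return "filtered"            # unreachable/prohibited: a filter answered, not the host
    return "unexpected"


# Three constructed target models; each takes the probe and returns a response.
def rfc793_target(open_ports):
    """RFC 793 behaviour: open ports ignore the flagless segment, closed ports send RST."""
    def respond(probe):
        sport, dport = tcp_ports(probe)
        if dport in open_ports:
            return None
        return ("tcp", build_tcp_segment(TARGET, SCANNER, dport, sport, RST | ACK))
    return respond


def rst_everything_target(open_ports):
    """Windows-style stack: every out-of-state segment gets a RST whether the port is open or not."""
    def respond(probe):
        sport, dport = tcp_ports(probe)
        return ("tcp", build_tcp_segment(TARGET, SCANNER, dport, sport, RST | ACK))
    return respond


def stealth_target(open_ports):
    """A drop-everything ('stealthed') firewall in front of the host: no reply at all."""
    def respond(probe):
        return None
    return respond


def null_scan(ports, target) -> dict:
    """Send one flagless probe per port to a target model and classify each reply."""
    results = {}
    for i, port in enumerate(ports):
        probe = build_tcp_segment(SCANNER, TARGET, 40000 + i, port, flags=0)
        results[port] = classify_null_response(target(probe))
    return results


def scan_is_informative(results: dict) -> bool:
    """A null scan only separates ports when both 'closed' and 'open|filtered' show up.
    All-RST (Windows-style) or all-silent (stealth firewall) tells the scanner nothing."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    ports = [22, 80, 443, 8080]
    for name, model in (("rfc793", rfc793_target({22, 443})),
                        ("windows", rst_everything_target({22, 443})),
                        ("stealth", stealth_target({22, 443}))):
        r = null_scan(ports, model)
        print(name, r, "informative" if scan_is_informative(r) else "uninformative")
```

The point the last function makes is the one the thread circles around: against the RFC 793 model the scanner cleanly separates the two open ports from the two closed ones, while the Windows-style and stealthed targets produce a uniform answer from which nothing about individual ports can be read, which is why Nmap reports open|filtered rather than open for silence.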


Re: Null Scan Hackers maybe?

Post by darth » Fri Mar 29, 2013 5:45 am

I used www.grc.com to probe my firewall; GRC reported my firewall was stealth, that is, no reply, I believe. I still have some fond memories of Comodo, since it was my first firewall I downloaded.

Check out www.Grc.com. They've got other things also.


Re: Null Scan Hackers maybe?

Post by Tinman57 » Sat Mar 30, 2013 12:56 am

darth wrote:
I used http://www.grc.com to probe my firewall; GRC reported my firewall was stealth, that is, no reply, I believe. I still have some fond memories of Comodo, since it was my first firewall I downloaded.

Check out http://www.Grc.com. They've got other things also.
Been there, done that, got the t-shirt. :P