nessus and tcp sequences


Subject: nessus and tcp sequences
From: Benjamin Karas (bjk4@po.cwru.edu)
Date: Thu Dec 02 1999 - 14:53:01 MST


Recently I had a rather odd experience with nessus and
nmap. Unfortunately, I was not saving the output of nmap, which was the
more interesting of the two events.

A friend was running nessus from a different computer looking for
vulnerabilities in mine. I had sshd running on its own, and ftp, talk,
ntalk, dtalk running from inetd and wrapped with tcp wrappers. My ftp version
is ProFTPD 1.2.0pre6 with a near-default configuration.

Normally, nmap returns a rather ordinary result:
-------------------------------------------
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State    Protocol  Service
21      open     tcp       ftp
22      open     tcp       ssh

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1317278 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
-------------------------------------------

The strange part was that during the nessus scan, nmap returned odd results.
First it gave a depressingly low difficulty score for the TCP Sequence
Prediction. Second, it told me that my TCP fingerprint didn't match the
database. That is what I found the most odd.

I was wondering if anyone else has seen this behavior, or can reproduce it.
The network connection was 10BaseT to OC3 to 10BaseT under very normal
load (>12000 hosts).

Thanks,
Benjamin Karas



This archive was generated by hypermail 2a24 : Fri Dec 03 1999 - 19:07:34 MST