
Intrusion Detection FAQ: RPC and NMAP Patterns

Some of the RPC scanning activity seen on the net is probably generated by NMAP. In this analysis brief, Daniel Ayers describes the tool and the patterns it leaves in packet traces.

NMAP (by Fyodor, http://www.insecure.org/nmap/) is a flexible and widely used UNIX-based network scanner. It supports a range of scanning modes (standard TCP connect(), SYN, FIN, etc) and is also capable of detecting the type of host being scanned using TCP stack fingerprinting.

Recently, NMAP was enhanced further to support scanning for RPC services. NMAP bypasses the portmapper and submits RPC queries direct to any open TCP or UDP ports. RPC scans may be combined with TCP and UDP scans.

Let's start by looking at probably the most commonly used NMAP scanning mode, the SYN stealth scan. This is a standard SYN scan that uses crafted SYN packets to solicit a SYN+ACK response from open ports on the scanned host.

Here's a sample NMAP SYN scan and associated tcpdump output:

% nmap -P0 -sS -p78-85 192.168.1.1
10:54:09 172.20.1.1.39769 > 192.168.1.1.80:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 48666)
10:54:09 172.20.1.1.39769 > 192.168.1.1.81:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 65179)
10:54:09 172.20.1.1.39769 > 192.168.1.1.84:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 42056)
10:54:09 172.20.1.1.39769 > 192.168.1.1.82:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 71)
10:54:09 172.20.1.1.39769 > 192.168.1.1.78:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 41568)
10:54:09 172.20.1.1.39769 > 192.168.1.1.83:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 36563)
10:54:09 172.20.1.1.39769 > 192.168.1.1.79:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 64848)
10:54:09 172.20.1.1.39769 > 192.168.1.1.85:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 6151)
10:54:09 192.168.1.1.80 > 172.20.1.1.39769:
S 2955358057:2955358057(0) ack 2585925863 win 1072
(DF) (ttl 114, id 54406)
10:54:09 172.20.1.1.39769 > 192.168.1.1.80:
R 2585925863:2585925863(0) win 0 (ttl 64, id 36132)
10:54:09 192.168.1.1.81 > 172.20.1.1.39769:
S 2955357578:2955357578(0) ack 2585925863 win 1072
(DF) (ttl 114, id 54662)
10:54:09 172.20.1.1.39769 > 192.168.1.1.81:
R 2585925863:2585925863(0) win 0 (ttl 64, id 51740)
10:54:09 172.20.1.1.39770 > 192.168.1.1.84:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 44955)
10:54:09 172.20.1.1.39770 > 192.168.1.1.82:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 57352)
10:54:09 172.20.1.1.39770 > 192.168.1.1.78:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 52295)
10:54:09 172.20.1.1.39770 > 192.168.1.1.83:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 40374)
10:54:09 172.20.1.1.39770 > 192.168.1.1.79:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 38718)
10:54:09 172.20.1.1.39770 > 192.168.1.1.85:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 40208)
10:54:09 172.20.1.1.39771 > 192.168.1.1.84:
S 430816999:430816999(0) win 4096 (ttl 39, id 30314)
10:54:09 172.20.1.1.39771 > 192.168.1.1.82:
S 430816999:430816999(0) win 4096 (ttl 39, id 39007)
10:54:09 172.20.1.1.39771 > 192.168.1.1.78:
S 430816999:430816999(0) win 4096 (ttl 39, id 34872)
10:54:09 172.20.1.1.39771 > 192.168.1.1.83:
S 430816999:430816999(0) win 4096 (ttl 39, id 30001)
10:54:09 172.20.1.1.39771 > 192.168.1.1.79:
S 430816999:430816999(0) win 4096 (ttl 39, id 49973)
10:54:09 172.20.1.1.39771 > 192.168.1.1.85:
S 430816999:430816999(0) win 4096 (ttl 39, id 44611)
10:54:10 172.20.1.1.39772 > 192.168.1.1.85:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 42377)
10:54:10 172.20.1.1.39772 > 192.168.1.1.79:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 41404)
10:54:10 172.20.1.1.39772 > 192.168.1.1.83:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 64048)
10:54:10 172.20.1.1.39772 > 192.168.1.1.78:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 43386)
10:54:10 172.20.1.1.39772 > 192.168.1.1.82:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 19858)
10:54:10 172.20.1.1.39772 > 192.168.1.1.84:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 29952)
10:54:10 172.20.1.1.39773 > 192.168.1.1.85:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 9274)
10:54:10 172.20.1.1.39773 > 192.168.1.1.79:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 20289)
10:54:10 172.20.1.1.39773 > 192.168.1.1.83:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 1730)
10:54:10 172.20.1.1.39773 > 192.168.1.1.78:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 39603)
10:54:10 172.20.1.1.39773 > 192.168.1.1.82:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 8480)
10:54:10 172.20.1.1.39773 > 192.168.1.1.84:
S 1005570163:1005570163(0) win 4096 (ttl 39, id 41432)
10:54:10 172.20.1.1.39774 > 192.168.1.1.85:
S 430816999:430816999(0) win 4096 (ttl 39, id 16491)
10:54:10 172.20.1.1.39774 > 192.168.1.1.79:
S 430816999:430816999(0) win 4096 (ttl 39, id 36604)
10:54:10 172.20.1.1.39774 > 192.168.1.1.83:
S 430816999:430816999(0) win 4096 (ttl 39, id 58110)
10:54:10 172.20.1.1.39774 > 192.168.1.1.78:
S 430816999:430816999(0) win 4096 (ttl 39, id 61003)
10:54:10 172.20.1.1.39774 > 192.168.1.1.82:
S 430816999:430816999(0) win 4096 (ttl 39, id 63609)
10:54:10 172.20.1.1.39774 > 192.168.1.1.84:
S 430816999:430816999(0) win 4096 (ttl 39, id 46398)

This is a TCP SYN stealth scan between ports 78 and 85 against a machine known to be running web servers on ports 80 and 81. A SYN+ACK is received on 80 and 81 indicating that those ports are open on the target host. The scanning machine's TCP/IP stack responds with a RST because it is not aware of the connection (remember - the packets are crafted by NMAP).

Points to note about this trace:
  1. Destination ports are in a random order. This is designed to confuse simple IDS systems.
  2. Source port is constant for a few packets, and then increments.
  3. ISNs (Initial Sequence Numbers) are also constant for a few packets and then change, but the pattern repeats.
  4. IP ID numbers are random.
  5. TCP window sizes are constant during the scan. (Actually, the window size is chosen randomly at the start of the scan and will always be 1024, 2048, 3072 or 4096 octets. This is another attempt to evade IDS systems.)
  6. The initial TTL is constant during the scan. (This trace was captured from the scanning machine. The initial TTL is also chosen randomly at the start of the scan and will vary from 37 to 59, a further attempt to evade detection.)
This pattern makes NMAP SYN scans quite easy to identify. The signature is so distinctive because NMAP performs the SYN scan using crafted packets.
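The traits above can be turned into a simple detector. This is an added example, not part of the original analysis: Python that joins tcpdump lines in the format printed here into packets, keeps the outbound SYNs, and flags a source that reuses one ISN across several destination ports together with a constant NMAP-style window and TTL. The sample trace mixes lines copied from above with a constructed second host (10.0.0.7, assumed); the function names are this example's own.

```python
import re
from collections import defaultdict

# One packet, after its tcpdump lines are joined: header, SYN flag, optional ack, window, ttl.
REC = re.compile(r'^(\d\d:\d\d:\d\d) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): '
                 r'S (\d+):\d+\(\d+\)( ack \d+)? win (\d+).*?\(ttl (\d+), id (\d+)\)')

NMAP_WINDOWS = {1024, 2048, 3072, 4096}   # the window sizes the text says NMAP chooses from
NMAP_MAX_INITIAL_TTL = 59                 # initial TTL is 37..59; routers only ever decrement it

# Constructed sample: three crafted SYNs and one SYN+ACK copied from the trace above, plus
# three SYNs from an assumed second host 10.0.0.7 whose stack behaves normally.
SAMPLE = """\
10:54:09 172.20.1.1.39769 > 192.168.1.1.80:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 48666)
10:54:09 172.20.1.1.39769 > 192.168.1.1.81:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 65179)
10:54:09 172.20.1.1.39769 > 192.168.1.1.84:
S 2585925862:2585925862(0) win 4096 (ttl 39, id 42056)
10:54:09 192.168.1.1.80 > 172.20.1.1.39769:
S 2955358057:2955358057(0) ack 2585925863 win 1072
(DF) (ttl 114, id 54406)
10:56:19 10.0.0.7.20365 > 192.168.1.1.80:
S 4096531040:4096531040(0) win 16384 (ttl 64, id 15568)
10:56:19 10.0.0.7.12145 > 192.168.1.1.79:
S 4096546916:4096546916(0) win 16384 (ttl 64, id 5534)
10:56:19 10.0.0.7.18707 > 192.168.1.1.83:
S 4096554384:4096554384(0) win 16384 (ttl 64, id 30006)
"""

def packets(text):
    """One string per packet: split before each timestamp, then join the continuation lines."""
    return [' '.join(chunk.split()) for chunk in re.split(r'\n(?=\d\d:\d\d:\d\d )', text.strip())]

def outbound_syns(text):
    """Return the pure SYNs (no ACK) as dicts: src, dst, dport, isn, win, ttl."""
    syns = []
    for p in packets(text):
        m = REC.match(p)
        if m and m.group(7) is None:          # group 7 is ' ack N', present only on SYN+ACK replies
            _, src, _, dst, dport, isn, _, win, ttl, _ = m.groups()
            syns.append(dict(src=src, dst=dst, dport=int(dport), isn=int(isn), win=int(win), ttl=int(ttl)))
    return syns

def crafted_syn_indicators(syns, min_ports=3):
    """Per (src, dst) pair, test for the crafted-packet traits listed in the text."""
    groups = defaultdict(list)
    for s in syns:
        groups[(s['src'], s['dst'])].append(s)
    report = {}
    for pair, g in groups.items():
        if len({s['dport'] for s in g}) < min_ports:
            continue
        ports_per_isn = defaultdict(set)
        for s in g:
            ports_per_isn[s['isn']].add(s['dport'])
        wins, ttls = {s['win'] for s in g}, {s['ttl'] for s in g}
        f = {
            # a real stack picks a fresh ISN per connection; one ISN reused across ports is crafted
            'isn_reused': max(len(p) for p in ports_per_isn.values()) >= min_ports,
            'nmap_window': len(wins) == 1 and wins <= NMAP_WINDOWS,
            'nmap_ttl': len(ttls) == 1 and max(ttls) <= NMAP_MAX_INITIAL_TTL,
        }
        f['likely_nmap_syn'] = f['isn_reused'] and f['nmap_window'] and f['nmap_ttl']
        report[pair] = f
    return report
```

The reused ISN is the decisive trait; a constant window and TTL also fit plenty of legitimate stacks, so treat those two as supporting evidence only.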

NMAP performs the old-style TCP connect() scanning using the operating system TCP/IP stack and system calls. This actually makes NMAP TCP connect() scans much harder to identify in the wild because most of the parameters in the IP datagrams are set by the host TCP/IP stack. NMAP scans from different operating systems will look different.

Here is an NMAP TCP connect() scan from an OpenBSD 2.5 system:

% nmap -P0 -sT -p78-85 192.168.1.1
10:56:19 172.20.1.1.20365 > 192.168.1.1.80:
S 4096531040:4096531040(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 15568)
10:56:19 172.20.1.1.12145 > 192.168.1.1.79:
S 4096546916:4096546916(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 5534)
10:56:19 172.20.1.1.18707 > 192.168.1.1.83:
S 4096554384:4096554384(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 30006)
10:56:19 172.20.1.1.11496 > 192.168.1.1.85:
S 4096604988:4096604988(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 25118)
10:56:19 172.20.1.1.34877 > 192.168.1.1.81:
S 4096663100:4096663100(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 26945)
10:56:19 172.20.1.1.8426 > 192.168.1.1.78:
S 4096677617:4096677617(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 10613)
10:56:19 172.20.1.1.48206 > 192.168.1.1.84:
S 4096712665:4096712665(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 1824)
10:56:19 172.20.1.1.43184 > 192.168.1.1.82:
S 4096765358:4096765358(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406102 0> (ttl 64, id 20815)
10:56:20 192.168.1.1.80 > 172.20.1.1.20365:
S 2955488721:2955488721(0) ack 4096531041 win 1024
<mss 1460> (DF) (ttl 114, id 9608)
10:56:20 172.20.1.1.20365 > 192.168.1.1.80:
. ack 1 win 16384 (ttl 64, id 406)
10:56:20 172.20.1.1.20365 > 192.168.1.1.80:
R 1:1(0) ack 1 win 0 (ttl 64, id 31087)
10:56:20 192.168.1.1.81 > 172.20.1.1.34877:
S 2955488364:2955488364(0) ack 4096663101 win 1024
<mss 1460> (DF) (ttl 114, id 9864)
10:56:20 172.20.1.1.34877 > 192.168.1.1.81:
. ack 1 win 16384 (ttl 64, id 10544)
10:56:20 172.20.1.1.34877 > 192.168.1.1.81:
R 1:1(0) ack 1 win 0 (ttl 64, id 29338)
10:56:20 172.20.1.1.35736 > 192.168.1.1.79:
S 4096829741:4096829741(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 16211)
10:56:20 172.20.1.1.23922 > 192.168.1.1.83:
S 4096888063:4096888063(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 11439)
10:56:20 172.20.1.1.9977 > 192.168.1.1.85:
S 4096930837:4096930837(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 16913)
10:56:20 172.20.1.1.30364 > 192.168.1.1.78:
S 4096931462:4096931462(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 4560)
10:56:20 172.20.1.1.16933 > 192.168.1.1.84:
S 4096965847:4096965847(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 12154)
10:56:20 172.20.1.1.19365 > 192.168.1.1.82:
S 4097007100:4097007100(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406103 0> (ttl 64, id 23414)
10:56:20 172.20.1.1.8558 > 192.168.1.1.79:
S 4097072333:4097072333(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 30979)
10:56:20 172.20.1.1.10392 > 192.168.1.1.83:
S 4097114681:4097114681(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 23805)
10:56:20 172.20.1.1.45297 > 192.168.1.1.85:
S 4097170862:4097170862(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 16011)
10:56:20 172.20.1.1.13264 > 192.168.1.1.78:
S 4097221243:4097221243(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 17356)
10:56:20 172.20.1.1.38705 > 192.168.1.1.84:
S 4097226803:4097226803(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 28926)
10:56:20 172.20.1.1.21255 > 192.168.1.1.82:
S 4097235392:4097235392(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 2097)
10:56:20 172.20.1.1.12105 > 192.168.1.1.82:
S 4097251193:4097251193(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 2880)
10:56:20 172.20.1.1.43229 > 192.168.1.1.84:
S 4097258290:4097258290(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 5538)
10:56:20 172.20.1.1.30085 > 192.168.1.1.78:
S 4097300637:4097300637(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 13978)
10:56:20 172.20.1.1.2161 > 192.168.1.1.85:
S 4097312766:4097312766(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 31544)
10:56:20 172.20.1.1.22608 > 192.168.1.1.83:
S 4097357637:4097357637(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 7895)
10:56:20 172.20.1.1.16605 > 192.168.1.1.79:
S 4097410745:4097410745(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406104 0> (ttl 64, id 26786)
10:56:21 172.20.1.1.7455 > 192.168.1.1.82:
S 4097471276:4097471276(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 29609)
10:56:21 172.20.1.1.38963 > 192.168.1.1.84:
S 4097510285:4097510285(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 26241)
10:56:21 172.20.1.1.32922 > 192.168.1.1.78:
S 4097523123:4097523123(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 17252)
10:56:21 172.20.1.1.41428 > 192.168.1.1.85:
S 4097541252:4097541252(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 14265)
10:56:21 172.20.1.1.35884 > 192.168.1.1.83:
S 4097545052:4097545052(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 1832)
10:56:21 172.20.1.1.40400 > 192.168.1.1.79:
S 4097565579:4097565579(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406105 0> (ttl 64, id 18442)
10:56:21 172.20.1.1.25181 > 192.168.1.1.82:
S 4097617854:4097617854(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406106 0> (ttl 64, id 2438)
10:56:21 172.20.1.1.37460 > 192.168.1.1.84:
S 4097669306:4097669306(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 406106 0> (ttl 64, id 548)

Note that:

  1. Destination ports are still in a random order.
  2. Source port is random. This is normal OpenBSD behaviour. Many systems will simply increment the source port.
  3. ISNs increment as they should.
  4. IP IDs are random - normal OpenBSD behaviour. Many systems just increment the IP ID when a datagram is transmitted.
  5. TCP window size is 16384 octets, and there are many TCP options included in the connection request. Again, this is OpenBSD behaviour and is not related to NMAP.
  6. The initial TTL, set by OpenBSD, is 64.
Clearly it will be easier to identify the host OS in this scan (OpenBSD) than the tool in use (NMAP).

Notice that the connections on ports 80 and 81 come fully open, but no data is transmitted. (The number in brackets following the sequence numbers is the number of TCP data octets in the packet. All are zero in this example.) The successful connection will often result in a log entry on the scanned host, which is why connect() scanning is considered "less stealthy".

If a TCP or UDP scan is combined with an RPC scan, the TCP/UDP scan occurs first and any open ports discovered are probed for RPCs. The RPC probes are full TCP connections (via connect(), not crafted packets) and data is sent down the connection in the form of RPC requests.

Here is an example of a scan for TCP RPC services. (This example is actually the second half of the first example, the SYN scan):

% nmap -P0 -sS -sR -p78-85 192.168.1.1
(The initial TCP SYN scan has been omitted;
it is the first example above.)

10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
S 4088233511:4088233511(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 405845 0> (ttl 64, id 60806)
10:54:11 192.168.1.1.80 > 172.20.1.1.29850:
S 2955359978:2955359978(0) ack 4088233512 win 1024
<mss 1460> (DF) (ttl 114, id 55174)
10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
. ack 1 win 16384 (ttl 64, id 41143)
10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
P 1:45(44) ack 1 win 16384 (ttl 64, id 39834)
10:54:11 192.168.1.1.80 > 172.20.1.1.29850:
. ack 45 win 8148 (DF) (ttl 114, id 55430)
10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
P 45:89(44) ack 1 win 16384 (ttl 64, id 35625)
10:54:11 192.168.1.1.80 > 172.20.1.1.29850:
. ack 89 win 8104 (DF) (ttl 114, id 55686)
10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
P 89:133(44) ack 1 win 16384 (ttl 64, id 56253)
10:54:11 192.168.1.1.80 > 172.20.1.1.29850:
. ack 133 win 8060 (DF) (ttl 114, id 55942)
10:54:11 172.20.1.1.29850 > 192.168.1.1.80:
P 133:177(44) ack 1 win 16384 (ttl 64, id 56726)
10:54:12 192.168.1.1.80 > 172.20.1.1.29850:
. ack 177 win 8016 (DF) (ttl 114, id 57990)
10:54:12 172.20.1.1.29850 > 192.168.1.1.80:
P 177:221(44) ack 1 win 16384 (ttl 64, id 54946)
10:54:12 192.168.1.1.80 > 172.20.1.1.29850:
. ack 221 win 7972 (DF) (ttl 114, id 58246)
10:54:12 172.20.1.1.29850 > 192.168.1.1.80:
P 221:265(44) ack 1 win 16384 (ttl 64, id 36575)
10:54:12 192.168.1.1.80 > 172.20.1.1.29850:
. ack 265 win 7928 (DF) (ttl 114, id 58758)
10:54:12 172.20.1.1.29850 > 192.168.1.1.80:
F 265:265(0) ack 1 win 16384 (ttl 64, id 56851)
10:54:12 172.20.1.1.19353 > 192.168.1.1.81:
S 4088366234:4088366234(0) win 16384
<mss 512,nop,wscale 0,nop,nop,timestamp 405848 0> (ttl 64, id 37869)
10:54:12 192.168.1.1.80 > 172.20.1.1.29850:
. ack 266 win 7928 (DF) (ttl 114, id 59014)
10:54:12 192.168.1.1.80 > 172.20.1.1.29850:
F 1:1(0) ack 266 win 1024 (DF) (ttl 114, id 59270)
10:54:12 172.20.1.1.29850 > 192.168.1.1.80:
. ack 2 win 16384 (ttl 64, id 49919)
10:54:12 192.168.1.1.81 > 172.20.1.1.19353:
S 2955361092:2955361092(0) ack 4088366235 win 1024
<mss 1460> (DF) (ttl 114, id 59526)
10:54:12 172.20.1.1.19353 > 192.168.1.1.81:
. ack 1 win 16384 (ttl 64, id 54223)
10:54:12 172.20.1.1.19353 > 192.168.1.1.81:
P 1:45(44) ack 1 win 16384 (ttl 64, id 43662)
10:54:12 192.168.1.1.81 > 172.20.1.1.19353:
. ack 45 win 8148 (DF) (ttl 114, id 60038)
10:54:12 172.20.1.1.19353 > 192.168.1.1.81:
P 45:89(44) ack 1 win 16384 (ttl 64, id 36845)
10:54:13 192.168.1.1.81 > 172.20.1.1.19353:
. ack 89 win 8104 (DF) (ttl 114, id 60294)
10:54:13 172.20.1.1.19353 > 192.168.1.1.81:
P 89:133(44) ack 1 win 16384 (ttl 64, id 60612)
10:54:13 192.168.1.1.81 > 172.20.1.1.19353:
. ack 133 win 8060 (DF) (ttl 114, id 60550)
10:54:13 172.20.1.1.19353 > 192.168.1.1.81:
P 133:177(44) ack 1 win 16384 (ttl 64, id 56541)
10:54:13 192.168.1.1.81 > 172.20.1.1.19353:
. ack 177 win 8016 (DF) (ttl 114, id 60806)
10:54:13 172.20.1.1.19353 > 192.168.1.1.81:
P 177:221(44) ack 1 win 16384 (ttl 64, id 51499)
10:54:13 192.168.1.1.81 > 172.20.1.1.19353:
. ack 221 win 7972 (DF) (ttl 114, id 61062)
10:54:13 172.20.1.1.19353 > 192.168.1.1.81:
P 221:265(44) ack 1 win 16384 (ttl 64, id 47774)
10:54:14 192.168.1.1.81 > 172.20.1.1.19353:
. ack 265 win 7928 (DF) (ttl 114, id 61318)
10:54:14 172.20.1.1.19353 > 192.168.1.1.81:
F 265:265(0) ack 1 win 16384 (ttl 64, id 51221)
10:54:14 192.168.1.1.81 > 172.20.1.1.19353:
. ack 266 win 7928 (DF) (ttl 114, id 61574)
10:54:14 192.168.1.1.81 > 172.20.1.1.19353:
P 1:225(224) ack 266 win 7928 (DF) (ttl 114, id 61830)
10:54:14 172.20.1.1.19353 > 192.168.1.1.81:
R 4088366500:4088366500(0) win 0 (ttl 64, id 36847)
10:54:14 192.168.1.1.81 > 172.20.1.1.19353:
F 225:225(0) ack 266 win 1024 (DF) (ttl 114, id 62086)
10:54:14 172.20.1.1.19353 > 192.168.1.1.81:
R 4088366500:4088366500(0) win 0 (ttl 64, id 58127)

Notice that:

  1. As the TCP connections are initiated through the host TCP/IP stack, many parameters of the datagrams follow the host's characteristics rather than the tool's - just as for the connect() TCP scan.
  2. Connections are only attempted on those ports that were determined by the first part of the scan to be open - in this case, ports 80 and 81.
  3. The connections come fully open AND DATA IS SENT. (Notice that the numbers in brackets after the sequence numbers are nonzero and the relative sequence numbers increase during the connection). You generally see little or no data being sent by the scanned system in response, unless the connection is actually an RPC program.
SUMMARY
-------

NMAP stealth SYN TCP scans are fairly easy to identify in the wild.

NMAP TCP connect() and RPC scans are harder to identify in themselves, but there are a few big clues to watch out for:
  1. A full port scan (TCP connect(), SYN, etc) followed by a second scan only of the ports you have open.
  2. A port scan where the same data is sent to each open port.
If you see both of those at the same time, that is a really big clue that someone is using NMAP to find out about your RPC services.

For completeness, the following is a hex dump of NMAP's scanning of one of the TCP ports for RPC services. (This was a web server, so there were no RPC services present).

10:54:11.209054 172.20.1.1.29850 > 
192.168.1.1.80: P 1:45(44) ack 1 win 16384 (ttl 64, id 39834)
4500 0054 9b9a 0000 4006 20a9 ac14 0101
c0a8 0101 749a 0050 f3ad 7e28 b027 36eb
5018 4000 7053 0000 8000 0028 ee73 81af
0000 0000 0000 0002 0001 86ad 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:11.375337 192.168.1.1.80 >
172.20.1.1.29850: . ack 45 win 8148 (DF) (ttl 114, id 55430)
4500 0028 d886 4000 7206 71e8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7e54
5010 1fd4 03a0 0000 6d6e 6f70 7172
10:54:11.375377 172.20.1.1.29850 >
192.168.1.1.80: P 45:89(44) ack 1 win 16384 (ttl 64, id 35625)
4500 0054 8b29 0000 4006 311a ac14 0101
c0a8 0101 749a 0050 f3ad 7e54 b027 36eb
5018 4000 6ff5 0000 8000 0028 ee73 81b0
0000 0000 0000 0002 0001 86de 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:11.594473 192.168.1.1.80 >
172.20.1.1.29850: . ack 89 win 8104 (DF) (ttl 114, id 55686)
4500 0028 d986 4000 7206 70e8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7e80
5010 1fa8 03a0 0000 4745 5420 2f69
10:54:11.594512 172.20.1.1.29850 >
192.168.1.1.80: P 89:133(44) ack 1 win 16384 (ttl 64, id 56253)
4500 0054 dbbd 0000 4006 e085 ac14 0101
c0a8 0101 749a 0050 f3ad 7e80 b027 36eb
5018 4000 2ffc 0000 8000 0028 2e73 81af
0000 0000 0000 0002 0001 86ad 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:11.812729 192.168.1.1.80 >
172.20.1.1.29850: . ack 133 win 8060 (DF) (ttl 114, id 55942)
4500 0028 da86 4000 7206 6fe8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7eac
5010 1f7c 03a0 0000 6d6e 6f70 7172
10:54:11.812765 172.20.1.1.29850 >
192.168.1.1.80: P 133:177(44) ack 1 win 16384 (ttl 64, id 56726)
4500 0054 dd96 0000 4006 deac ac14 0101
c0a8 0101 749a 0050 f3ad 7eac b027 36eb
5018 4000 2f9e 0000 8000 0028 2e73 81b0
0000 0000 0000 0002 0001 86de 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:12.031366 192.168.1.1.80 >
172.20.1.1.29850: . ack 177 win 8016 (DF) (ttl 114, id 57990)
4500 0028 e286 4000 7206 67e8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7ed8
5010 1f50 03a0 0000 0204 05b4 2f69
10:54:12.106707 172.20.1.1.29850 >
192.168.1.1.80: P 177:221(44) ack 1 win 16384 (ttl 64, id 54946)
4500 0054 d6a2 0000 4006 e5a0 ac14 0101
c0a8 0101 749a 0050 f3ad 7ed8 b027 36eb
5018 4000 efa3 0000 8000 0028 6e73 81af
0000 0000 0000 0002 0001 86ad 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:12.359741 192.168.1.1.80 >
172.20.1.1.29850: . ack 221 win 7972 (DF) (ttl 114, id 58246)
4500 0028 e386 4000 7206 66e8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7f04
5010 1f24 03a0 0000 0204 05b4 664b
10:54:12.359776 172.20.1.1.29850 >
192.168.1.1.80: P 221:265(44) ack 1 win 16384 (ttl 64, id 36575)
4500 0054 8edf 0000 4006 2d64 ac14 0101
c0a8 0101 749a 0050 f3ad 7f04 b027 36eb
5018 4000 ef45 0000 8000 0028 6e73 81b0
0000 0000 0000 0002 0001 86de 0003 fc18
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:54:12.579418 192.168.1.1.80 >
172.20.1.1.29850: . ack 265 win 7928 (DF) (ttl 114, id 58758)
4500 0028 e586 4000 7206 64e8 c0a8 0101
ac14 0101 0050 749a b027 36eb f3ad 7f30
5010 1ef8 03a0 0000 6d6e 6f70 7172