Packet Fingerprinting with Wireshark: How to Detect Nmap Scans

~ TCP SYN scan === nmap -sS
Explanation: Sends a bare SYN to each target port and never completes the handshake. An open port answers SYN/ACK (which Nmap tears down with a RST), a closed port answers RST/ACK.
~ TCP Christmas (Xmas) Scan === nmap -sX
Explanation: Sends a TCP packet with the FIN, PSH and URG flags set (flag byte 0x29), a combination no real TCP stack ever sends
~ TCP Null Scan === nmap -sN
Explanation: Sends a TCP packet with NO flags set (easy to detect)
~ TCP FIN Scan === nmap -sF
Explanation: Sends a TCP packet with only the FIN flag set; a real connection teardown always carries ACK together with its FIN
Run an Nmap Scan and Look at the Packets
1. Nmap SYN Scan (nmap -sS -v -n 192.168.1.1):
Alright, so here is what the scan looks like in Wireshark:
Let’s look at the coloring rules and see why each packet is colored the way it is. This is very easy.
Make sure the “Packet Details” pane is visible: click View -> Packet Details.
The red is simple. It’s just a RST (reset) or RST/ACK packet: the target’s answer for a closed port, and Nmap’s own tear-down of any port that answered SYN/ACK.
Now click on the packet you’d like to see and expand the “Frame” section. The “Coloring Rule Name” and “Coloring Rule String” fields show exactly which rule matched and why the packet is colored the way it is.
We can see that all of this grey is TCP SYN packets. Hopefully you know that SYN requests are very common throughout a network: every time a TCP connection is initiated (every time you visit a website), a SYN is sent. So what makes this SYN request different from a normal SYN request?
Nmap SYN scan probes have a TCP window size of one of:
– 1024
– 2048
– 3072
– 4096
while a normal SYN from a real OS stack usually advertises a much larger window (tens of thousands) that varies from host to host and from connection to connection. So this is our key! The exact values depend on the Nmap version (recent builds tend to use 1024 only), so capture a probe from your own Nmap before relying on the list. Note what is NOT different: the flags. An Nmap SYN probe is a plain SYN (flag byte 0x002) with no ACK and no FIN, exactly like a normal SYN. A second tell, if you expand the TCP options, is that the probe typically carries only an MSS option, whereas a real stack also adds SACK-permitted, timestamps and window scale.
So, let’s write a rule. Here are the display-filter operators you need:
&& = and. Ex: tcp && udp = shows only frames that carry BOTH a TCP and a UDP header (rare; think tunnelled traffic)
|| = or. Ex: tcp || udp = shows anything that is either TCP OR UDP
! = not. Ex: !tcp = shows everything that is NOT TCP
That’s pretty much it!
So we know it is TCP, so let’s start by making sure it’s TCP:
tcp
We also know it is a bare SYN: the SYN flag is on and the ACK flag is off (that excludes the SYN/ACK replies from open ports). So let’s write that as well:
tcp && tcp.flags.syn==1 && tcp.flags.ack==0
Now the window size. This may be a little confusing if you’re not a coder. Basically, we want to see if the window size is any of the aforementioned values. If any one of them matches (a packet has only one window size, so at most one will) we have a strong indication of a SYN scan. We group the alternatives with () and use || inside them. Let’s see:
tcp && tcp.flags.syn==1 && tcp.flags.ack==0 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)
Here I show a real SYN request (grey) and an Nmap SYN request (orange).
There we go! We have finished our first rule! Now we can detect a very basic TCP SYN scan. One caveat before you turn this into an alert: a single matching SYN is not proof, because a small embedded stack can legitimately advertise a 1024-byte window. What makes it a scan is one source sending such SYNs to many different ports (or many hosts) in a short time, so filter on the source address and look at the spread of destination ports as well.
2. Christmas Scan (nmap -sX -v -n 192.168.1.1):
Alright, let’s see the packets as we scan. Open any packet you find and look at the packet details 🙂
What do we notice?
- Flags = 0x29 in hex (Wireshark displays it as 0x029) in EVERY PACKET
- PSH, URG and FIN set in EVERY PACKET; that is exactly what 0x29 encodes (FIN=0x01, PSH=0x08, URG=0x20)
- It runs on TCP
Alright, let’s go ahead and write a simple rule based on what we’ve noticed:
It’s TCP only, right? Yes.
tcp
Now let’s make sure the flags byte is 0x29:
tcp && tcp.flags==0x29
Lastly, we can spell out the individual flags that are set:
tcp && tcp.flags==0x29 && tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1
And that’s our rule! That will detect an Xmas scan! The three bit tests are redundant (tcp.flags==0x29 already implies them) but they make the rule readable. No real TCP stack sends FIN+PSH+URG without ACK, so unlike the SYN rule this one has essentially no false positives.
3. TCP Null Scan (nmap -sN -v -n 192.168.1.1):
This is a very obvious one to detect…
What do you notice?
- TCP flags are 0. NONE are SET
- Window size is the same as all the others (1024, 2048, 3072, 4096)
Again, let’s write the rule.
tcp
tcp && tcp.flags==0x00 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)
A TCP segment with no flags at all is never produced by a normal stack, so tcp.flags==0x00 on its own is already a good detector; the window-size clause just ties it to Nmap specifically.
Now you can follow the last two tutorials to add your own color-coded scheme 🙂
4. TCP FIN Scan (nmap -sF -v -n 192.168.1.1):
This one I want you to do yourself!
First write down what you notice. Once you’re done, compare it with what I found:
I noticed:
- Flags = 0x001 (Wireshark’s display of 0x01)
- Only the FIN bit is set; a real connection teardown is FIN/ACK (0x011), never a bare FIN
- Runs on TCP
- Window size (1024, 2048, 3072, 4096)
Okay, once you’ve done that, try and write a simple rule!
Here is my final result:
tcp.flags==0x01 && tcp.flags.fin==1 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)
(tcp.flags==0x01 already says “only FIN”, so the tcp.flags.fin==1 test is redundant but harmless, and since tcp.flags implies tcp the leading tcp && is not needed either.)
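As an added example (my own code, not part of the original tutorial): the four display filters from sections 1 to 4 as Python that parses raw IPv4/TCP frames, classifies each one with the same flag and window-size tests, and then aggregates per source address so that a single odd packet is not reported but one host fanning out across several ports is. The frame builder, the sample traffic and the min_ports threshold are all constructed for this example; the window-size set is the list observed in the tutorial and is assumed to vary with the Nmap version.

```python
"""Nmap scan detection over raw IPv4/TCP frames, mirroring the four Wireshark filters."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as carried in the TCP header's flag byte (what Wireshark shows in tcp.flags).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Window sizes the tutorial observed on Nmap raw probes.
# Assumption: these are version dependent; recent Nmap builds tend to use 1024 only.
NMAP_WINDOW_SIZES = {1024, 2048, 3072, 4096}


@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int      # the 8 classic flag bits (CWR..FIN)
    window: int     # raw advertised window, unscaled (same as tcp.window_size on a SYN)


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpPacket]:
    """Parse an IPv4 packet carrying TCP (no link-layer header). Returns None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:                      # IP protocol 6 = TCP
        return None
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]                        # byte 13 of the TCP header is the flag byte
    window = struct.unpack("!H", tcp[14:16])[0]
    return TcpPacket(src, dst, sport, dport, flags, window)


def classify(pkt: TcpPacket) -> Optional[str]:
    """Apply the tutorial's four rules to one packet; None means 'looks like ordinary traffic'."""
    nmap_window = pkt.window in NMAP_WINDOW_SIZES
    if pkt.flags == FIN | PSH | URG:       # 0x29: never sent by a real stack
        return "xmas"
    if pkt.flags == 0 and nmap_window:     # no flags at all
        return "null"
    if pkt.flags == FIN and nmap_window:   # bare FIN (a real teardown is FIN/ACK)
        return "fin"
    if pkt.flags == SYN and nmap_window:   # bare SYN with an Nmap-sized window
        return "syn"
    return None


def detect_scans(frames, min_ports: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Aggregate hits per (source, scan type) and report sources that probed >= min_ports ports.

    This is the caveat from the SYN section: one matching SYN may be a small embedded
    stack, but one source spraying probes across many ports is a scan."""
    hits: Dict[Tuple[str, str], set] = {}
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is None:
            continue
        kind = classify(pkt)
        if kind is not None:
            hits.setdefault((pkt.src, kind), set()).add(pkt.dport)
    return {key: sorted(ports) for key, ports in hits.items() if len(ports) >= min_ports}


# --- Constructed sample traffic (not a real capture). Checksums are left at zero. ---
def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, window: int) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def build_udp_frame(src: str, dst: str) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + bytes(8)                   # empty UDP header, enough for the parser to reject it


TARGET = "192.168.1.1"
SAMPLE_FRAMES = [
    build_frame("192.168.1.50", TARGET, 51000, 443, SYN, 64240),        # real client SYN
    build_frame(TARGET, "192.168.1.50", 443, 51000, SYN | ACK, 65160),  # its SYN/ACK reply
    build_udp_frame("192.168.1.50", TARGET),                            # UDP, ignored
]
# nmap -sS style probes from one host to four ports
SAMPLE_FRAMES += [build_frame("192.168.1.77", TARGET, 40000 + i, p, SYN, 1024)
                  for i, p in enumerate((22, 80, 443, 445))]
# nmap -sX style probes
SAMPLE_FRAMES += [build_frame("192.168.1.77", TARGET, 41000 + i, p, FIN | PSH | URG, 1024)
                  for i, p in enumerate((21, 22, 23))]
# nmap -sN style probes, but only two ports: below the threshold, so not reported
SAMPLE_FRAMES += [build_frame("192.168.1.77", TARGET, 42000 + i, p, 0, 1024)
                  for i, p in enumerate((80, 443))]
# nmap -sF style probes from a second host
SAMPLE_FRAMES += [build_frame("192.168.1.88", TARGET, 43000 + i, p, FIN, 2048)
                  for i, p in enumerate((22, 25, 80))]

if __name__ == "__main__":
    for (src, kind), ports in sorted(detect_scans(SAMPLE_FRAMES).items()):
        print(f"{src}: {kind} scan of ports {ports}")
```

Running it reports the SYN and Xmas probes from 192.168.1.77 and the FIN probes from 192.168.1.88; the two Null probes stay below the three-port threshold, and the genuine SYN with its 64240-byte window is never classified at all. To use it on a real capture, feed it the IP payload of each frame (strip the Ethernet header first) and tune min_ports and the window set to what your own Nmap version actually sends.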