CERT® Incident Note IN-98.04
The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Advanced Scanning
Tuesday, September 29, 1998
We have received reports of two scanning techniques being used by intruders to map networks and identify systems:
Stealth Scanning
The "stealth" scans appear to have a common goal: to gather information about target sites while avoiding detection by using techniques that might be overlooked by intrusion detection systems and system administrators. These techniques include
In an 'Inverse Mapping' scan, intruders send packets that normally would go unnoticed or cause no unusual behavior to a list of addresses. For hosts that do not exist, however, routers will return an ICMP host unreachable message. By determining what hosts do not exist, an intruder can infer what hosts do exist, and so gain information about the structure of your network.
Any packet type can be used to generate the ICMP host unreachable message, but we have received reports that intruders are actively using RESET packets, SYN-ACK packets, and DNS response packets for which no query was ever made.
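The inverse-mapping pattern above can be spotted from the defender's side by looking for one source sending RESET or SYN-ACK packets to many hosts that never sent it a SYN, and by counting how many ICMP host-unreachable replies those probes drew out of the site's routers. The following Python script is an added illustration, not code from the CERT note; the capture lines are constructed in a tcpdump-like summary format, and the host names and addresses are placeholders.

```python
"""Flag inverse-mapping probes (unsolicited SYN-ACK/RST) in tcpdump-style lines."""
import re
from collections import defaultdict

# Constructed sample capture (not from the original note).  Format mimics tcpdump
# summary output: "time src.port > dst.port: FLAGS seq:seq(len)".
SAMPLE = """\
10:01:02 scanner.example.net.1234 > 192.0.2.10.telnet: SA 1:1(0)
10:01:02 scanner.example.net.1234 > 192.0.2.11.telnet: SA 1:1(0)
10:01:03 scanner.example.net.1234 > 192.0.2.12.telnet: SA 1:1(0)
10:01:03 gw.example.net > scanner.example.net: icmp: host 192.0.2.11 unreachable
10:01:03 gw.example.net > scanner.example.net: icmp: host 192.0.2.12 unreachable
10:01:04 scanner.example.net.1234 > 192.0.2.13.telnet: R 0:0(0)
10:01:05 client.example.org.40000 > 192.0.2.10.www: S 5:5(0)
10:01:05 192.0.2.10.www > client.example.org.40000: SA 9:9(0)
"""

# Greedy "\S+" followed by "\." splits a host.port token at its last dot.
TCP_RE = re.compile(r"^\S+ (\S+)\.(\S+) > (\S+)\.(\S+): ([SRAFPU.]+) ")
ICMP_RE = re.compile(r"^\S+ \S+ > (\S+): icmp: host (\S+) unreachable")


def analyze(capture: str, min_targets: int = 3) -> dict:
    """Return {source: {"targets": n, "unreachable": n}} for every source that
    sent SYN-ACK or RST packets to at least min_targets hosts which had not
    previously sent it a SYN within the capture window."""
    seen_syn = set()                # (client, server) pairs with a genuine SYN
    unsolicited = defaultdict(set)  # source -> hosts it probed without a SYN
    unreachable = defaultdict(set)  # source -> hosts routers reported missing
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, _, dst, _, flags = m.groups()
            if flags == "S":
                seen_syn.add((src, dst))
            elif flags in ("SA", "R", "RA") and (dst, src) not in seen_syn:
                unsolicited[src].add(dst)
            continue
        m = ICMP_RE.match(line)
        if m:
            recipient, host = m.groups()
            unreachable[recipient].add(host)
    # "unreachable" counts the probed hosts whose absence was leaked to the source.
    return {
        src: {"targets": len(hosts), "unreachable": len(unreachable[src] & hosts)}
        for src, hosts in unsolicited.items() if len(hosts) >= min_targets
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The legitimate SYN-ACK from 192.0.2.10 back to the client is ignored because its SYN was seen first; a production version would keep that state across captures rather than within one file.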
Scanning to Identify System or Network Architecture
Intruders have also employed scanning techniques to identify the operating system used by a particular host, or to determine information about the structure of the target network. A tool recently released, called queso, relies on the variations in response to unexpected packets to determine the operating system of a particular host.
That is, queso sends unexpected packets to a host and examines the response. Because the packets are unexpected, there is no standard response, and so each operating system is free to respond in a unique way. By examining the responses to these unexpected packets, queso can determine the kinds of operating systems and TCP/IP stacks installed on your network. This information can be used by an intruder to optimize attacks on your network, or to identify sets of machines with particular vulnerabilities.
This is similar in effect to the scans described in
except that queso recognizes a variety of operating systems, whereas the scans described in Incident Note 98.01 recognized only IRIX.
The following excerpt from tcpdump shows a queso probe against a machine running Solaris 2.5.1. (Information in boldface type indicates the target system's first response packet.)
server.24728 > solaris1.local.10.in-addr.arpa.telnet: S 1119794168:1119794168(0)
The following excerpt, also from tcpdump, shows a queso probe against a machine running NT Workstation 4.0:
server.5856 > ntwork1.nt.local.netbios-ssn: S 1276897729:1276897729(0)
Note that the responses of the two operating systems differ as early as the first response packet (highlighted above). By comparing these differences to a dictionary of known response characteristics, queso is often able to determine the type of operating system employed by the target machine. Users can also extend queso to distinguish other kinds of operating systems, or other devices that will respond to TCP/IP packets.
We have received reports of incidents in which intruders have launched coordinated scans that may have been used to discover information about the structure of the target network. By launching similar scans from two or more distinct networks against a single target network, and then comparing the different responses, intruders may be able to infer information about the structure of the target network. By using two or more networks to launch a scan against a third network, an intruder can
Conclusion
Intruders are using a variety of techniques to gain information about networks and systems on those networks. Intruders can use this information to tailor their attacks to target networks or to find a set of machines that share a certain vulnerability.
Intruders have recently used a number of very large-scale scans of the Internet looking for certain vulnerabilities, such as those discussed in
The ability to determine the types of operating systems in use helps intruders to focus their attacks on certain types of machines, or to modify their attacks to suit the target.
Do not presume that the topology of your network, the operating systems in use, the products used to connect to the Internet, and other externally visible characteristics are a secret. When you evaluate the security of your network, remember that this information can be discovered by intruders who can use it to their advantage.
Acknowledgements
Our thanks to Stephen Northcutt of the Naval Surface Warfare Center for his assistance.
This document is available from: http://www.cert.org/incident_notes/IN-98.04.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1998 Carnegie Mellon University.