Let's study port scanning a little so we understand what its nature/function/method really is. There are 5 tools I used for the experiment, namely nmap/unicornscan/mz/sinfp/acunetix.

Apks(advanced portknocking) http://www.portknocking.org/view/implementations

We start with port scanning at the TCP layer; below is the TCP frame.

Introduction to Advanced Port Knocking (default conf apks.conf)
README
FIELDS
======

NOTE : When specified * can be used as a wildcard to match any value.

TYPE => E:ENTRY F:FOLLOW
     The TYPE field is designed to specify which rules are entry points to the scenarios.
     E : The rule is an entry point
     F : The rule is one of the steps in a scenario

ID   => INTEGER > 0
     This is the field used to identify the rule. It must be unique and not null.

TTL  => INTEGER | *
     A packet will match if its TTL is equal to the value.

SOURCE => IP ADDRESS | *
     A packet will match if its source IP address is equal to the value.

SPORT => INTEGER | *
    A packet will match if its source TCP port is equal to the value.

DPORT => INTEGER | *
    A packet will match if its destination TCP port is equal to the value.

SEQ => INTEGER | *
    A packet will match if its SYN sequence number is equal to the value.
   
SEQ_ACK => INTEGER | *
    A packet will match if its ACK sequence number is equal to the value.
   
URG ACK PSH RST SYN FIN => 0 | 1 | *
    A packet will match if the corresponding TCP flag is set (1) or not set (0).

WIN => INTEGER | *
    A packet will match if the TCP window size is equal to the value.

DATA => quoted STRING | *
    This field is only used to transfer data. No match is performed on it. Yes it is useless, but mandatory.

ACTION => NEXT(INTEGER | $ref) | CMD(STRING with $ref) | RST
    The action field tells the program what to do if the rule matches.
    - NEXT : The next rule to be matched in order to follow the scenario, identified by its ID.
         o It may be an integer corresponding to the ID of the rule.
         o It may be the reference of another field (ex: %WIN refers to the value of the TCP window size)  
    - CMD : The command to be launched.
         o It may be plain text
         o It may refer to another field (%DATA)
         o It may be a mix (ex: ifconfig eth%FIN > /tmp/listdir)
    - RST : The running scenario is reset.

KEY => STRING
    The key used to decrypt the DATA field.

RULES : EXAMPLES
================

E  1  *   *   1  5  *  *  *  *  *  *  1  *  *  *  CMD("/etc/init.d/sshd start") NULL
This rule is an Entry rule with ID 1. It means that if a packet with a source port of 1, a destination port of 5 and the SYN flag set to 1 is received, the program will launch SSH.

E  2  *   *   2  5  *  *  *  *  *  *  0  1  *  *  NEXT(3) NULL
F  3  *   *   *  9  *  *  *  *  *  1  *  0  *  *  CMD("/etc/init.d/sshd start") NULL
The first line (rule ID 2) is an entry rule. A packet with a source TCP port of 2, a destination port of 5, the SYN flag not set and the FIN flag set will load the rule with ID 3.
The second line (rule ID 3) is a rule that will be tested ONLY if it has been loaded by another rule (here with ID 2). Then if a packet with a destination port of 9, the RST flag set and the FIN flag not set is received the SSH server will be launched.

E  4  *  *  5  5  *  *  *  *  *  *  *  *  *  *  RST  NULL
If a packet with TCP source and destination ports of 5 is received the scenario engine is reset. As an example, if this packet is received after a packet matching the rule with ID 2 (see example above), the rule with ID 3 is unloaded. Then a packet matching rule 3 will not be interpreted.

E  5  *  *  6  5  *  *  *  *  *  *  0  1  *  *  NEXT(%SPORT)         NULL
F  6  *  *  3  5  *  *  *  *  *  *  1  1  *  *  NEXT(%SEQ)           NULL
F  7  *  *  1  5  *  *  *  *  *  *  1  *  *  *  CMD("ls -al 1>&2")   NULL
The Entry rule of this scenario is the rule with ID 5. If a packet matches, then the rule with the ID corresponding to the TCP source port will be loaded (here it can only be the rule with ID 6). Rule 6 is a follow rule. If a packet matches this rule, the next rule to be loaded will be the rule whose ID equals the SYN sequence number in the packet. Let's say we had this value set to 7. Then the rule with ID 7 will be loaded, allowing the current directory to be listed if a third packet matches the criteria of rule 7.
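To make the scenario mechanics above concrete, here is a small simulator of the rule engine the README describes, written for this page and not part of apks itself: it parses rules in the 16-field-plus-ACTION/KEY apks.conf layout, tests the loaded follow rule and the entry rules against each packet, resolves %FIELD references, and records (never runs) CMD strings. The matching order (loaded follow rule first, then entry rules) and the scenario ending after a CMD are my assumptions; the rules replayed are the README's IDs 4 to 7.

```python
"""apks rule/scenario engine simulator (added example, not apks' own code).
Assumptions the README leaves open: the loaded follow rule is tested before
the entry rules, and a CMD action ends the scenario.  Commands are recorded,
never executed."""
import re
# Column order of one apks.conf rule; ACTION and KEY follow these 16 fields.
FIELDS = ["TYPE", "ID", "TTL", "SOURCE", "SPORT", "DPORT", "SEQ", "SEQ_ACK",
          "URG", "ACK", "PSH", "RST", "SYN", "FIN", "WIN", "DATA"]
MATCH_FIELDS = FIELDS[2:15]   # TTL .. WIN; DATA is never matched on

# Rules 4 to 7 from the README examples: 4 resets, 5-7 form one scenario.
RULES_TEXT = """
E  4  *  *  5  5  *  *  *  *  *  *  *  *  *  *  RST  NULL
E  5  *  *  6  5  *  *  *  *  *  *  0  1  *  *  NEXT(%SPORT)         NULL
F  6  *  *  3  5  *  *  *  *  *  *  1  1  *  *  NEXT(%SEQ)           NULL
F  7  *  *  1  5  *  *  *  *  *  *  1  *  *  *  CMD("ls -al 1>&2")   NULL
"""

def parse_rule(line):
    """Split one rule line into its 16 match fields plus ACTION and KEY."""
    parts = line.split(None, 16)          # 16 fields, then the rest of the line
    rule = dict(zip(FIELDS, parts[:16]))
    rule["ACTION"], rule["KEY"] = parts[16].rsplit(None, 1)
    rule["ID"] = int(rule["ID"])
    return rule

def parse_rules(text):
    # {ID: rule} for every non-blank, non-comment line, in file order
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            rules[rule["ID"]] = rule
    return rules

def matches(rule, pkt):
    # a field matches when the rule holds '*' or exactly the packet's value
    return all(rule[f] == "*" or rule[f] == str(pkt[f]) for f in MATCH_FIELDS)

def resolve(ref, pkt):
    # expand %FIELD references (e.g. %SPORT, %SEQ) with the packet's values
    return re.sub(r"%([A-Z_]+)", lambda m: str(pkt.get(m.group(1), "")), ref)

class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.loaded = None      # ID of the follow rule waiting for its packet
        self.commands = []      # what a real apks would have executed

    def candidates(self):
        follow = [self.rules[self.loaded]] if self.loaded in self.rules else []
        return follow + [r for r in self.rules.values() if r["TYPE"] == "E"]

    def feed(self, pkt):
        # test one packet; return a description of the action taken, or None
        for rule in self.candidates():
            if matches(rule, pkt):
                return self.apply(rule, pkt)
        return None

    def apply(self, rule, pkt):
        action = rule["ACTION"]
        if action == "RST":                       # reset: unload the follow rule
            self.loaded = None
            return "RST"
        m = re.match(r"NEXT\((.+)\)$", action)
        if m:                                     # load next rule by ID or %ref
            target = resolve(m.group(1), pkt)
            self.loaded = int(target) if target.isdigit() else None
            return "NEXT " + target
        m = re.match(r'CMD\("(.*)"\)$', action)
        if m:                                     # record the expanded command
            self.commands.append(resolve(m.group(1), pkt))
            self.loaded = None
            return "CMD " + self.commands[-1]
        raise ValueError("unknown action %r" % action)

def packet(sport, dport, seq=0, seq_ack=0, ttl=64, win=5840,
           source="192.168.1.2", **flags):
    # packet dict keyed like the rule fields; flags not given default to 0
    pkt = {"TTL": ttl, "SOURCE": source, "SPORT": sport, "DPORT": dport,
           "SEQ": seq, "SEQ_ACK": seq_ack, "WIN": win}
    for flag in ("URG", "ACK", "PSH", "RST", "SYN", "FIN"):
        pkt[flag] = flags.get(flag, 0)
    return pkt

def run_readme_scenario():
    """Rule 5 -> NEXT(%SPORT)=6 -> NEXT(%SEQ)=7 -> CMD, as the README walks through."""
    eng = Engine(parse_rules(RULES_TEXT))
    steps = [eng.feed(packet(6, 5, FIN=1)),                # SPORT 6 loads rule 6
             eng.feed(packet(3, 5, seq=7, SYN=1, FIN=1)),  # SEQ 7 loads rule 7
             eng.feed(packet(1, 5, SYN=1))]                # rule 7 fires its CMD
    return steps, eng.commands

def run_reset_scenario():
    """Rule 4 (RST) after rule 5 unloads rule 6, so rule 6 is no longer tested."""
    eng = Engine(parse_rules(RULES_TEXT))
    eng.feed(packet(6, 5, FIN=1))
    eng.feed(packet(5, 5))
    return eng.feed(packet(3, 5, seq=7, SYN=1, FIN=1))
```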

 #TYPE ID TTL SOURCE SPORT DPORT SEQ SEQ_ACK URG ACK PSH RST SYN FIN WIN DATA ACTION KEY #COMMENTS
 #TYPE    => E:ENTRY F:FOLLOW X:INTERRUPT
 #ID      => INTEGER > 0;
 #TTL     => INTEGER | *
 #SOURCE  => IP | *
 #SPORT,DPORT   => INTEGER | *
 #SEQ     => INTEGER | *
 #SEQ_ACK => INTEGER | *
 #URG,ACK,PSH,RST,SYN,FIN     => 0 | 1 | *
 #WIN     => INTEGER | *
 #DATA    => STRING or * -- not used for filtering
 #ACTION  => NEXT(INTEGER | $ref), CMD(STRING | $ref), RST
 #KEY     => STRING or NULL


 #TYPE ID TTL SOURCE SPORT DPORT SEQ SEQ_ACK URG ACK PSH RST SYN FIN WIN DATA ACTION        KEY

 E     1  *   *      1     *     *   *       *   *   *   *   1   *   *   *    CMD(%DATA)
 E     2  *   *      3     5     *   *       *   *   *   *   0   1   *   *    NEXT(%SPORT)  NULL
 F     3  *   *      5     5     *   *       *   *   *   *   1   1   *   *    NEXT(%SEQ)    NULL
 F     4  *   *      1     5     5   *       *   *   *   *   *   *   *   *    CMD("halt")   NULL
 F     5  *   *      3     5     5   *       *   *   *   *   *   *   *   *    CMD("reboot") NULL
 E     6  *   *      5     5     5   5       *   *   *   *   *   *   *   *    RST           NULL

Say, when using apks for the first time, I would run the commands below:

#touch apks.conf1

#touch /var/log/apks.log

#vi apks.conf1

 E  1  *  *  *  *  *  *  *  *  *  *  *  *  *  *  CMD(NEXT) NULL

Shift+ZZ or :wq!

then run apks.pl -i eth0 -c apks.conf1 -v

#tail -f /var/log/apks.log

This setting is made for log analysis only.

Sample settings for apks.conf1

Sample 1
##
E 1 64 * * 80 * * * * * * 1 * 5840 * NEXT(2) NULL
F 2 64 * * 80 * * * 1 * * * * 46 * CMD("/sbin/route add -host %SIP reject&") NULL
####
####
E 3 64 * * 23 * * * * * * 1 * 5840 * NEXT(4) NULL
F 4 64 * * 23 * * * 1 * * * * 46 * CMD("/usr/local/sbin/iptables -I FORWARD -s %SIP -j DROP&") NULL
###

Sample 2

E 1 * * * 21 * * * * * * 1 * * * NEXT(2) NULL

#####
E 2 64 * * 21 * * * * * * 1 * * * CMD("/sbin/route add -host %SIP gw 333.444.555.666") NULL

####
E 3 255 * * 21 * * * * * * 1 * 10000 * CMD("/usr/local/sbin/arp-sk -i eth1 -w -S %SIP --rand-arp-hwa-src -d 192.168.1.255 -c 2 -T 2&") NULL

###
E 4 128 * * 21 * * * * * * 1 * 1500 * CMD("iptables -A INPUT -p tcp -s %SIP --sport %SPORT -d 192.168.1.200 --dport %DPORT -j REJECT --reject-with tcp-reset") NULL


1st pc (192.168.1.2) ---------------------------------> 2nd pc (192.168.1.25). Apks advanced port knocking is installed here; look at the log for the analysis. The open ports are 23 and 80.

When using -sT (connect scan)

Open port 80

#nmap -n -sT -P0 -p 80 192.168.1.25

The 3-way handshake for normal communication, as we know, is as follows

but for a port scanner it is different, namely a full connect scan

          

######################################

#nmap -n -sT -P0 -p 80 192.168.1.25 (from 1st pc)

#tail -f apks.log (from 2nd pc)

  192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1053748444 SEQ_ACK: 0 WINDOW: 5840 TTL: 64

  192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -1053748443 SEQ_ACK: -1272975707 WINDOW: 46 TTL: 64

  192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(1) SEQ: -1053748443 SEQ_ACK: -1272975707 WINDOW: 46 TTL: 64

  Open port 23

  #nmap -n -sT -P0 -p 23 192.168.1.25 (from 1st pc)

#tail -f apks.log (from 2nd pc)

  192.168.1.2:47255 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1310104775 SEQ_ACK: 0 WINDOW: 5840 TTL: 64

  192.168.1.2:47255 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1310104776 SEQ_ACK: -1181709419 WINDOW: 46 TTL: 64

  192.168.1.2:47255 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(1) SEQ: 1310104776 SEQ_ACK: -1181709419 WINDOW: 46 TTL: 64

      

  So we can set behaviour rules to detect this portscan, i.e. for the connect scan:

 Rule 1

 SYN(1) + SEQ_ACK:0

 ACK(1)

 RST(1) and ACK(1)

 In general, detection of this portscan is SYN + SEQ_ACK=0 + RST(1) and ACK(1)

 

 Rule 2 (halfscan)

 SYN(1) +  SEQ_ACK: 0

 RST(1) + WINDOW: 0 + SEQ_ACK: 0

#nmap -n -sS -P0 -p 80 192.168.1.25

port scanner using a SYN/half scan

  For the -sS case (SYN scan/half scan), open port 23

  #nmap -n -sS -P0 -p 23 192.168.1.25

  192.168.1.2:40745 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1844563087 SEQ_ACK: 0 WINDOW: 4096 TTL: 51

  192.168.1.2:40745 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1844563088 SEQ_ACK: 0 WINDOW: 0 TTL: 64

 

  Open port 80

  #nmap -n -sS -P0 -p 80 192.168.1.25

  192.168.1.2:45989 -> 192.168.1.25:80 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -2128536365 SEQ_ACK: 0 WINDOW: 2048 TTL: 41

  192.168.1.2:45989 -> 192.168.1.25:80 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -2128536364 SEQ_ACK: 0 WINDOW: 0 TTL: 64

 

  Database from pf.os, i.e. from p0f (its NMAP syn scan signatures use the window sizes 1024/2048/3072/4096, which is what the -sS SYN packets above carried: 4096 and 2048)

##############################################################################################################################################
pf.os
####################
# Fancy signatures #
####################

1024:64:0:40:.:                                                        *NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.:                                                        *NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.:                                                        *NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.:                                                        *NMAP:syn scan:4:NMAP syn scan (4)

# Requires quirks support
# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)

1024:64:0:60:W10,N,M265,T:                  *NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T:                  *NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T:                  *NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T:                  *NMAP:OS:4:NMAP OS detection probe (4)
#############################################################################################################################################

  Look at the behaviour when using portscan -O

  For -O the SYN probes arrive with a different window size each time:

  SYN(1) + WINDOW: 4096
  SYN(1) + WINDOW: 2048
  SYN(1) + WINDOW: 3072
  SYN(1) + WINDOW: 1024
  SYN(1) + WINDOW: 1
  SYN(1) + WINDOW: 3
  SYN(1) + WINDOW: 4
  SYN(1) + WINDOW: 16
  SYN(1) + WINDOW: 63
  SYN(1) + WINDOW: 512

a. It always sends SYN packets, and the window size is not constant.

b. There are packets with 4 TCP flags set, PSH(1) SYN(1) FIN(1) URG(1), all from the same src port, with TTL 37 to 58:

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1406884314 SEQ_ACK: 588739880 WINDOW: 256 TTL: 54

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1406884314 SEQ_ACK: 588739880 WINDOW: 256 TTL: 51

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1406884314 SEQ_ACK: 588739880 WINDOW: 256 TTL: 40

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1406884314 SEQ_ACK: 588739880 WINDOW: 256 TTL: 37

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 681105248 SEQ_ACK: 822928373 WINDOW: 256 TTL: 53

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 681105248 SEQ_ACK: 822928373 WINDOW: 256 TTL: 51

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 681105248 SEQ_ACK: 822928373 WINDOW: 256 TTL: 41

  192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 681105248 SEQ_ACK: 822928373 WINDOW: 256 TTL: 41

  192.168.1.2:41301 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1452775829 SEQ_ACK: 0 WINDOW: 2048 TTL: 57

  192.168.1.2:41301 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1452775829 SEQ_ACK: 0 WINDOW: 3072 TTL: 58
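The detection rules above (Rule 1 for the connect scan, Rule 2 for the half-open scan, and observation b. for the -O probes) as Python over apks log lines, written for this page rather than taken from it or from apks; the sample input is six lines copied from the logs shown above, and the flow grouping and label strings are my own choice:

```python
"""Classify apks log lines into the scan patterns described on this page
(added example, not apks' own code).  Rule 1 = connect scan, Rule 2 =
half-open scan, observation b. = the PSH+SYN+FIN+URG probe sent by nmap -O.
Packets are grouped per flow (src:sport -> dst:dport); labels are my own."""
import re

LOG_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"PSH\((?P<PSH>[01])\) SYN\((?P<SYN>[01])\) FIN\((?P<FIN>[01])\) "
    r"RST\((?P<RST>[01])\) URG\((?P<URG>[01])\) ACK\((?P<ACK>[01])\) "
    r"SEQ: (?P<seq>-?\d+) SEQ_ACK: (?P<seq_ack>-?\d+) "
    r"WINDOW: (?P<win>\d+) TTL: (?P<ttl>\d+)")

# Sample input: six lines copied from the apks logs shown on this page
# (connect scan of port 80, SYN scan of port 23, one -O probe).
SAMPLE_LOG = """\
192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1053748444 SEQ_ACK: 0 WINDOW: 5840 TTL: 64
192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -1053748443 SEQ_ACK: -1272975707 WINDOW: 46 TTL: 64
192.168.1.2:60490 -> 192.168.1.25:80 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(1) SEQ: -1053748443 SEQ_ACK: -1272975707 WINDOW: 46 TTL: 64
192.168.1.2:40745 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1844563087 SEQ_ACK: 0 WINDOW: 4096 TTL: 51
192.168.1.2:40745 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1844563088 SEQ_ACK: 0 WINDOW: 0 TTL: 64
192.168.1.2:41561 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1406884314 SEQ_ACK: 588739880 WINDOW: 256 TTL: 54
"""

def parse_line(line):
    """Return the line's fields as a dict (ints except src/dst), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: v if k in ("src", "dst") else int(v)
            for k, v in m.groupdict().items()}

def group_flows(records):
    """Group packets by (src, sport, dst, dport), keeping log order."""
    flows = {}
    for r in records:
        flows.setdefault((r["src"], r["sport"], r["dst"], r["dport"]), []).append(r)
    return flows

def is_bare_syn(p):
    """Opening packet of Rule 1 and Rule 2: SYN alone, with SEQ_ACK 0."""
    return (p["SYN"] == 1 and p["seq_ack"] == 0
            and not (p["ACK"] or p["RST"] or p["FIN"] or p["PSH"] or p["URG"]))

def classify_flow(pkts):
    # observation b. for -O: PSH, SYN, FIN and URG set in the same packet
    if any(p["PSH"] and p["SYN"] and p["FIN"] and p["URG"] for p in pkts):
        return "os-detection probe (PSH+SYN+FIN+URG)"
    if not is_bare_syn(pkts[0]):
        return "other"
    rest = pkts[1:]
    # Rule 2 (half-open, -sS): instead of completing the handshake the scanner
    # sends a bare RST with WINDOW 0 and SEQ_ACK 0
    if (rest and rest[0]["RST"] == 1 and rest[0]["ACK"] == 0
            and rest[0]["win"] == 0 and rest[0]["seq_ack"] == 0):
        return "half-open scan (-sS)"
    # Rule 1 (connect, -sT): ACK completes the handshake, then RST+ACK tears it down
    if (len(rest) >= 2 and rest[0]["ACK"] == 1 and rest[0]["SYN"] == 0
            and rest[0]["RST"] == 0 and rest[1]["RST"] == 1 and rest[1]["ACK"] == 1):
        return "connect scan (-sT)"
    return "syn only (incomplete)"

def classify_log(text):
    """Map every flow found in the log text to one of the labels above."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {flow: classify_flow(pkts) for flow, pkts in group_flows(records).items()}

if __name__ == "__main__":
    for (src, sport, dst, dport), label in classify_log(SAMPLE_LOG).items():
        print("%s:%d -> %s:%d  %s" % (src, sport, dst, dport, label))
```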

  nmap -n -sS -P0 -O 192.168.1.25


 ##############################

  Notice the same behaviour as with -sS, i.e. for nmap -n -sT -P0 -O 192.168.1.25

  192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 256 TTL: 50  

   192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 256 TTL: 55

   192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 256 TTL: 44

   192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 256 TTL: 49

   192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 53

   192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 37

    192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 2048 TTL: 45

    192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 1024 TTL: 52

 

#nmap -n -sT -P0 -O 192.168.1.25

 


  192.168.1.2:47248 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589854 SEQ_ACK: -102215723 WINDOW: 4 TTL: 50

  192.168.1.2:47249 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589853 SEQ_ACK: -102215723 WINDOW: 16 TTL: 50

  192.168.1.2:47249 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -1088589852 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47250 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589852 SEQ_ACK: -102215723 WINDOW: 512 TTL: 45

  192.168.1.2:47253 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 45

  192.168.1.2:47254 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 38

  192.168.1.2:47256 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 512 TTL: 49

   192.168.1.2:47257 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: 0 WINDOW: 3 TTL: 53

  192.168.1.2:47259 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 128 TTL: 46

  192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 53

  192.168.1.2:47261 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 1024 TTL: 38

  192.168.1.2:47253 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 56

  192.168.1.2:47254 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 49

  192.168.1.2:47256 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 512 TTL: 58

  192.168.1.2:47257 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: 0 WINDOW: 3 TTL: 43

  192.168.1.2:47259 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 128 TTL: 59

  192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 37

  192.168.1.2:47253 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 44

  192.168.1.2:47254 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 44

  192.168.1.2:47254 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -1088589856 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47256 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 512 TTL: 40

  192.168.1.2:47257 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: 0 WINDOW: 3 TTL: 38

  192.168.1.2:47259 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 128 TTL: 46

  192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 43

  192.168.1.2:47253 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 4 TTL: 55

  192.168.1.2:47256 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 512 TTL: 52

  192.168.1.2:47256 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -1088589856 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47257 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: 0 WINDOW: 3 TTL: 46

  192.168.1.2:47259 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 128 TTL: 38

  192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1088589857 SEQ_ACK: -102215723 WINDOW: 256 TTL: 48

  192.168.1.2:47195 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 1024 TTL: 44

  192.168.1.2:47196 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 4096 TTL: 51

  192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 1024 TTL: 44

  192.168.1.2:47198 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 2048 TTL: 45

  192.168.1.2:47195 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 4096 TTL: 43

  192.168.1.2:47196 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 2048 TTL: 37

  192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 2048 TTL: 53

  192.168.1.2:47195 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1348582490 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47196 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 2048 TTL: 41

  192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1348582489 SEQ_ACK: 0 WINDOW: 2048 TTL: 37

  192.168.1.2:47189 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582490 SEQ_ACK: 0 WINDOW: 2048 TTL: 41

  192.168.1.2:47189 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1348582491 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47190 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582491 SEQ_ACK: 0 WINDOW: 2048 TTL: 45

  192.168.1.2:47191 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582492 SEQ_ACK: 0 WINDOW: 2048 TTL: 37

  192.168.1.2:47192 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582493 SEQ_ACK: 0 WINDOW: 4096 TTL: 59

  192.168.1.2:47193 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582494 SEQ_ACK: 0 WINDOW: 3072 TTL: 42

  192.168.1.2:47194 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1348582495 SEQ_ACK: 0 WINDOW: 2048 TTL: 41

  192.168.1.2:47194 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1348582496 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47195 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 3072 TTL: 50

  192.168.1.2:47196 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 2048 TTL: 37

  192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 2048 TTL: 45

  192.168.1.2:47198 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 3072 TTL: 38

  192.168.1.2:47195 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1565637660 SEQ_ACK: 0 WINDOW: 0 TTL: 64

  192.168.1.2:47196 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 4096 TTL: 47

  192.168.1.2:47197 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: 1565637659 SEQ_ACK: 0 WINDOW: 1024 TTL: 52

  192.168.1.2:47189 -> 192.168.1.25:23 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1565637660 SEQ_ACK: 0 WINDOW: 2048 TTL: 45

  192.168.1.2:47189 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1565637661 SEQ_ACK: 0 WINDOW: 0 TTL: 64

Based on this log analysis, can you write a rule in apks to detect and block nmap -O outright? It's simple enough.

Other scanners show similar behaviour, as below.

 

### testing spoofing detection (half scan): unicornscan -mT -r100 172.168.1.58:3128 -v -v

172.168.1.6:9087 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -545931887 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--

172.168.1.6:9087 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -545931886 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

#############################

#### unicornscan -msf -r10 172.168.1.58,22,3128,8080 -v -v (connect scan)

172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -348410152 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--

172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -348410151 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

Note the small difference compared with nmap: there is no combined RST and ACK.

######

172.168.1.6:10371 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -417998750 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--

172.168.1.6:10371 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -417998749 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

######

172.168.1.6:28331 -> 172.168.1.58:8080 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -188899766 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--

172.168.1.6:28331 -> 172.168.1.58:8080 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -188899765 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

 

#### Mausezahn SYN (http://www.perihel.at/sec/mz/)

A default SYN sent with mz has several behaviours of its own:

# mz eth0 -B 172.168.1.58 -c 1 -t tcp "dp=3128, flags=syn" -P "Testing bah..ok bah kalau kau"
172.168.1.6:0 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 42 SEQ_ACK: 42 WINDOW: 10000 TTL: 255  --> MATCHED RULE 1 <--

SYN(1) + SEQ: 42 + SEQ_ACK: 42 + WINDOW:10000 + TTL: 255

172.168.1.6:0 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 43 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

Hmm, looked at closely this differs from nmap and unicornscan: SEQ: 42 and SEQ_ACK: 42 carry the same value!!

#####Sinfp.pl (http://www.gomor.org/bin/view/Sinfp)

Note the behaviour that differs from nmap/unicornscan/mz:

- SYN(1) followed by RST(1) is sent twice, but the final packet is SYN(1) + ACK(1)

##sinfp -i 192.168.1.170 -p 22
192.168.1.20:55838 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1926113345 SEQ_ACK: 116489103 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:55838 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1926113346 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:55839 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1926113346 SEQ_ACK: 116489104 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:55839 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1926113347 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:55840 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1926113347 SEQ_ACK: 116489105 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--

#sinfp -i 192.168.1.170 -p 10000

192.168.1.20:14079 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1522378774 SEQ_ACK: -2095036609 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:14079 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1522378775 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:14080 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1522378775 SEQ_ACK: -2095036608 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:14080 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1522378776 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:14081 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1522378776 SEQ_ACK: -2095036607 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--

- Hmm, it seems SYN(1) is sent 3 times, with the source port and SEQ number each increasing by +1

#sinfp -d eth0 -i 192.168.1.170 -p 21 -3 -v (port 21 closed)
192.168.1.20:1369 -> 192.168.1.170:21 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1760859936 SEQ_ACK: -193000831 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:1370 -> 192.168.1.170:21 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1760859937 SEQ_ACK: -193000830 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:1371 -> 192.168.1.170:21 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(1) SEQ: 1760859938 SEQ_ACK: -193000829 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--

#sinfp -d eth0 -i 192.168.1.170 -p 13 -3 -v (port 13 closed)

192.168.1.20:1034 -> 192.168.1.170:13 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1160376935 SEQ_ACK: -2021969402 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:1035 -> 192.168.1.170:13 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1160376934 SEQ_ACK: -2021969401 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:1036 -> 192.168.1.170:13 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(1) SEQ: -1160376933 SEQ_ACK: -2021969400 WINDOW: 5840 TTL: 255  --> MATCHED RULE 1 <--

Acunetix Port Scanner

192.168.1.100:2131 -> 192.168.1.30:80 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -435906455 SEQ_ACK: 0 WINDOW: 65535 TTL: 128  --> MATCHED RULE 1 <--

192.168.1.100:2131 -> 192.168.1.30:80 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -435906454 SEQ_ACK: 2145461713 WINDOW: 65535 TTL: 128  --> MATCHED RULE 1 <--

192.168.1.100:2131 -> 192.168.1.30:80 PSH(1) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -435906454 SEQ_ACK: 2145461713 WINDOW: 65535 TTL: 128  --> MATCHED RULE 1 <--

192.168.1.100:2131 -> 192.168.1.30:80 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(1) SEQ: -435906026 SEQ_ACK: 2145461854 WINDOW: 65395 TTL: 128  --> MATCHED RULE 1 <--

192.168.1.100:2131 -> 192.168.1.30:80 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(1) SEQ: -435906026 SEQ_ACK: 2145461854 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--


It still uses RST(1) together with ACK(1) to close the connection.

Technique for identifying a spoofed port scanner:

Without spoofing, with unicornscan

#### unicornscan -msf -r10 172.168.1.58,22,3128,8080 -v -v (connect scan)
172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -348410152 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -348410151 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
######
172.168.1.6:10371 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -417998750 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.6:10371 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -417998749 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
######
172.168.1.6:28331 -> 172.168.1.58:8080 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -188899766 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.6:28331 -> 172.168.1.58:8080 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -188899765 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

With spoofing

####unicornscan -msf -r10 172.168.1.58,22,3128,8080 -v -v -s 172.168.1.90
#####-
172.168.1.90:7480 -> 172.168.1.58:8080 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1521160537 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.90:7480 -> 172.168.1.58:8080 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1521160538 SEQ_ACK: 1521160538 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--
#############
172.168.1.90:18639 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1224950958 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.90:18639 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1224950959 SEQ_ACK: 1224950959 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--
############
172.168.1.90:17041 -> 172.168.1.58:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1160597232 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
172.168.1.90:17041 -> 172.168.1.58:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1160597233 SEQ_ACK: 1160597233 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--
###

Compare the traces without and with spoofing; the conclusion is that there are several clear differences:

Without spoofing: SYN(1) + SEQ_ACK: 0 WINDOW: 0 TTL: 64, versus with spoofing: RST(1) + SEQ_ACK: 1521160538 WINDOW: 0 TTL: 128

So we can set a rule in apks on the change SYN(1) + TTL:64 and RST(1) + TTL:128

or SIP + SYN(1) + TTL:64 and RST(1) + TTL:128


Without spoofing, with Mausezahn

#mz eth0 -B 172.168.1.58 -c 1 -t tcp "dp=3128, flags=syn" -P "power syn beb"

172.168.1.6:0 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 42 SEQ_ACK: 42 WINDOW: 10000 TTL: 255  --> MATCHED RULE 1 <--
172.168.1.6:0 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 43 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

With spoofing, with Mausezahn

#mz eth0 -A 172.168.1.90 -B 172.168.1.58 -c 1 -t tcp "dp=3128, flags=syn" -P "power syn beb"

172.168.1.90:0 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 42 SEQ_ACK: 42 WINDOW: 10000 TTL: 255  --> MATCHED RULE 1 <--
172.168.1.90:0 -> 172.168.1.58:3128 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 43 SEQ_ACK: 43 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--

Rule for apks: SYN(1) + TTL:255 and RST(1) + TTL:128

The advantage of unicornscan is the -W option: OS fingerprinting
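As an added example (not part of this post and not apks code), the checks discussed above turned into a small log analyser: it parses the trace format printed throughout this post and flags the per-packet signatures (null flags and SYN+FIN from the nmap -O trace, the mz SEQ == SEQ_ACK quirk) plus the spoof indicator from SYN/RST pairs (TTL mismatch and a RST whose SEQ_ACK mirrors its SEQ). The sample lines are copied from the traces in this post; the function names are my own.

```python
import re

# Regex for one trace line in the format printed throughout this post; the
# trailing "--> MATCHED RULE n <--" marker is optional and ignored.
LINE_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"PSH\((?P<PSH>[01])\) SYN\((?P<SYN>[01])\) FIN\((?P<FIN>[01])\) "
    r"RST\((?P<RST>[01])\) URG\((?P<URG>[01])\) ACK\((?P<ACK>[01])\) "
    r"SEQ: (?P<seq>-?\d+) SEQ_ACK: (?P<seq_ack>-?\d+) "
    r"WINDOW: (?P<win>\d+) TTL: (?P<ttl>\d+)"
)
FLAG_NAMES = ("PSH", "SYN", "FIN", "RST", "URG", "ACK")


def parse_line(line):
    """Return a dict for one trace line, or None if the line is not a packet."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "seq": int(d["seq"]), "seq_ack": int(d["seq_ack"]),
        "win": int(d["win"]), "ttl": int(d["ttl"]),
        "flags": frozenset(f for f in FLAG_NAMES if d[f] == "1"),
    }


def packet_signatures(pkt):
    """Single-packet indicators taken from the traces in this post."""
    f = pkt["flags"]
    hits = []
    if not f:
        hits.append("null probe: no TCP flags set")
    if {"SYN", "FIN"} <= f:
        hits.append("SYN+FIN set together: never valid, nmap -O style probe")
    if f == {"SYN"} and pkt["sport"] == 0 and pkt["seq"] == pkt["seq_ack"]:
        hits.append("mz default SYN: sport 0 and SEQ == SEQ_ACK")
    return hits


def flow_signatures(packets):
    """Pair each bare SYN with the later RST on the same 4-tuple.

    The RST is emitted by whichever host really owns the source address, so a
    TTL that differs from the SYN, or a RST whose SEQ_ACK mirrors its SEQ,
    means the SYN was not produced by that host's own TCP stack: either a
    spoofed source (the -s / -A traces) or a raw-socket scanner.
    """
    pending = {}
    hits = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"SYN"}:
            pending[key] = p
        elif "RST" in p["flags"] and key in pending:
            syn = pending.pop(key)
            reasons = []
            if syn["ttl"] != p["ttl"]:
                reasons.append("ttl %d on SYN vs %d on RST" % (syn["ttl"], p["ttl"]))
            if p["seq_ack"] != 0 and p["seq_ack"] == p["seq"]:
                reasons.append("RST SEQ_ACK equals its SEQ")
            if reasons:
                hits.append({"flow": key, "reasons": reasons})
    return hits


def analyze(lines):
    """Run both detectors over raw trace lines and return a small report."""
    packets = [p for p in map(parse_line, lines) if p is not None]
    per_packet = [(p["src"], p["sport"], s)
                  for p in packets for s in packet_signatures(p)]
    return {"packets": len(packets), "packet_hits": per_packet,
            "flow_hits": flow_signatures(packets)}


# Sample lines copied from the traces in this post.
UNSPOOFED = [
    "172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -348410152 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--",
    "172.168.1.6:24121 -> 172.168.1.58:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -348410151 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--",
]
SPOOFED = [
    "172.168.1.90:7480 -> 172.168.1.58:8080 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1521160537 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--",
    "172.168.1.90:7480 -> 172.168.1.58:8080 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1521160538 SEQ_ACK: 1521160538 WINDOW: 0 TTL: 128  --> MATCHED RULE 1 <--",
]
NMAP_O = [
    "192.168.1.2:47259 -> 192.168.1.25:23 PSH(0) SYN(0) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 128 TTL: 56",
    "192.168.1.2:47260 -> 192.168.1.25:23 PSH(1) SYN(1) FIN(1) RST(0) URG(1) ACK(0) SEQ: -1446374175 SEQ_ACK: 1005817350 WINDOW: 256 TTL: 50",
]
MZ = [
    "172.168.1.6:0 -> 172.168.1.58:3128 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 42 SEQ_ACK: 42 WINDOW: 10000 TTL: 255  --> MATCHED RULE 1 <--",
]

if __name__ == "__main__":
    for name, lines in (("unspoofed", UNSPOOFED), ("spoofed", SPOOFED),
                        ("nmap -O", NMAP_O), ("mz", MZ)):
        print(name, analyze(lines))
```

A raw-socket scanner that crafts its own SYN (unicornscan -W, nmap -O) also trips the TTL check without spoofing, so treat a flow hit as "SYN not from the responding stack" and combine it with the SIP rule in the text before blocking.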

#unicornscan -i eth0 -r10 -mT 192.168.1.170:10000 -Iv -W0  (cisco)
192.168.1.20:6524 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -1520202282 SEQ_ACK: 0 WINDOW: 4128 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:6524 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -1520202281 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:24:02 2010> 192.168.1.20:6524 - UNKNOWN [4128:255:0:44:M1460:.:?:?]
  -> 192.168.1.170:10000 (link: ethernet/modem)
  [00] 45 00 00 2c 4b 01 00 00 ff 06 ec bb c0 a8 01 14  | E..,K...........
  [10] c0 a8 01 aa 19 7c 27 10 a5 63 8d d6 00 00 00 00  | .....|'..c......
  [20] 60 02 10 20 90 31 00 00 02 04 05 b4              | `.. .1......

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W1 (OpenBsd)

192.168.1.20:23079 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -171650882 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:23079 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -171650881 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:18770 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -758987829 SEQ_ACK: 0 WINDOW: 16384 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:18770 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -758987828 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

  <Sun Jun  6 03:27:51 2010> 192.168.1.20:23079 - OpenBSD 3.0-3.9 (up: 5721 hrs)
  Signature: [16384:64:1:64:M1436,N,N,S,N,W0,N,N,T:.]
  -> 192.168.1.170:22 (distance 0, link: IPSec/GRE)
  [00] 45 00 00 40 c7 d5 40 00 40 06 ee d3 c0 a8 01 14  | E..@..@.@.......
  [10] c0 a8 01 aa 5a 27 00 16 f5 c4 d0 be 00 00 00 00  | ....Z'..........
  [20] b0 02 40 00 80 ce 00 00 02 04 05 9c 01 01 04 02  | ..@.............
  [30] 01 03 03 00 01 01 08 0a 7a c6 55 b4 00 00 00 00  | ........z.U.....

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W2  (window XP)

192.168.1.20:25178 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 472878678 SEQ_ACK: 0 WINDOW: 32767 TTL: 128  --> MATCHED RULE 1 <--
192.168.1.20:25178 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 472878679 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:28488 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 992576324 SEQ_ACK: 0 WINDOW: 32767 TTL: 128  --> MATCHED RULE 1 <--
192.168.1.20:28488 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 992576325 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

 <Sun Jun  6 03:29:34 2010> 192.168.1.20:25178 - Windows XP SP1+, 2000 SP4 (3)
  Signature: [32767:128:1:48:M1460,N,N,S:.]
  -> 192.168.1.170:10000 (distance 0, link: ethernet/modem)
  [00] 45 00 00 30 18 ce 40 00 80 06 5d eb c0 a8 01 14  | E..0..@...].....
  [10] c0 a8 01 aa 62 5a 27 10 1c 2f 8e 56 00 00 00 00  | ....bZ'../.V....
  [20] 70 02 7f ff 4b 21 00 00 02 04 05 b4 01 01 04 02  | p...K!..........

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W3   (Unknown)

192.168.1.20:59484 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354338123 SEQ_ACK: 0 WINDOW: 12345 TTL: 255  --> MATCHED RULE 1 <--
192.168.1.20:59484 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354338122 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:11040 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354289207 SEQ_ACK: 0 WINDOW: 12345 TTL: --> MATCHED RULE 1 <--
192.168.1.20:11040 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354289206 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:32613 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354308724 SEQ_ACK: 0 WINDOW: 12345 TTL: 1  --> MATCHED RULE 1 <--
192.168.1.20:32613 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354308723 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:47069 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354327244 SEQ_ACK: 0 WINDOW: 12345 TTL: 2  --> MATCHED RULE 1 <--
192.168.1.20:47069 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354327243 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:54061 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354352700 SEQ_ACK: 0 WINDOW: 12345 TTL: 3  --> MATCHED RULE 1 <--
192.168.1.20:54061 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354352699 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:15221 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354293348 SEQ_ACK: 0 WINDOW: 12345 TTL: 4  --> MATCHED RULE 1 <--
192.168.1.20:15221 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354293347 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:6652 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354301163 SEQ_ACK: 0 WINDOW: 12345 TTL: 5  --> MATCHED RULE 1 <--
192.168.1.20:6652 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354301162 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:42387 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354322566 SEQ_ACK: 0 WINDOW: 12345 TTL: 6  --> MATCHED RULE 1 <--
192.168.1.20:42387 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354322565 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:40322 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354332821 SEQ_ACK: 0 WINDOW: 12345 TTL: 7  --> MATCHED RULE 1 <--
192.168.1.20:40322 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354332820 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:20720 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354319847 SEQ_ACK: 0 WINDOW: 12345 TTL: 8  --> MATCHED RULE 1 <--
192.168.1.20:20720 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354319846 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:6036 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354302595 SEQ_ACK: 0 WINDOW: 12345 TTL: 9  --> MATCHED RULE 1 <--
192.168.1.20:6036 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354302594 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:39209 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354333760 SEQ_ACK: 0 WINDOW: 12345 TTL: 10  --> MATCHED RULE 1 <--
192.168.1.20:39209 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354333759 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:65375 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354341450 SEQ_ACK: 0 WINDOW: 12345 TTL: 11  --> MATCHED RULE 1 <--
192.168.1.20:65375 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354341449 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:49783 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354348898 SEQ_ACK: 0 WINDOW: 12345 TTL: 12  --> MATCHED RULE 1 <--
192.168.1.20:49783 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354348897 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:36965 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354336116 SEQ_ACK: 0 WINDOW: 12345 TTL: 13  --> MATCHED RULE 1 <--
192.168.1.20:36965 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354336115 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:25071 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354307322 SEQ_ACK: 0 WINDOW: 12345 TTL: 14  --> MATCHED RULE 1 <--
192.168.1.20:25071 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: -354307321 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:7239 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: -354300242 SEQ_ACK: 0 WINDOW: 12345 TTL: 15  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:30:58 2010> 192.168.1.20:59484 - UNKNOWN [*(12345):255:0:40:.:.:?:?]
  -> 192.168.1.170:22 (link: unspecified)
  [00] 45 00 00 28 d0 8a 00 00 ff 06 67 36 c0 a8 01 14  | E..(......g6....
  [10] c0 a8 01 aa e8 5c 00 16 ea e1 3a b5 00 00 00 00  | .....\....:.....
  [20] 50 02 30 39 ed 90 00 00                          | P.09....

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W4   (FreeBSD)

192.168.1.20:13764 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1431117817 SEQ_ACK: 0 WINDOW: 65535 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:13764 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1431117818 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:18186 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1917545783 SEQ_ACK: 0 WINDOW: 65535 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:18186 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1917545784 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:34:17 2010> 192.168.1.20:13764 - FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4) (2) [high throughput] (up: 4942 hrs)
  Signature: [65535:64:1:60:M1460,N,W1,N,N,T:.]
  -> 192.168.1.170:10000 (distance 0, link: ethernet/modem)
  [00] 45 10 00 3c e4 48 40 00 40 06 d2 54 c0 a8 01 14  | E..<.H@.@..T....
  [10] c0 a8 01 aa 35 c4 27 10 55 4d 1f f9 00 00 00 00  | ....5.'.UM......
  [20] a0 02 ff ff c0 95 00 00 02 04 05 b4 01 03 03 01  | ................
  [30] 01 01 08 0a 6a 0b ca 3c 00 00 00 00              | ....j..<....

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W5   (Nmap)

192.168.1.20:13407 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1084788505 SEQ_ACK: 0 WINDOW: 3072 TTL: 61  --> MATCHED RULE 1 <--
192.168.1.20:13407 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1084788506 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:46577 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1739460279 SEQ_ACK: 0 WINDOW: 3072 TTL: 61  --> MATCHED RULE 1 <--
192.168.1.20:46577 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1739460280 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:35:23 2010> 192.168.1.20:13407 - NMAP OS detection probe (3) *
  Signature: [3072:61:0:60:W10,N,M265,T,E:P]
  [00] 45 00 00 3c 72 b2 00 00 3d 06 86 fb c0 a8 01 14  | E..<r...=.......
  [10] c0 a8 01 aa 34 5f 00 16 40 a8 8f 19 00 00 00 00  | ....4_..@.......
  [20] a0 02 0c 00 80 88 00 00 03 03 0a 01 02 04 01 09  | ................
  [30] 08 0a ad e3 85 01 00 00 00 00 00 00              | ............

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W6   (Linux)

192.168.1.20:6308 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1989159346 SEQ_ACK: 0 WINDOW: 5744 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:6308 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1989159347 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:44944 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1368825478 SEQ_ACK: 0 WINDOW: 5744 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:44944 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1368825479 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:36:32 2010> 192.168.1.20:6308 - Linux 2.4-2.6 (up: 2859 hrs)
  Signature: [S4:64:1:60:M1436,S,T,N,W0:.]
  -> 192.168.1.170:22 (distance 0, link: IPSec/GRE)
  [00] 45 00 00 3c 11 70 40 00 40 06 a5 3d c0 a8 01 14  | E..<.p@.@..=....
  [10] c0 a8 01 aa 18 a4 00 16 76 90 29 b2 00 00 00 00  | ........v.).....
  [20] a0 02 16 70 4a 0f 00 00 02 04 05 9c 04 02 08 0a  | ...pJ...........
  [30] 3d 5a 6d 3a 00 00 00 00 01 03 03 00              | =Zm:........

#unicornscan -i eth0 -r10 -mT 192.168.1.170:22,10000 -Iv -W7   (strangetcp)

192.168.1.20:55624 -> 192.168.1.170:22 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1274790842 SEQ_ACK: 0 WINDOW: 11744 TTL: 203  --> MATCHED RULE 1 <--
192.168.1.20:55624 -> 192.168.1.170:22 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1274790843 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--
192.168.1.20:5838 -> 192.168.1.170:10000 PSH(0) SYN(1) FIN(0) RST(0) URG(0) ACK(0) SEQ: 1828523068 SEQ_ACK: 0 WINDOW: 11744 TTL: 203  --> MATCHED RULE 1 <--
192.168.1.20:5838 -> 192.168.1.170:10000 PSH(0) SYN(0) FIN(0) RST(1) URG(0) ACK(0) SEQ: 1828523069 SEQ_ACK: 0 WINDOW: 0 TTL: 64  --> MATCHED RULE 1 <--

# pc 192.168.1.20, from p0f -S -p -x -t

<Sun Jun  6 03:37:53 2010> 192.168.1.20:55624 - UNKNOWN [11744:203:1:64:M1024,S,?19:.:?:?]
  -> 192.168.1.170:22 (link: unknown-1064)
  [00] 45 00 00 40 31 e7 40 00 cb 06 f9 c1 c0 a8 01 14  | E..@1.@.........
  [10] c0 a8 01 aa d9 48 00 16 4b fb c3 ba 00 00 00 00  | .....H..K.......
  [20] b0 02 2d e0 bd e9 00 00 02 04 04 00 04 02 13 12  | ..-.............
  [30] e8 86 c3 fb 48 5e bd 67 26 1a c4 b4 29 34 13 79  | ....H^.g&...)4.y

IDEA 1: apks used as 3-way-handshake authentication

A simple way to understand it is as follows:

If the source IP hits an open port


If the source IP hits a closed port


IDEA 2: apks used as a honeynet with many different rules

What needs to be done is as follows:

Fill the IP space; as an example I take just 4 IPs

#ifconfig eth0:0 10.10.1.166 netmask 255.255.255.0 up

#apks.pl -i eth0:0 -c apks.166

#ifconfig eth0:1 10.10.1.167 netmask 255.255.255.0 up

#apks.pl -i eth0:1 -c apks.167

#ifconfig eth0:2 10.10.1.168 netmask 255.255.255.0 up

#apks.pl -i eth0:2 -c apks.168

#ifconfig eth0:3 10.10.1.169 netmask 255.255.255.0 up

#apks.pl -i eth0:3 -c apks.169

So each IP gets its own, different apks configuration...

The rest depends on each person's creativity to DNAT it to the honeynet server!!

http://protocolunique.com