
Port Scanning Through Tarpits

April 24, 2012

During service discovery, I occasionally run into hosts that report every single port as open. Obviously this is because something in front of or on the target host is replying with a SYN, ACK for every SYN sent (in the case of a typical SYN scan).

This behavior, from my observations, is indicative of a firewall. The only firewall I have ever personally configured that replicates this behavior is netfilter/iptables with the xtables-addons, specifically the TARPIT target. The TARPIT target does more than just make every port appear to be open, but for this write-up that's all we are concerned about.

I have configured a host-based firewall on a Linux host to show this. First, let's look at what happens when we perform a SYN scan using Nmap.

We observe the expected behavior: Nmap shows that every port is open. Using Wireshark, let's look at the packet capture for some more detail.


We see that the server is sending a SYN, ACK for every single port that is sent a SYN. This makes detecting legitimate available services nearly impossible.

However, I recently discovered a way to detect a legitimate service by looking for the Maximum Segment Size (MSS) option in the TCP options of the reply. According to my observations, this option is never set in the fake replies, but is almost always set in a legitimate one. To show this, let's look at a SYN, ACK reply from a port that I know is open.

We see that the MSS value is set to 1460 bytes. Now, a look at a fake reply.

No MSS value set.

There you have it: To detect a legitimate service, we can look for the MSS option in the reply to our SYN. I created a POC (mss_scan.py). Here is a screenshot using it against a Windows host on an internal network that was reporting every port as open.

In this instance, the host was behind a Juniper router. Further research has shown that this method will not work against all firewalls that proxy TCP connections. I’ll be releasing a tool that will work against all of these devices soon.
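To make the MSS check concrete, here is an added example (not the author's mss_scan.py and not part of the original post) that parses a raw TCP segment, walks the options area, and classifies a SYN, ACK as a likely real service when the MSS option (kind 2) is present or a likely tarpit reply when it is absent. It sends nothing; it is meant for analysing captured segments offline, for example to confirm how a TARPIT deployment answers. The `build_synack` helper only constructs sample segments for demonstration.

```python
import struct

MSS_KIND = 2           # TCP option kind for Maximum Segment Size
SYN, ACK = 0x02, 0x10  # TCP flag bits


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TCP options area and return {kind: value_bytes}.
    EOL (kind 0) stops parsing; NOP (kind 1) has no length byte."""
    found, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):              # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                           # malformed length; do not over-read
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def classify_synack(segment: bytes) -> tuple:
    """Classify a raw TCP segment (header + options, no IP header).
    Returns ('not-synack', None), ('likely-service', mss) or ('likely-tarpit', None)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than minimal TCP header")
    header_len = (segment[12] >> 4) * 4     # data offset in 32-bit words
    flags = segment[13]
    if flags & (SYN | ACK) != (SYN | ACK):
        return ("not-synack", None)
    opts = parse_tcp_options(segment[20:header_len])
    if MSS_KIND in opts and len(opts[MSS_KIND]) == 2:
        return ("likely-service", struct.unpack("!H", opts[MSS_KIND])[0])
    return ("likely-tarpit", None)


def build_synack(src_port: int, dst_port: int, mss=None) -> bytes:
    """Constructed sample SYN, ACK: 20-byte header plus an optional MSS option."""
    opts = b"" if mss is None else struct.pack("!BBH", MSS_KIND, 4, mss)
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 1,
                         data_offset << 4, SYN | ACK, 65535, 0, 0)
    return header + opts
```

As the post notes, absence of MSS is only a heuristic for this particular tarpit behaviour; TCP-proxying firewalls that complete the handshake themselves will typically include an MSS and are not distinguished by this check.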
