SYNSCAN(8)                BSD System Manager's Manual               SYNSCAN(8)

NAME
     synscan - a TCP/IP stack OS fingerprinting and network testing tool

SYNOPSIS
     synscan [-DhHlTv] [-a name] [-c file] [-f config] [-F config] [-g group]
             [-i intf] [-s srcip] [-t timeout] [-w waitms] host [port]

DESCRIPTION
     synscan is a TCP/IP stack OS fingerprinting and network testing tool used
     to identify the TCP/IP behavioral characteristics of a remote open TCP
     port. The operation of synscan is divided into three stages: 1) opening a
     series of TCP sessions with a remote TCP port and possibly sending or
     receiving data from the host; 2) analyzing the set of results from all
     sessions conducted; and 3) determining if the set of TCP characteristics
     matches any fingerprints known by synscan.

     In the first stage, a session configuration file is read and parsed
     containing directives on how synscan should communicate with the host.
     Additionally, a service configuration file is also read and parsed
     containing directives on what payloads it should send to and receive
     from the open port. After parsing these files, synscan starts by sending
     an initial TCP SYN packet for each configured session it is told to run.
     Depending on the response from the host, synscan proceeds to process the
     connection as directed. synscan will continue to poll for packets until
     all sessions reach a closed state (or until either a SIGINT is received
     or a timeout occurs), at which point it will enter stage two.

     In the second stage (once synscan finishes processing all sessions), it
     passes the results of each session to each analysis backend, called a
     plugin. Each plugin is designed to look for and determine a different TCP
     behavioral characteristic. These results are then printed to stdout.

     In the third stage, synscan attempts to match this set of characteristics
     against the fingerprints loaded from the fingerprint configuration file.
     The fingerprint with the most matching characteristics is printed to
     stdout.
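     The stage-three matching rule described above, as an added illustration
     that is not synscan's own code: every fingerprint is scored by how many
     of its characteristics agree with what the analysis plugins observed, and
     the highest score wins. The characteristic names, the observed values and
     the fingerprint entries are constructed for this example (synscan's real
     fingerprint file format is not shown on this page), and the tie report is
     an addition beyond the behaviour the page describes.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of what the analysis plugins might report for one host.
OBSERVED: Dict[str, str] = {
    "initial_ttl": "64",
    "window_scale": "present",
    "sack": "present",
    "timestamps": "present",
    "rto_backoff": "exponential",
}

# Hypothetical fingerprint database: name -> expected characteristic values.
# Names and values are made up; they stand in for the fingerprint file.
FINGERPRINTS: Dict[str, Dict[str, str]] = {
    "OS-A": {"initial_ttl": "64", "window_scale": "present", "sack": "present",
             "timestamps": "present", "rto_backoff": "exponential"},
    "OS-B": {"initial_ttl": "128", "window_scale": "present", "sack": "present",
             "timestamps": "absent", "rto_backoff": "exponential"},
    "OS-C": {"initial_ttl": "64", "window_scale": "absent", "sack": "absent"},
}


def score(fingerprint: Dict[str, str], observed: Dict[str, str]) -> int:
    """Count characteristics whose expected value equals the observed value.

    A characteristic the plugins did not report at all (for instance because
    -a restricted the run to a single plugin) neither matches nor counts
    against the fingerprint; it simply contributes nothing to the score.
    """
    return sum(1 for name, value in fingerprint.items()
               if observed.get(name) == value)


def best_match(fingerprints: Dict[str, Dict[str, str]],
               observed: Dict[str, str]) -> Tuple[Optional[str], int, List[str]]:
    """Return (winner, winning_score, other_names_with_the_same_score).

    The winner is the fingerprint with the most matches, as the man page
    states. Reporting the tied names is this example's addition: with few
    observed characteristics several fingerprints often score equally, and a
    caller should know the verdict is ambiguous rather than trust one name.
    """
    scores = {name: score(fp, observed) for name, fp in fingerprints.items()}
    if not scores or max(scores.values()) == 0:
        return None, 0, []           # nothing matched at all
    top = max(scores.values())
    tied = sorted(name for name, s in scores.items() if s == top)
    return tied[0], top, tied[1:]


if __name__ == "__main__":
    winner, points, ties = best_match(FINGERPRINTS, OBSERVED)
    print(f"best match: {winner} ({points} characteristics)"
          + (f", tied with {', '.join(ties)}" if ties else ""))
```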
OPTIONS
     -a name     Tells synscan to only try the analysis plugin matching name.

     -c file     Tells synscan to use the configuration file file for
                 initializing the service configurations. The default file
                 synscan uses is $(DATADIR)/synscan.services.

     -D          Increases the debug level by one. Increasing this more than
                 three times causes a large amount of debugging information to
                 be printed. It may or may not be useful in learning how
                 synscan works. Also see the -l flag.

     -f file     Tells synscan to use the configuration file file for
                 initializing the session configurations. The default file
                 synscan uses is $(DATADIR)/synscan.conf.

     -F file     Tells synscan to use the configuration file file for
                 initializing the OS fingerprints. The default file synscan
                 uses is $(DATADIR)/synscan.fingerprints.

     -g group    If a group of sessions is labeled in the session
                 configuration file, then synscan will only try to run those
                 sessions within the group definition named group. The default
                 behavior is to run all sessions.

     -h          Prints helpful usage information.

     -H          Causes each packet sent and received by synscan to be printed
                 out in hexadecimal. This option is mainly useful for
                 debugging.

     -i intf     Manually forces synscan to use the interface intf instead of
                 determining the interface via the routing and arp tables.

     -l          Logs all debugging information to the file
                 $(IP).synscan.$(PID).log, where $(IP) is the dotted-quad
                 address of the host, and $(PID) is the process ID of the
                 running process.

     -s session  Tells synscan to only run the session named session.

     -t timeout  Sets the timeout value to timeout seconds. The default value
                 used is 180 seconds. Longer timeouts must be used to test
                 successive RTO values of a host.

     -T          Causes every packet sent or received by synscan to be printed
                 out in a tcpdump(1) -style fashion.

     -v          Increases the verbosity level by one. This is different from
                 the -D option in that it gives status information about the
                 progress and operations of synscan.
     -w millisecs
                 Tells synscan to wait millisecs milliseconds between opening
                 successive connections to the host. synscan can cause
                 machines with rate-limiting support to send resets from an
                 open port. The default value is 50ms, which most hosts seem
                 to be able to handle.

     Sessions that have frag or tcp fields will be skipped if synscan is told
     to connect to a port for which there is no service definition in the
     services file.

     Timestamp options can have a zero or non-zero numerical value. A non-zero
     value will always be replaced with either the current tsval incrementor
     or the tsrecent stamp from the server (for the tsecho field).

CONFIGURATION
     synscan uses two primary configuration files: synscan.conf(5) is used to
     describe the session and group configurations, and synscan.services is
     used to describe the service configurations. Please refer to those manual
     pages for a complete description of the configuration formats.

RETURN VALUES
     synscan exits with code 0 on success, or -1 if an error occurred.

RELEVANT SYSCTLS
     It may be useful to adjust or modify sysctl variables used by the
     operating system to try to prevent detection. This list is incomplete and
     highly dependent on the OS.

     FreeBSD: net.inet.tcp.{rfc1323, rfc1644, mssdflt, keepidle, keepintvl,
     sendspace, delayed_ack, slowstart_flightsize,
     local_slowstart_flightsize, newreno, isn_reseed_interval,
     always_keepalive}, net.inet.ip.ttl.

     NetBSD: net.inet.tcp.{ack_on_push, compat_42, cwm, cwm_burstsize,
     init_win, init_win_local, keepcnt, keepidle, keepintvl, mss_ifmtu,
     mssdflt, recvspace, rfc1323, rstppslimit, sack, sendspace, slowhz,
     timestamps, win_scale}, net.inet.ip.ttl.
     Linux: net.ipv4.{tcp_adv_win_scale, tcp_dsack, tcp_ecn, tcp_reordering,
     tcp_fack, tcp_rfc1337, tcp_stdurg, tcp_fin_timeout, tcp_retries2,
     tcp_retries1, tcp_keepalive_intvl, tcp_keepalive_probes,
     tcp_keepalive_time, tcp_synack_retries, tcp_syn_retries,
     tcp_retrans_collapse, tcp_sack, tcp_window_scaling, tcp_timestamps,
     ip_default_ttl}.

RFCS
     RFC793   Transmission Control Protocol. J. Postel, Sept 1981.

     RFC1122  Requirements for Internet Hosts -- Communication Layers.
              R. Braden, Oct 1989.

     RFC2001  TCP Slow Start, Congestion Avoidance, Fast Retransmit, and Fast
              Recovery Algorithms. W. Stevens, Jan 1997.

     RFC2018  TCP Selective Acknowledgment Options. M. Mathis, J. Mahdavi,
              S. Floyd, Oct 1996.

     RFC2414  Increasing TCP's Initial Window. M. Allman, Sept 1998.

     RFC2525  Known TCP Implementation Problems. V. Paxson, M. Allman,
              S. Dawson, W. Fenner, J. Griner, I. Heavens, K. Lahey,
              J. Semke, B. Volz, Mar 1999.

SEE ALSO
     synscan.conf(5), synscan.services(5), pcap(3), dnet(3), event(3), and
     sysctl(8).

BUGS
     Because synscan is dependent on pcap(3), dnet(3) and event(3), it will
     only work properly on platforms which have full support for those
     libraries.

COPYING
     synscan is copyrighted under the BSD license. See the LICENSE file that
     came with the distribution for the text of that license.

AUTHORS
     Greg Taleck

BSD                            November 18, 2003                           BSD