During service discovery, I occasionally run into hosts that report every single port as open. Obviously this is because something in front of, or on, the target host is replying with a SYN/ACK to every SYN it receives (in the case of a typical SYN scan).
This behavior, from my observations, is indicative of a firewall. The only firewall I have ever personally configured that replicates this behavior is netfilter/iptables with the xtables-addons, specifically the TARPIT target. The TARPIT target does more than just make every port appear to be open, but for this write-up that's all we are concerned about.
I have configured a host-based firewall on a Linux host to show this. First, let's look at what happens when we perform a SYN scan using Nmap.
We observe the expected behavior, Nmap shows that every port is open. Using Wireshark, let's look at the packet capture for some more detail.
We see that the server is sending a SYN/ACK for every single port that is sent a SYN. This makes detecting legitimately available services nearly impossible.
However, I recently discovered a way to detect a legitimate service by looking for the Maximum Segment Size (MSS) option in the TCP options of the reply. According to my observations, this option is never set in the fake replies, but is almost always set in a legitimate one. To show this, let's look at a SYN/ACK reply from a port that I know is open.
We see that the MSS value is set to 1460 bytes. Now, a look at a fake reply.
No MSS value is set.
There you have it: to detect a legitimate service, we can look for the MSS option in the reply to our SYN. I created a POC (mss_scan.py) that you can download here. Here is a screenshot of it being used against a Windows host on an internal network that was reporting every port as open.
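To make the check concrete, here is an added example (my own code, not the post's mss_scan.py) that parses the TCP header of a captured SYN/ACK, walks the options field, and classifies the reply as "likely-real" when an MSS option (kind 2) is present and "likely-fake" when it is absent, exactly the heuristic described above. The two sample segments and the `build_syn_ack` helper are constructed for the example; no packets are sent. The NOP and SACK-permitted options in the "real" sample are there to show the parser coping with option padding the way a real Linux stack emits it. As the post itself notes, the heuristic is not universal, so the classification is a hint for triage, not a proof.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP option kinds and flag bits (RFC 793 / RFC 9293)
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int
    options: List[Tuple[int, bytes]]  # (kind, payload) pairs, NOP/EOL skipped


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP options field, honouring single-byte NOP/EOL kinds."""
    opts: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(data: bytes) -> TcpSegment:
    """Parse a raw TCP header (no IP header in front) into a TcpSegment."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(data):
        raise ValueError("bad TCP data offset")
    return TcpSegment(src, dst, flags, parse_tcp_options(data[20:data_offset]))


def mss_value(seg: TcpSegment) -> Optional[int]:
    """Return the advertised MSS, or None if the option is absent."""
    for kind, payload in seg.options:
        if kind == TCP_OPT_MSS and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def classify_syn_ack(data: bytes) -> str:
    """Apply the heuristic from the post: a SYN/ACK without MSS smells like a tarpit."""
    seg = parse_tcp_header(data)
    if seg.flags & (TCP_FLAG_SYN | TCP_FLAG_ACK) != (TCP_FLAG_SYN | TCP_FLAG_ACK):
        return "not-syn-ack"
    return "likely-real" if mss_value(seg) is not None else "likely-fake"


def build_syn_ack(src_port: int, dst_port: int, options: bytes = b"") -> bytes:
    """Constructed-sample helper: forge a SYN/ACK header with the given options (checksum left 0)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | TCP_FLAG_SYN | TCP_FLAG_ACK
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 1, off_flags, 65535, 0, 0) + options


# Constructed sample replies: port 22 answers like a real Linux stack
# (MSS 1460, NOP, NOP, SACK-permitted); ports 8080 and 31337 answer with a bare SYN/ACK.
SAMPLE_REPLIES: Dict[int, bytes] = {
    22: build_syn_ack(22, 40000, b"\x02\x04\x05\xb4\x01\x01\x04\x02"),
    8080: build_syn_ack(8080, 40001),
    31337: build_syn_ack(31337, 40002),
}


def survey(replies: Dict[int, bytes]) -> Dict[int, str]:
    """Classify every captured SYN/ACK keyed by the port that sent it."""
    return {port: classify_syn_ack(pkt) for port, pkt in replies.items()}


if __name__ == "__main__":
    for port, verdict in survey(SAMPLE_REPLIES).items():
        print(f"port {port}: {verdict}")
```

In practice the header bytes would come from a pcap (the TCP layer of each SYN/ACK), so the same `classify_syn_ack` can be run over a Wireshark export to separate the handful of real services from the wall of tarpit responses.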
In this instance, the host was behind a Juniper router. Further research has shown that this method will not work against all firewalls that proxy TCP connections. I’ll be releasing a tool that will work against all of these devices soon.