Security Basics mailing list archives
Re: Nmap/netwag problem.
From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Aug 2005 15:33:36 -0700
On Thu, Aug 11, 2005 at 04:07:41PM +0100, Paul J Docherty wrote:
> the question, which was I think, "which port scanner is giving the correct results?" As many others have elegantly answered use a packet sniffer and look at the raw data to see what's going on.
Many people have given that answer, and it is a good one. But people should also be aware of Nmap's --packet_trace feature, which is a very easy way to see what packets Nmap is sending and receiving. Let's look at a quick example:

# nmap -P0 -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:18 PDT
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.272 seconds

Here we do a SYN scan (with no initial ping) against three ports, and Nmap classifies them into 3 different states. As posters to this thread have explained, you sometimes want to know exactly _why_ Nmap has classified them as it has. To answer this question, simply add --packet_trace to the command above:

# nmap -P0 --packet_trace -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:19 PDT
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.232 seconds

As you can see above, Nmap starts by sending a SYN probe back to each of the three ports. Port 113 replies with the RA (RST/ACK) flags and thus is listed by Nmap as closed. Port 80 returns SA (SYN/ACK) and so is listed as open. Port 99 does not reply, so Nmap retransmits after 1.1 seconds. There is still no reply, so Nmap lists the port as filtered.

I hope this helps. 3.84ALPHA1 has not been formally released, but it offers many improvements from 3.81 and you can snag a copy from http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0041.html . You don't need this for --packet_trace though, as it has been around (and steadily improving) since 2002.

Cheers,
Fyodor