Nmap Announce mailing list archives
Nmap bug or am I missing something.
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 10 Mar 1999 17:00:35 -0800
I've been messing around with nmap (on Linux) in my lab and I'm able to port scan a Checkpoint Firewall 1 (NT Server sp4, fwt 3.0b) without being logged. Unfortunately nmap "incorrectly" reports all the scanned ports open. I only know which ports are open by using tcpdump or a sniffer.

Here are my command lines:

Nmap: x.x.x.x is the attacked host.

    nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans with -sS -f are logged. The program says that -sN is only for UNIX but it works great here.

I run

    tcpdump -n -vv src host x.x.x.x

on a third host. I run the above and immediately tcpdump reports:

    x.x.x.x.5900 > (nmap host).xxxx ack (abbreviated)
    x.x.x.x.256 > (nmap host).xxxx ack
    x.x.x.x.257 > (nmap host).xxxx ack
    x.x.x.x.258 > (nmap host).xxxx ack
    x.x.x.x.259 > (nmap host).xxxx ack

On the firewall ports 256-259 and 5900 are open. The response in tcpdump is 100%! Sniffer reports RST,ACK pair set in response. After 30 seconds or so tcpdump receives an ICMP type 11 code 1 packet (Fragment Reassembly Time Exceeded) from the firewall for each port scanned. NOTHING is logged on the firewall!

I have a Raptor, Sidewinder, Gauntlet and Firewall 1 on Solaris that I will try tomorrow. I'll also try this against a Cisco extended access-list and Linux ipfwadm. I'll post my results.

Thank you Fyodor for the great program. This is fantastic!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
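For defenders, the traffic described in the post above can be flagged per fragment, without reassembly. The following is an added example, not part of the original message and not nmap code. It assumes the TCP header is split into 8-byte fragments, and the helper names `ipv4` and `inspect` and all sample packets are constructed for illustration.

```python
import struct

MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field
# TCP flag bytes with none of SYN/ACK/RST set, as used by -sN, -sF, -sX
SCAN_FLAGS = {0x00: "NULL", 0x01: "FIN", 0x29: "Xmas"}

def ipv4(proto, payload, flags_off=0):
    """Build a constructed IPv4 packet (documentation addresses, no checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + payload

def inspect(pkt):
    """Return a list of findings for one raw IPv4 packet or fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off, _ttl, proto = struct.unpack("!HBB", pkt[6:10])
    offset = (flags_off & 0x1FFF) * 8   # byte offset of this fragment's payload
    more = bool(flags_off & MF)
    payload = pkt[ihl:]
    findings = []
    # ICMP type 11 code 1: a host gave up waiting for the remaining fragments
    if proto == 1 and offset == 0 and payload[:2] == b"\x0b\x01":
        findings.append("ICMP fragment reassembly time exceeded")
    if proto == 6:
        # A first fragment shorter than 14 bytes cannot contain the flags byte,
        # so a filter that only examines first fragments never sees the flags.
        if offset == 0 and more and len(payload) < 14:
            findings.append("tiny first TCP fragment (flags byte missing)")
        idx = 13 - offset               # flags are byte 13 of the TCP header
        if 0 <= idx < len(payload):
            kind = SCAN_FLAGS.get(payload[idx] & 0x3F)
            if kind:
                where = " in non-first fragment" if offset else ""
                findings.append(kind + " probe flags" + where)
    return findings

def demo():
    """Run the detector over a constructed FIN probe split into 8-byte pieces."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 256, 0, 0, 0x50, 0x01, 1024, 0, 0)
    frags = [ipv4(6, tcp[:8], MF), ipv4(6, tcp[8:16], MF | 1), ipv4(6, tcp[16:], 2)]
    icmp = ipv4(1, b"\x0b\x01" + b"\x00" * 6)
    return [inspect(p) for p in frags + [icmp]]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A filter or IDS rule built on the same two TCP checks drops or alerts on the first fragment itself, which is the approach RFC 1858 recommends against tiny-fragment evasion.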