Nmap Announce mailing list archives

Nmap bug or am I missing something.


From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 10 Mar 1999 17:00:35 -0800

I've been messing around with nmap (on Linux) in my lab and I'm able to
port scan a Checkpoint Firewall 1 (NT Server sp4, fwt 3.0b) without
being logged. Unfortunately nmap "incorrectly" reports all the scanned
ports open. I only know which ports are open by using tcpdump or a
sniffer. 

Here are my command lines:

Nmap:

x.x.x.x is the attacked host.

nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

Scans -sF, -sX, -sN in combination with -f are not logged on fw1. Scans
with -sS -f are logged.

The program says that -sN is only for UNIX but it works great here.

I run tcpdump -n -vv src host x.x.x.x on a third host.

I run the above and immediately tcpdump reports:

x.x.x.x.5900 > (nmap host).xxxx ack    (abbreviated)
x.x.x.x.256 > (nmap host).xxxx ack
x.x.x.x.257 > (nmap host).xxxx ack
x.x.x.x.258 > (nmap host).xxxx ack
x.x.x.x.259 > (nmap host).xxxx ack

On the firewall ports 256-259 and 5900 are open. The response in tcpdump
is 100%!

Sniffer reports RST,ACK pair set in response.

After 30 seconds or so tcpdump receives an ICMP type 11 code 1 packet
(Fragment Reassembly Time Exceeded) from the firewall for each port
scanned.

NOTHING is logged on the firewall!

I have a Raptor, Sidewinder, Gauntlet and Firewall 1 on Solaris that I
will try tomorrow. I'll also try this against a Cisco extended
access-list and Linux ipfwadm. I'll post my results.

Thank you Fyodor for the great program. This is fantastic!


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
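Added example (not part of Frank's post or of nmap): a small Python detector for the FIN (-sF), Xmas (-sX) and NULL (-sN) probes the post describes, run over constructed packet summaries, with fragmented probes counted separately since fragmentation is what the post reports as evading the firewall log. The addresses, ports and the five-port alert threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries, NOT real captures: (src, dst, dport, flags, fragmented).
# flags uses tcpdump's letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", 20,   "F",   True),
    ("10.0.0.5", "10.0.0.1", 21,   "F",   True),
    ("10.0.0.5", "10.0.0.1", 25,   "F",   True),
    ("10.0.0.5", "10.0.0.1", 256,  "F",   True),
    ("10.0.0.5", "10.0.0.1", 257,  "F",   True),
    ("10.0.0.5", "10.0.0.1", 5900, "FPU", True),   # one Xmas probe mixed in
    ("10.0.0.7", "10.0.0.1", 80,   "S",   False),  # ordinary SYN, ignored
    ("10.0.0.7", "10.0.0.1", 80,   "PA",  False),  # established traffic, ignored
    ("10.0.0.9", "10.0.0.1", 22,   "",    False),  # lone NULL probe, below threshold
]

# Flag combinations no legitimate TCP stack sends as the first packet of a flow.
SCAN_SIGNATURES = {
    frozenset():      "NULL scan (-sN)",
    frozenset("F"):   "FIN scan (-sF)",
    frozenset("FPU"): "Xmas scan (-sX)",
}

def classify(flags):
    """Return the scan type for a TCP flag string, or None for normal traffic."""
    return SCAN_SIGNATURES.get(frozenset(flags))

def detect_scans(packets, min_ports=5):
    """Aggregate stealth probes per (src, dst) pair and alert once a source has
    touched at least min_ports distinct ports. The fragmented count shows how
    many of those probes a filter that only logs whole packets would miss."""
    seen = defaultdict(lambda: {"ports": set(), "kinds": set(), "fragmented": 0})
    for src, dst, dport, flags, fragmented in packets:
        kind = classify(flags)
        if kind is None:
            continue
        rec = seen[(src, dst)]
        rec["ports"].add(dport)
        rec["kinds"].add(kind)
        rec["fragmented"] += int(fragmented)
    alerts = []
    for (src, dst), rec in sorted(seen.items()):
        if len(rec["ports"]) >= min_ports:
            alerts.append({"src": src, "dst": dst, "ports": sorted(rec["ports"]),
                           "kinds": sorted(rec["kinds"]),
                           "fragmented": rec["fragmented"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```

The same classification applies to packets pulled from a pcap or a sniffer export, which is how the silent scan in the post was noticed in the first place.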