Nmap Development mailing list archives

SF, SFP scans?


From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 12:27:11 -0500

Hello, everyone.

I am new to this list.  I use nmap almost every day, but just recently
started looking at the code and I had a (hopefully quick) question.

I would like to modify nmap such that I can do a modified SYN scan where I
have the FIN or PUSH (or even URG, RST, X and Y) bits set.  Stacks all over
the place are accepting packets like SFPUXY to start sessions, and I want to
see if any firewalls which pretend to be stateful will allow these through.

I was able to kind of do this the cheap, cheap, dirty way by modifying
netinet/tcp.h, but that's obviously ugly for lots of reasons and I was
wondering if anyone already has such a patch, or if it's been discussed
before, and where in the code I should start to look if nobody has already
done it.

Ideally, there would be a set of options like hping such that one could
simply specify the bits to be set.

(BTW changing TH_SYN in tcp.h does let me easily generate SF, or SFP, or
SFPU packets, but of course, due to changing the definition of a SYN,
nmap doesn't seem to be parsing the return packets correctly in all cases,
but for a simple change of TH_SYN to 0x03 (SF) it works pretty well, open
just shows up as filtered.  It's pretty cool just to run it and watch
tcpdump for details).

Thanks in advance.

/joe
--------------------
Joe Pepin
SOC Engineer
Guardent Inc. 

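The post above is about generating SYN segments with extra flag bits; the complementary check, deciding from the flags byte whether a segment is a clean session start or one of the SF / SFP / SFPU shapes a stateful firewall should not admit, is shown here as an added example that is neither from the post nor from nmap's source. The flag constants mirror the TH_* values in netinet/tcp.h, the letter order follows the SFPUXY convention used above (X and Y standing for ECE and CWR), and the 20-byte TCP header in main() is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header: same values as the
 * TH_* macros in netinet/tcp.h, redefined here to keep the example self-contained. */
enum { FL_FIN = 0x01, FL_SYN = 0x02, FL_RST = 0x04, FL_PSH = 0x08,
       FL_ACK = 0x10, FL_URG = 0x20, FL_ECE = 0x40, FL_CWR = 0x80 };

enum syn_class { NOT_SYN = 0, CLEAN_SYN = 1, ANOMALOUS_SYN = 2 };

/* A connection-opening segment carries SYN with FIN, RST, PSH and URG clear
 * (ACK on the second handshake step and ECE/CWR for ECN are legitimate).
 * SYN plus any of those four is the SF / SFP / SFPU shape a stateful firewall
 * should not accept as a session start. */
enum syn_class classify_syn(uint8_t flags) {
    if (!(flags & FL_SYN)) return NOT_SYN;
    if (flags & (FL_FIN | FL_RST | FL_PSH | FL_URG)) return ANOMALOUS_SYN;
    return CLEAN_SYN;
}

/* Render the flags as letters in the order S F P U R A X Y, matching the
 * notation used in the post; out must hold at least 9 bytes. */
const char *flag_string(uint8_t flags, char out[9]) {
    static const struct { uint8_t bit; char c; } map[8] = {
        {FL_SYN, 'S'}, {FL_FIN, 'F'}, {FL_PSH, 'P'}, {FL_URG, 'U'},
        {FL_RST, 'R'}, {FL_ACK, 'A'}, {FL_ECE, 'X'}, {FL_CWR, 'Y'}};
    size_t n = 0;
    for (size_t i = 0; i < 8; i++)
        if (flags & map[i].bit) out[n++] = map[i].c;
    out[n] = '\0';
    return out;
}

/* Flags byte (offset 13) of a raw TCP header, or -1 when the buffer is shorter
 * than the 20-byte minimum so truncated captures are not misread as flags. */
int tcp_header_flags(const uint8_t *hdr, size_t len) {
    return len < 20 ? -1 : hdr[13];
}

int main(void) {
    /* Constructed 20-byte header: sport 40000, dport 80, data offset 5, flags 0x03 (SF) */
    const uint8_t sf_hdr[20] = {0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                                0x50, 0x03, 0x04, 0x00, 0, 0, 0, 0};
    char buf[9];
    int f = tcp_header_flags(sf_hdr, sizeof sf_hdr);
    printf("%s -> %s\n", flag_string((uint8_t)f, buf),
           classify_syn((uint8_t)f) == ANOMALOUS_SYN ? "anomalous SYN" : "ok");
    return 0;
}
```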