Nmap Development mailing list archives
SF, SFP scans?
From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 12:27:11 -0500
Hello, everyone. I am new to this list. I use nmap almost every day, but just recently started looking at the code, and I had a (hopefully quick) question.

I would like to modify nmap such that I can do a modified SYN scan where I have the FIN or PUSH (or even URG, RST, X and Y) bits set. Stacks all over the place are accepting packets like SFPUXY to start sessions, and I want to see if any firewalls which pretend to be stateful will allow these through. I was able to kind of do this the cheap, cheap, dirty way by modifying netinet/tcp.h, but that's obviously ugly for lots of reasons, and I was wondering if anyone already has such a patch, or if it's been discussed before, and where in the code I should start to look if nobody has already done it. Ideally, there would be a set of options like hping, such that one could simply specify the bits to be set.

(BTW, changing TH_SYN in tcp.h does let me easily generate SF, SFP, or SFPU packets, but of course, due to changing the definition of a SYN, nmap doesn't seem to be parsing the return packets correctly in all cases. For a simple change of TH_SYN to 0x03 (SF) it works pretty well; open just shows up as filtered. It's pretty cool just to run it and watch tcpdump for details.)

Thanks in advance.

/joe

--------------------
Joe Pepin
SOC Engineer
Guardent Inc.
--------------------

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
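The following is an added illustration of the idea in the post above; it is not code from nmap, from the poster, or from any patch discussed in this thread. It shows what an hping-style flag option needs underneath: a parser that turns a flag string such as "SFPUXY" into the th_flags byte (X and Y are the two bits above URG, 0x40 and 0x80, which hping2 calls --xmas/--ymas and which RFC 3168 later assigned to ECE and CWR), a builder for a 20-byte TCP header carrying arbitrary flags with a correct checksum over the IPv4 pseudo-header, and a reply classifier that follows the SYN-scan rules (SYN/ACK open, RST closed, no reply filtered) while being kept independent of whatever flags the probe carried. The probe flags and the reply test are deliberately separate constants; the assumption here is that redefining TH_SYN in tcp.h also changes the value nmap compares replies against, which would explain the "open shows up as filtered" symptom, but that is an inference, not something the post states. The addresses, ports and sequence number in main are constructed sample values, and nothing is put on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, same values as netinet/tcp.h. TH_X and TH_Y are the two
 * bits hping2 exposes as --xmas/--ymas (now ECE and CWR per RFC 3168). */
enum {
    TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08,
    TH_ACK = 0x10, TH_URG = 0x20, TH_X   = 0x40, TH_Y   = 0x80
};

/* Parse an hping-style flag string ("SF", "SFPUXY", ...) into a flags byte.
 * Returns -1 if a letter is not one of F S R P A U X Y. */
int parse_flags(const char *s) {
    int flags = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'F': flags |= TH_FIN; break;  case 'S': flags |= TH_SYN; break;
        case 'R': flags |= TH_RST; break;  case 'P': flags |= TH_PSH; break;
        case 'A': flags |= TH_ACK; break;  case 'U': flags |= TH_URG; break;
        case 'X': flags |= TH_X;   break;  case 'Y': flags |= TH_Y;   break;
        default:  return -1;
        }
    }
    return flags;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* Accumulate 16-bit big-endian words for the Internet checksum. */
static uint32_t sum16(const uint8_t *d, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += ((uint32_t)d[i] << 8) | d[i + 1];
    if (n & 1) acc += (uint32_t)d[n - 1] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* IPv4 pseudo-header: src, dst, zero, protocol 6, TCP length. */
static uint32_t pseudo_sum(uint32_t src_ip, uint32_t dst_ip, uint16_t tcp_len) {
    uint8_t ph[12];
    put32(ph, src_ip); put32(ph + 4, dst_ip);
    ph[8] = 0; ph[9] = 6; put16(ph + 10, tcp_len);
    return sum16(ph, 12, 0);
}

/* Build a 20-byte TCP header (no options, no payload) with arbitrary flags
 * and a valid checksum. Returns the number of bytes written. */
int build_tcp_probe(uint8_t out[20], uint32_t src_ip, uint32_t dst_ip,
                    uint16_t sport, uint16_t dport, uint32_t seq, uint8_t flags) {
    memset(out, 0, 20);
    put16(out, sport); put16(out + 2, dport);
    put32(out + 4, seq);            /* ack number (out+8) stays 0 */
    out[12] = 5 << 4;               /* data offset: 5 words = 20 bytes */
    out[13] = flags;                /* exactly the bits requested, nothing implied */
    put16(out + 14, 1024);          /* window */
    /* checksum (out+16) and urgent pointer (out+18) are 0 while summing */
    put16(out + 16, fold(sum16(out, 20, pseudo_sum(src_ip, dst_ip, 20))));
    return 20;
}

/* Verify a segment's checksum: summing the pseudo-header plus the segment
 * including its stored checksum must fold to zero. Returns 1 if valid. */
int tcp_checksum_ok(const uint8_t *seg, size_t len, uint32_t src_ip, uint32_t dst_ip) {
    return fold(sum16(seg, len, pseudo_sum(src_ip, dst_ip, (uint16_t)len))) == 0;
}

/* SYN-scan style verdict on a reply. Note the test uses the fixed constants
 * TH_SYN|TH_ACK, not the probe's own flags, so the probe may be SF or SFPUXY
 * without changing how a SYN/ACK or RST reply is recognised. */
const char *classify_reply(int got_reply, uint8_t reply_flags) {
    if (!got_reply) return "filtered";
    if ((reply_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return "open";
    if (reply_flags & TH_RST) return "closed";
    return "unknown";
}

int main(void) {
    const char *probes[] = { "S", "SF", "SFP", "SFPUXY" };
    uint8_t pkt[20];
    for (size_t i = 0; i < 4; i++) {
        int f = parse_flags(probes[i]);
        /* constructed sample endpoints: 10.0.0.1:40000 -> 10.0.0.2:80 */
        build_tcp_probe(pkt, 0x0a000001, 0x0a000002, 40000, 80, 12345, (uint8_t)f);
        printf("%-7s flags=0x%02x hdr=", probes[i], f);
        for (int j = 0; j < 20; j++) printf("%02x", pkt[j]);
        printf(" csum_ok=%d\n", tcp_checksum_ok(pkt, 20, 0x0a000001, 0x0a000002));
    }
    return 0;
}
```

To actually send these, the header would go into a raw socket (IP_HDRINCL) with an IP header in front, and the reply filter would be a pcap or raw-socket read keyed on the source port; both need root and are left out here so the block runs offline. Watching the result in tcpdump, as the post suggests, is the quickest way to confirm that the firewall under test forwarded an SF or SFP probe and what the end host answered.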
Current thread:
- SF, SFP scans? joe . pepin (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)
- <Possible follow-ups>
- RE: SF, SFP scans? joe . pepin (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)