Nmap Development mailing list archives
RE: SF, SFP scans?
From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 14:11:52 -0500
Thanks! While the -sF works better against Linux, -sS works better (quicker) against Windows (and therefore probably BSD as well ;) Windows will happily send a SYNACK to a 0xEB.

/joe
-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Wednesday, October 30, 2002 1:16 PM
To: Joe Pepin
Cc: nmap-dev () insecure org
Subject: Re: SF, SFP scans?

On Wed, Oct 30, 2002 at 12:27:11PM -0500, joe.pepin () guardent com wrote:
> I would like to modify nmap such that I can do a modified SYN scan where I
> have the FIN or PUSH (or even URG, RST, X and Y) bits set. Stacks all over
> the place are accepting packets like SFPUXY to start sessions, and I want to
> see if any firewalls which pretend to be stateful will allow these through.
>
> I was able to kind-of do this the cheap, cheap, dirty way by modifying
> netinet/tcp.h, but that's obviously ugly for lots of reasons and I
> was

Dear lord, that is ugly :). But I agree that specifying arbitrary flag
values can be useful. It may not be documented, but recent versions of Nmap
have a 'scanflags' option for doing this. For example, you can do a SYN|FIN
scan as follows:

felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     filtered    ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 2.288 seconds

Only the "normal" flag names are supported, but you can provide a numerical
argument to get at "X" and "Y".

The way Linux reacts to SYN|FIN packets, it is really more of a FIN scan. So
better results come from treating it that way:

felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 1.594 seconds

Cheers,
Fyodor
--------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
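The mechanics behind the exchange above, as an added example that is not Nmap's code and not part of this thread: it parses a --scanflags style spec (concatenated flag names or a number such as 0xEB) into a TCP flags byte, builds a raw 20-byte TCP header carrying those bits with a valid pseudo-header checksum, and decides the port state from the reply under SYN-scan rules versus FIN-scan rules. The classification is why a SYN|FIN probe that a Linux stack treats as a bare FIN shows up as "filtered" under -sS but "open" under -sF (current Nmap prints that state as open|filtered; the 2002 output above prints "open"), and why Joe's observation that Windows answers a 0xEB probe with SYN/ACK reads as "open" either way. The addresses and ports are constructed; the send_probe helper is an assumption about how one would emit the probe and needs root for the raw socket, while everything else runs offline.

```python
"""Arbitrary TCP flag probes, in the spirit of Nmap's --scanflags.

Added example, not Nmap's code. Parse a flag spec, build a raw TCP header
with those bits, and classify replies as a SYN scan or a FIN scan would.
"""
import socket
import struct

# RFC 793 flag bits plus ECE/CWR (RFC 3168). Nmap accepts these names
# concatenated in any order, or a plain number (for bits it has no name for).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_scanflags(spec: str) -> int:
    """'SYNFIN' -> 0x03, 'URGPSHSYNFIN' -> 0x2B, '0xEB' -> 0xEB."""
    spec = spec.strip()
    try:                                   # numeric form first
        value = int(spec, 0)
    except ValueError:
        value = None
    if value is not None:
        if not 0 <= value <= 0xFF:
            raise ValueError("flags must fit in one byte")
        return value
    flags, rest = 0, spec.upper()
    while rest:                            # greedy match of flag names
        for name, bit in FLAG_BITS.items():
            if rest.startswith(name):
                flags |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown flag name in {spec!r}")
    return flags


def flag_names(flags: int) -> list[str]:
    """Decode a flags byte, e.g. 0xEB -> FIN SYN PSH URG ECE CWR."""
    return [n for n, b in FLAG_BITS.items() if flags & b]


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header with arbitrary flag bits and a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4,              # data offset = 5 words, no options
                      flags & 0xFF, window, 0, 0)
    csum = (~_ones_complement_sum(
        _pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header + segment must sum to 0xFFFF."""
    return _ones_complement_sum(
        _pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def classify(scan_type: str, reply_flags):
    """Port state from the reply's TCP flags (None = nothing came back).

    RST means closed in both modes. SYN|ACK means the stack accepted the
    probe as a connection attempt, so open in both modes (Windows and 0xEB).
    Silence is 'filtered' for a SYN scan, but only 'open|filtered' for a FIN
    scan, because RFC 793 has an open port ignore a segment without SYN/ACK.
    """
    syn_ack = FLAG_BITS["SYN"] | FLAG_BITS["ACK"]
    if reply_flags is not None and reply_flags & FLAG_BITS["RST"]:
        return "closed"
    if reply_flags is not None and reply_flags & syn_ack == syn_ack:
        return "open"
    if scan_type == "syn":
        return "filtered"
    if scan_type == "fin":
        return "open|filtered" if reply_flags is None else "filtered"
    raise ValueError(f"unknown scan type {scan_type!r}")


def send_probe(src_ip, dst_ip, sport, dport, flags):
    """Emit one probe (assumed helper; root needed, kernel adds the IP header)."""
    seg = build_tcp_probe(src_ip, dst_ip, sport, dport, flags)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(seg, (dst_ip, 0))


if __name__ == "__main__":
    probe = build_tcp_probe("192.168.0.2", "192.168.0.4", 40000, 22,
                            parse_scanflags("SYNFIN"))
    print(flag_names(probe[13]), tcp_checksum_ok("192.168.0.2", "192.168.0.4", probe))
    print(classify("syn", None), classify("fin", None), classify("fin", 0x12))
```

Capturing the reply needs a packet sniffer (libpcap or a second raw socket), which is left out; classify() takes the flags byte from whatever captured it. The split between "filtered" and "open|filtered" is the whole point of Fyodor's suggestion to run the SYN|FIN probe as -sF: the probe is the same bytes either way, only the interpretation of silence changes.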
Current thread:
- SF, SFP scans? joe . pepin (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)
- <Possible follow-ups>
- RE: SF, SFP scans? joe . pepin (Oct 30)
- Re: SF, SFP scans? Fyodor (Oct 30)