Nmap Development mailing list archives
Re: Idle Scanning behind stateful firewalls
From: "CBuH." <479001601 () mail ru>
Date: Sun, 28 Mar 2004 02:17:20 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

My thoughts on the case of "nmap's sending of SYN+ACK to the Idle" are that if it were SYN only, then the Idle should send SYN+ACK, ... (RFC -- yes??) ... but it will retry sending more SYN+ACKs if it then finds nothing in reply. Right? Then we know nothing about the quantity and the timeout of those retries, and the IPID would increase uncommonly. We can try the Idle for this config (quantity & timeout), but it will increase the time of scanning one port to minutes.

That is all IMHO. :-)

On Friday 26 March 2004 13:22, Glyn Geoghegan wrote:
> Hi all,
>
> I have a problem with nmap's Idle Scanning.
> http://www.insecure.org/nmap/idlescan.html
>
> The probes nmap sends to the Zombie are SYN/ACKs, which AFAIK is a flexible decision, as the IPIDs increment the same regardless of whether a SYN or SYN/ACK is sent. But, because nmap uses a SYN/ACK, its probes get dropped by any stateful devices (because they aren't part of an active connection), preventing their use as zombies. This prevents using a web server (e.g. 192.168.0.1) as a zombie to port-scan the rest of its network (e.g. 192.168.0.0/28) behind the firewall.
>
> I'm guessing it sends a SYN/ACK for performance reasons, as that will solicit a RST rather than a SYN/ACK that must be RST by nmap.
>
> Is there a way to change this? Have I missed an option somewhere? Or am I talking gibberish?
>
> Cheers,
> Glyn Geoghegan.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org
- --
CBuH. CG[CX] XVyGYjau
479001600(at)mail.ru, ICQ#70929413
GnuPG(PGP) public key is: http://www.vinnied.narod.ru/pubkey.asc
http://www.vinnied.narod.ru
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFAZguG5Cj3gqxcdCoRAqw/AJ48LxfXuZHp93Ao3AgWLuASq9KyhQCfRZiv
21NO54bdQX4EAeNWUBclgRk=
=bCwv
-----END PGP SIGNATURE-----
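The behaviour both posts turn on is that a stateful device drops a SYN/ACK which does not belong to a connection it has already seen. The following toy connection tracker, added here as an illustration and not code from this thread or from nmap, models that rule in Python over a few constructed packet records: outbound SYNs register a pending connection, an inbound SYN/ACK is allowed only when it matches one, and a source that keeps sending unmatched SYN/ACKs is raised as an alert. The addresses, packet list, and the alert threshold are assumptions chosen for the example; the alert is the signal a defender would want to log, since a burst of unsolicited SYN/ACKs toward one host is what such drops look like in practice.

```python
from collections import Counter

# Constructed sample packets (not from the original thread).
# Each record is (direction, src, dst, tcp_flags); "in" means the packet
# arrives from the untrusted side, "out" means it leaves the protected host.
SAMPLE_PACKETS = [
    ("out", "192.168.0.1", "203.0.113.5", "SYN"),      # protected host opens a connection
    ("in",  "203.0.113.5", "192.168.0.1", "SYN/ACK"),  # reply to that SYN: part of a tracked flow
    ("in",  "203.0.113.9", "192.168.0.1", "SYN/ACK"),  # no matching SYN ever left: unsolicited
    ("in",  "203.0.113.9", "192.168.0.1", "SYN/ACK"),
    ("in",  "203.0.113.9", "192.168.0.1", "SYN/ACK"),
    ("in",  "203.0.113.9", "192.168.0.1", "SYN"),      # plain SYN: a new inbound connection attempt
]


def stateful_filter(packets, unsolicited_threshold=3):
    """Apply a minimal stateful rule to a packet list.

    Returns (verdicts, alerts): one (verdict, reason) per packet, and a dict
    of outside sources whose unsolicited SYN/ACK count reached the threshold.
    The threshold value is an assumption for this example, not a known default.
    """
    pending = set()          # (inside_host, outside_host) pairs with an outbound SYN in flight
    unsolicited = Counter()  # dropped SYN/ACKs per outside source
    verdicts = []

    for direction, src, dst, flags in packets:
        if direction == "out" and flags == "SYN":
            # The protected host initiated a connection; remember the pair.
            pending.add((src, dst))
            verdicts.append(("ALLOW", "outbound SYN, connection tracked"))
        elif direction == "in" and flags == "SYN/ACK":
            if (dst, src) in pending:
                verdicts.append(("ALLOW", "SYN/ACK matches a tracked connection"))
            else:
                # This is the case the thread describes: a SYN/ACK with no
                # connection behind it is dropped by the stateful device.
                unsolicited[src] += 1
                verdicts.append(("DROP", "unsolicited SYN/ACK, no tracked connection"))
        elif direction == "in" and flags == "SYN":
            # A bare SYN is a new connection attempt and is judged by port
            # policy, which this toy model does not implement.
            verdicts.append(("ALLOW", "new inbound connection attempt, subject to port policy"))
        else:
            verdicts.append(("DROP", "packet type not modelled here"))

    alerts = {src: n for src, n in unsolicited.items() if n >= unsolicited_threshold}
    return verdicts, alerts


def verdict_counts(packets):
    """Summarise how many packets the rule allowed and dropped."""
    verdicts, _ = stateful_filter(packets)
    return Counter(v for v, _ in verdicts)


if __name__ == "__main__":
    verdicts, alerts = stateful_filter(SAMPLE_PACKETS)
    for (direction, src, dst, flags), (verdict, reason) in zip(SAMPLE_PACKETS, verdicts):
        print(f"{direction:>3} {src:>12} -> {dst:<12} {flags:<8} {verdict:<5} {reason}")
    for src, n in alerts.items():
        print(f"ALERT: {n} unsolicited SYN/ACKs from {src} (repeated probes toward a protected host)")
```

Run stand-alone, the block prints one verdict line per packet and one alert for 203.0.113.9; the three SYN/ACKs from that source are dropped because no outbound SYN to it was ever tracked, while the single SYN/ACK from 203.0.113.5 passes. Logging the drop reason per source, rather than silently discarding, is what turns the firewall's stateful behaviour into a usable detection.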
Current thread:
- Idle Scanning behind stateful firewalls Glyn Geoghegan (Mar 26)
- Re: Idle Scanning behind stateful firewalls Paul Johnston (Mar 26)
- RE: Idle Scanning behind stateful firewalls nmap (Mar 26)
- Re: Idle Scanning behind stateful firewalls uz - do not reply (Mar 26)
- Idle Scanning behind stateful firewalls nmap (Mar 26)
- Re: Idle Scanning behind stateful firewalls CBuH. (Mar 27)