Nmap Development mailing list archives

Re: Idle Scanning behind stateful firewalls


From: "CBuH." <479001601 () mail ru>
Date: Sun, 28 Mar 2004 02:17:20 +0300




Hi everyone,

My thoughts on the case of "nmap's sending of SYN+ACK to the Idle" are that if
it were SYN only, then the Idle host should send SYN+ACK ... (RFC -- yes??) ...
but it will retry sending more SYN+ACKs if it then finds nothing in reply.
Right? Then we know nothing about the quantity and the timeout of those retries,
and the IPID would increase uncommonly. We can try the Idle host for this config
(quant. & timeout), but it will increase the time of scanning one port to
minutes.

That is all IMHO. :-)


On Friday 26 March 2004 13:22, Glyn Geoghegan wrote:
Hi all,

I have a problem with nmap's Idle Scanning.
http://www.insecure.org/nmap/idlescan.html

The probes nmap sends to the Zombie are SYN/ACKs, which afaik is a flexible
decision as the IPIDs increment the same regardless of whether a SYN or
SYN/ACK is sent.

But, because nmap uses a SYN/ACK, its probes get dropped by any stateful
devices (coz they aren't part of an active connection), preventing their
use as zombies.

This prevents using a web server (e.g. 192.168.0.1) as a zombie to
port-scan the rest of its network (e.g. 192.168.0.0/28) behind the
firewall.

I'm guessing it sends a SYN/ACK for performance reasons, as that will
solicit a RST rather than a SYN/ACK that must be RST by nmap.

Is there a way to change this?  Have I missed an option somewhere?  Or am I
talking gibberish?

Cheers,
Glyn Geoghegan.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org

--

        CBuH. CG[CX] XVyGYjau 479001600(at)mail.ru, ICQ#70929413
        GnuPG(PGP) public key is: http://www.vinnied.narod.ru/pubkey.asc
        http://www.vinnied.narod.ru
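To make the two posts' reasoning concrete, here is a small model (added here, not code from the thread or from nmap) of a zombie with a global incrementing IP ID behind a stateful firewall. It compares what one SYN/ACK probe and one plain SYN probe do to the IP ID observable at a later sample time; the retransmission backoff schedule and the `firewall_passes`, `packets_emitted` and `ipid_delta` helpers are constructed assumptions.

```python
"""Constructed model of the two zombie-probe choices discussed in this thread.

A zombie with a global, incrementing IP ID sits behind a stateful firewall.
We compare a single SYN/ACK probe with a single SYN probe and count how many
IP IDs the zombie consumes by a given sample time.  Retransmission timing is
an assumed exponential backoff, not a value taken from nmap or any RFC.
"""

# Assumed seconds after the probe at which the zombie retransmits an
# unanswered SYN/ACK; the thread's point is that a scanner cannot know these.
SYN_ACK_RETRANSMIT_TIMES = (3.0, 6.0, 12.0, 24.0)


def firewall_passes(flags: str, known_connections: set, peer: str) -> bool:
    """Stateful rule: a SYN may open state; anything else needs existing state."""
    if flags == "S":
        known_connections.add(peer)
        return True
    return peer in known_connections


def packets_emitted(probe_flags: str, sample_time: float) -> list:
    """Packets the zombie has sent in reply to one probe by sample_time."""
    if probe_flags == "SA":      # unsolicited SYN/ACK: a single RST, as Glyn describes
        return ["R"]
    if probe_flags == "S":       # SYN: immediate SYN/ACK, then retransmits while unanswered
        return ["SA"] + ["SA" for t in SYN_ACK_RETRANSMIT_TIMES if t <= sample_time]
    return []


def ipid_delta(probe_flags: str, sample_time: float, stateful: bool) -> int:
    """IP ID increase a scanner would observe at sample_time after one probe.

    Every packet the zombie emits consumes one IP ID (global counter model).
    """
    peer = "scanner"
    connections = set()
    if stateful and not firewall_passes(probe_flags, connections, peer):
        return 0                 # probe dropped by the firewall: no reply, no IP ID used
    return len(packets_emitted(probe_flags, sample_time))


def summarize() -> dict:
    """IP ID deltas for the scenarios the two posts discuss."""
    return {
        "SA, no firewall, t=1s": ipid_delta("SA", 1.0, stateful=False),
        "SA, stateful fw, t=1s": ipid_delta("SA", 1.0, stateful=True),
        "S, stateful fw, t=1s": ipid_delta("S", 1.0, stateful=True),
        "S, stateful fw, t=30s": ipid_delta("S", 30.0, stateful=True),
    }
```

The SYN case shows CBuH.'s objection: the delta depends on when the scanner samples relative to an unknown retransmit schedule, while the SYN/ACK case shows Glyn's: the stateful firewall drops it outright.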






