Nmap Development mailing list archives
Idle Scanning behind stateful firewalls
From: "Glyn Geoghegan" <nmap () moiler com>
Date: Fri, 26 Mar 2004 20:22:53 +1000
Hi all,

I have a problem with nmap's Idle Scanning. http://www.insecure.org/nmap/idlescan.html

The probes nmap sends to the Zombie are SYN/ACKs, which afaik is a flexible decision as the IPIDs increment the same regardless of whether a SYN or SYN/ACK is sent. But, because nmap uses a SYN/ACK, its probes get dropped by any stateful devices (coz they aren't part of an active connection), preventing their use as zombies.

This prevents using a web server (e.g. 192.168.0.1) as a zombie to port-scan the rest of its network (e.g. 192.168.0.0/28) behind the firewall.

I'm guessing it sends a SYN/ACK for performance reasons, as that will solicit a RST rather than a SYN/ACK that must be RST by nmap.

Is there a way to change this? Have I missed an option somewhere? Or am I talking gibberish?

Cheers,
Glyn Geoghegan.
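To make the filtering behaviour in the message above concrete, here is an added example (not from Glyn's post and not nmap code): a minimal connection-tracking filter that drops a SYN/ACK with no tracked SYN behind it while letting a normal handshake to a permitted service through. The addresses, ports and packet trace are constructed for the illustration.

```python
# Added example (not from the list message or from nmap): a minimal model of a
# stateful packet filter, showing why an unsolicited SYN/ACK probe to a host
# behind it is dropped while a normal SYN to a permitted service is allowed.
# Addresses, ports and the trace are constructed for the illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset

class StatefulFilter:
    """Connection tracking in the style of a simple stateful firewall."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        self.flows = {}  # (client, cport, server, sport) -> state

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:
            # New connection attempt: only to explicitly permitted services.
            if pkt.dport in self.allowed:
                self.flows[fwd] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if {"SYN", "ACK"} <= pkt.flags:
            # A SYN/ACK is valid only as the reply to a tracked SYN ...
            if self.flows.get(rev) == "SYN_SENT":
                self.flows[rev] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"  # ... so an unsolicited zombie probe never gets through
        # Any other segment must belong to a known flow, in either direction.
        if fwd in self.flows or rev in self.flows:
            if pkt.flags & {"RST", "FIN"}:
                self.flows.pop(fwd, None)
                self.flows.pop(rev, None)
            return "ALLOW"
        return "DROP"

def demo():
    fw = StatefulFilter(allowed_inbound_ports={80})
    outside, web = "203.0.113.5", "192.168.0.1"  # constructed addresses
    trace = [
        Packet(outside, 40000, web, 80, frozenset({"SYN", "ACK"})),  # bare probe
        Packet(outside, 40001, web, 80, frozenset({"SYN"})),         # real SYN
        Packet(web, 80, outside, 40001, frozenset({"SYN", "ACK"})),  # tracked reply
        Packet(outside, 40001, web, 80, frozenset({"RST"})),         # tear down
        Packet(web, 80, outside, 40001, frozenset({"SYN", "ACK"})),  # flow gone
    ]
    return [fw.decide(p) for p in trace]
```

Running `demo()` gives `["DROP", "ALLOW", "ALLOW", "ALLOW", "DROP"]`: the first and last SYN/ACKs have no tracked SYN behind them, which is exactly why a stateful device in front of a would-be zombie stops the probe.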