Nmap Development mailing list archives
scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold)
From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 30 Aug 2004 16:08:49 +0200
[ this email contains long unwrapped text lines, sorry :-) ]

On Sun, Aug 29, 2004 at 03:26:35AM -0700, Fyodor wrote:
> The command "nmap -T4 scanme.insecure.org" (which is against a filtered-by-default machine)

Could you please explain its behavior when SYN scanning on open TCP ports? Let's "half-open" a connection:

 % nmap --packet_trace -P0 -sS -p22 scanme.insecure.org
 Starting nmap 3.59ALPHA7 ( http://www.insecure.org/nmap/ ) at 2004-08-30 15:57 CEST
 SENT (0.0030s) TCP 193.84.252.200:44746 > 205.217.153.55:22 S ttl=39 id=59424 iplen=40 seq=3600912504 win=4096
 RCVD (0.2090s) TCP 205.217.153.55:22 > 193.84.252.200:44746 SA ttl=42 id=0 iplen=44 seq=2649899160 win=5840 ack=3600912505
 Interesting ports on scanme.insecure.org (205.217.153.55):
 PORT   STATE SERVICE
 22/tcp open  ssh
 Nmap run completed -- 1 IP address (1 host up) scanned in 0.215 seconds

And see what is happening on the wire during and after that:

 % tethereal host scanme.insecure.org
 Capturing on eth0
  0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
  0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
  4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 10.233010 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 10.233026 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 22.233725 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 22.233744 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 34.041831 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 34.041849 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 46.444227 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 46.444261 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 82.233015 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 82.233036 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 94.651784 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 94.651804 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0

I have already seen this during a penetration test against some Linux hosts but I couldn't explain it myself. It seems like the target is ignoring the RST packet. Could you help, please? :-)

Martin Mačok
IT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
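An added example (not part of the post above, nor Nmap's own code) that parses tethereal lines in the exact format quoted in the post and reports, per scanner-side port, the SYN-ACKs that arrived after the scanner had already sent its RST, plus SYN-ACKs for which no SYN appears in the capture. The sample below is a constructed subset of the quoted capture; the scanner address 193.84.252.200 is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tethereal lines quoted in the post.
CAPTURE = """\
0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
10.233010 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
"""

# One tethereal summary line: time, src -> dst, TCP sport > dport, [flags], Seq=, Ack=
LINE = re.compile(r"^(?P<t>[\d.]+) (?P<src>\S+) -> (?P<dst>\S+) TCP (?P<sport>\S+) > (?P<dport>\S+) "
                  r"\[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+) Ack=(?P<ack>\d+)")

def parse(text):
    """Turn capture lines into dicts; lines that do not match the summary format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            pkts.append({"t": float(d["t"]), "src": d["src"], "dst": d["dst"],
                         "sport": d["sport"], "dport": d["dport"],
                         "flags": {f.strip() for f in d["flags"].split(",")},
                         "seq": int(d["seq"]), "ack": int(d["ack"])})
    return pkts

def synack_after_rst(pkts, scanner):
    """{scanner_port: [(t_synack, seconds_since_first_rst), ...]} for SYN-ACKs the target
    kept sending after the scanner had already reset that half-open connection."""
    first_rst = {}
    late = defaultdict(list)
    for p in pkts:
        if p["src"] == scanner and "RST" in p["flags"]:
            first_rst.setdefault(p["sport"], p["t"])
        elif p["dst"] == scanner and {"SYN", "ACK"} <= p["flags"] and p["dport"] in first_rst:
            late[p["dport"]].append((p["t"], round(p["t"] - first_rst[p["dport"]], 6)))
    return dict(late)

def unsolicited_synacks(pkts, scanner):
    """Scanner ports that received a SYN-ACK although no SYN from that port is in the capture
    (e.g. the 53802 replies in the post, left over from an earlier probe)."""
    syn_ports = {p["sport"] for p in pkts
                 if p["src"] == scanner and "SYN" in p["flags"] and "ACK" not in p["flags"]}
    return sorted({p["dport"] for p in pkts
                   if p["dst"] == scanner and {"SYN", "ACK"} <= p["flags"] and p["dport"] not in syn_ports})
```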
Current thread:
- 3.59ALPHA7: About to go gold Fyodor (Aug 29)
- Re: 3.59ALPHA7: About to go gold Grishnav (Aug 29)
- Re: 3.59ALPHA7: About to go gold Fyodor (Aug 29)
- scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold) Martin Mačok (Aug 30)
- Re: scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold) Fyodor (Aug 30)
- Re: scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold) Martin Mačok (Aug 31)
- Re: scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold) Fyodor (Aug 30)
- Re: 3.59ALPHA7: About to go gold Grishnav (Aug 29)