Nmap Development mailing list archives

scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold)


From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 30 Aug 2004 16:08:49 +0200

[ this email contains long unwrapped text lines, sorry :-) ]

On Sun, Aug 29, 2004 at 03:26:35AM -0700, Fyodor wrote:

> The command "nmap -T4 scanme.insecure.org" (which is against
> a filtered-by-default machine)

Could you please explain its behavior when SYN scanning on open TCP
ports?

Let's "half-open" a connection:

% nmap --packet_trace -P0 -sS -p22 scanme.insecure.org

Starting nmap 3.59ALPHA7 ( http://www.insecure.org/nmap/ ) at 2004-08-30 15:57 CEST
SENT (0.0030s) TCP 193.84.252.200:44746 > 205.217.153.55:22 S ttl=39 id=59424 iplen=40 seq=3600912504 win=4096
RCVD (0.2090s) TCP 205.217.153.55:22 > 193.84.252.200:44746 SA ttl=42 id=0 iplen=44 seq=2649899160 win=5840 ack=3600912505
Interesting ports on scanme.insecure.org (205.217.153.55):
PORT   STATE SERVICE
22/tcp open  ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 0.215 seconds


And see what is happening on the wire during and after that:

% tethereal host scanme.insecure.org
Capturing on eth0
  0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
  0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
  4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 10.233010 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 10.233026 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 22.233725 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 22.233744 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 34.041831 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 34.041849 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 46.444227 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 46.444261 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 82.233015 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 82.233036 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
 94.651784 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
 94.651804 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0


I have already seen this during a penetration test against some Linux
hosts but I couldn't explain it myself. It seems like the target is ignoring
the RST packet. Could you help, please? :-)

Martin Mačok
IT Security Consultant
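As an added example (not part of Martin's mail or of Nmap itself), a small Python script that flags the pattern seen in the capture above when run over tethereal/tshark text output: SYN/ACKs that keep arriving for a flow after the scanning host has already answered that flow with a RST. The sample capture embedded below is constructed to mirror the trace above, using documentation addresses and shortened sequence numbers.

```python
import re
from collections import defaultdict

# One-line tethereal/tshark TCP summary, as in the capture above:
#   <ts> <src> -> <dst> TCP <sport> > <dport> [FLAGS] Seq=N Ack=N ...
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s+"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)"
)

def parse_line(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = float(p["ts"])
    p["flags"] = {f.strip() for f in p["flags"].split(",")}
    return p

def synack_after_rst(lines):
    """Map (client, cport, server, sport) -> timestamps of SYN/ACKs that were
    received after the client had already sent a RST for that flow."""
    first_rst = {}                   # flow -> timestamp of the first RST we sent
    late_synacks = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if "RST" in p["flags"]:
            flow = (p["src"], p["sport"], p["dst"], p["dport"])
            first_rst.setdefault(flow, p["ts"])
        elif {"SYN", "ACK"} <= p["flags"]:
            # SYN/ACK travels server -> client; normalise to the client-side key
            flow = (p["dst"], p["dport"], p["src"], p["sport"])
            if flow in first_rst and p["ts"] > first_rst[flow]:
                late_synacks[flow].append(p["ts"])
    return dict(late_synacks)

# Constructed sample: one flow that keeps getting SYN/ACKs after our RST,
# and one flow (port 50001 -> http) where the RST is honoured.
SAMPLE = """\
  0.000000 192.0.2.10 -> 198.51.100.5 TCP 44746 > ssh [SYN] Seq=1000 Ack=0 Win=4096 Len=0
  0.205689 198.51.100.5 -> 192.0.2.10 TCP ssh > 44746 [SYN, ACK] Seq=5000 Ack=1001 Win=5840 Len=0 MSS=1460
  0.205728 192.0.2.10 -> 198.51.100.5 TCP 44746 > ssh [RST] Seq=1001 Ack=0 Win=0 Len=0
  4.251337 198.51.100.5 -> 192.0.2.10 TCP ssh > 44746 [SYN, ACK] Seq=5000 Ack=1001 Win=5840 Len=0 MSS=1460
  4.251355 192.0.2.10 -> 198.51.100.5 TCP 44746 > ssh [RST] Seq=1001 Ack=0 Win=0 Len=0
 10.233010 198.51.100.5 -> 192.0.2.10 TCP ssh > 44746 [SYN, ACK] Seq=5000 Ack=1001 Win=5840 Len=0 MSS=1460
 10.233026 192.0.2.10 -> 198.51.100.5 TCP 44746 > ssh [RST] Seq=1001 Ack=0 Win=0 Len=0
 12.000000 192.0.2.10 -> 198.51.100.5 TCP 50001 > http [SYN] Seq=2000 Ack=0 Win=4096 Len=0
 12.100000 198.51.100.5 -> 192.0.2.10 TCP http > 50001 [SYN, ACK] Seq=7000 Ack=2001 Win=5840 Len=0 MSS=1460
 12.100100 192.0.2.10 -> 198.51.100.5 TCP 50001 > http [RST] Seq=2001 Ack=0 Win=0 Len=0
"""

if __name__ == "__main__":
    for flow, stamps in synack_after_rst(SAMPLE.splitlines()).items():
        print("%s:%s <- %s:%s: %d SYN/ACK(s) after our RST at %s"
              % (flow[0], flow[1], flow[2], flow[3], len(stamps), stamps))
```

Feed it a real capture with `tethereal host <target> | python3 script.py` after replacing SAMPLE with stdin to check whether a host's SYN/ACK retransmissions ignore the scanner's RST.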
