Nmap Development mailing list archives

Re: scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold)


From: Fyodor <fyodor () insecure org>
Date: Mon, 30 Aug 2004 21:30:45 -0700

On Mon, Aug 30, 2004 at 04:08:49PM +0200, Martin Mačok wrote:
And see what is happening on the wire during and after that:

% tethereal host scanme.insecure.org
Capturing on eth0
  0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
  0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
  4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0

Is tethereal running on the source host?  Maybe the RST isn't making
its way to the destination because of host firewall rules on the src
host?  Have you tried running this on the target to see whether the
RST packets show up?  Like you said, it does look like the target is
ignoring them.  Nmap does not send the RSTs, they are sent by the
kernel, so they should be just like any other RSTs that host sends.

Cheers,
-F
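
An added example, not part of the original message: a short Python script that runs over the capture quoted above and flags SYN/ACK retransmissions arriving after the scanning host already sent a RST for the same handshake, which is the symptom discussed in this thread. The function and variable names are illustrative, and the regular expression assumes the tethereal line layout shown in the capture.

```python
import re

# Capture lines from the message above; the wrapped "MSS=1460" is rejoined to its line.
CAPTURE = """\
  0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
  0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
  4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 MSS=1460
  4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
 10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 MSS=1460
 10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
"""

# Assumed layout: time, src -> dst, "TCP", sport > dport, [flags], Seq=, Ack=
LINE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+) TCP "
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\] "
    r"Seq=(?P<seq>\d+) Ack=(?P<ack>\d+)"
)

def parse(text):
    """Yield one dict per TCP summary line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            p = m.groupdict()
            p["t"] = float(p["t"])
            p["flags"] = frozenset(f.strip() for f in p["flags"].split(","))
            yield p

def synacks_after_rst(text):
    """Return (scanner_port, time, seconds_since_first_rst) per repeated SYN/ACK."""
    first_rst = {}   # (scanner, port, target, service, seq) -> time of first RST
    findings = []
    for p in parse(text):
        if p["flags"] == {"RST"}:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
            first_rst.setdefault(key, p["t"])
        elif p["flags"] == {"SYN", "ACK"}:
            # A SYN/ACK acknowledges ISN+1, the same number the RST carries as Seq.
            key = (p["dst"], p["dport"], p["src"], p["sport"], p["ack"])
            if key in first_rst:
                findings.append((p["dport"], p["t"], round(p["t"] - first_rst[key], 6)))
    return findings

if __name__ == "__main__":
    for port, t, delay in synacks_after_rst(CAPTURE):
        print(f"port {port}: SYN/ACK at {t:.6f}s, {delay:.6f}s after the first RST")
```

On this capture it reports one retransmitted SYN/ACK, for port 44746, about 4.05 seconds after the first RST. The SYN/ACK to port 53802 is not flagged because the capture holds no earlier RST for that handshake.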
