Nmap Development mailing list archives
nmap 4: Still no MSS in SYN scans?
From: Juergen Schmidt <ju () heisec de>
Date: Wed, 1 Feb 2006 14:01:41 +0100 (CET)
Hello,

in November I reported that nmap SYN scans can be easily detected and blocked, because they do not set TCP MSS. All TCP/IP implementations I checked do set MSS on the initial SYN packet of a new TCP connection. See:

http://seclists.org/lists/nmap-dev/2005/Oct-Dec/0113.html

As far as I can see, there is still no option to set MSS on SYN scans in nmap 4. Or did I miss something? Are there any plans to include an option that sets the MSS on the SYN packets generated for TCP SYN scans?

To recap a short POC:

---
# ./nmap -p 22,23 -sS thor

Starting Nmap 4.00 ...
Interesting ports on thor ...:
PORT   STATE  SERVICE
22/tcp open   ssh
23/tcp closed telnet

========
thor# iptables -I INPUT -p tcp --syn --tcp-option \! 2 -j DROP
========

# ./nmap -p 22,23 -sS thor
...
PORT   STATE    SERVICE
22/tcp filtered ssh
23/tcp filtered telnet

# ./nmap -p 22,23 -sT thor
...
PORT   STATE  SERVICE
22/tcp open   ssh
23/tcp closed telnet
-------

As you can see, after setting the iptables rule, nmap -sS reports the ports as filtered, but they are in fact open/closed -- as shown by the last connect scan. I can connect via ssh too.

bye, ju

--
Juergen Schmidt          Chefredakteur heise Security       www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300    FAX +49 511 5352 417    EMail ju () heisec de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
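The iptables rule in the post matches one condition: a TCP SYN (no ACK) whose option list has no MSS (kind 2). The following is an added example, not code from the post or from nmap, that implements the same check in pure Python over raw TCP segments, so a defender can test it against captured traffic or the constructed samples below (the sample builder and port numbers are constructed for illustration).

```python
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def tcp_options(segment: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP segment."""
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    opts, i, parsed = segment[20:data_offset], 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                       # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                 # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                 # malformed; stop parsing
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def is_syn_without_mss(segment: bytes) -> bool:
    """True for an initial SYN (SYN set, ACK clear) that carries no MSS option,
    i.e. the segment the post's iptables rule would DROP."""
    flags = segment[13]
    if not (flags & TCP_FLAG_SYN) or (flags & TCP_FLAG_ACK):
        return False
    return OPT_MSS not in tcp_options(segment)


def build_syn(src_port: int, dst_port: int, options: bytes = b"") -> bytes:
    """Constructed sample SYN segment (checksum left zero; not for sending)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32 bits
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                       data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0) + options


MSS_1460 = struct.pack("!BBH", OPT_MSS, 4, 1460)
NORMAL_SYN = build_syn(40000, 22, MSS_1460)   # what a real TCP stack sends
BARE_SYN = build_syn(40001, 22)               # option-less SYN, as in the post


def flag_bare_syns(segments) -> list:
    """Indices of segments the rule would drop (or a sensor would alert on)."""
    return [i for i, s in enumerate(segments) if is_syn_without_mss(s)]
```

Feeding it a SYN-ACK or any segment that already carries kind 2 returns False, mirroring the fact that the rule only affects the scanner's bare SYNs while the connect scan and a normal ssh session pass.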
Current thread:
- nmap 4: Still no MSS in SYN scans? Juergen Schmidt (Feb 01)
- Re: nmap 4: Still no MSS in SYN scans? Fyodor (Feb 02)
- Re: nmap 4: Still no MSS in SYN scans? Richard Moore (Feb 03)
- Re: nmap 4: Still no MSS in SYN scans? Fyodor (Feb 02)