Nmap Development mailing list archives

Re: Maybe bug, with -sP and ASA sending RST for denied networks


From: Pluto <pluto () stderr de>
Date: Fri, 26 Oct 2007 14:50:59 +0200

On Wed, Oct 24, 2007 at 02:59:36PM -0400, Dario Ciccarone (dciccaro) wrote:
> Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a
> possible explanation - whoever configured the device enabled the
> "service resetinbound" option:
> 
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1348346
> 
> The ICMP probe might then be dropped, and the probe to 80/tcp replied
> with an RST. Hard then to determine what is going on just by looking at
> a packet capture and with no additional info. My money would be on
> "resetinbound" plus ACL dropping ICMP echo request. But it could also be
> that the ruleset drops indeed ICMP echo request, but has an entry that
> says "permit tcp any host X" - and host X isn't actually listening on
> 80/tcp.

  Actually it would be possible to detect such a behaviour, as in my
experience these devices are in front of a firewall, so nmap usually sees very
many RSTs, like ping is dead *and* all scanned ports are "closed", which is
odd and could be noticed. Another thing is, when the TTL of the RST is lower
than the TTL of a SYN-ACK this could be noticed by nmap as well. With hping
you get to see these details, so you can differentiate manually.

  Regards

-- 
  Pluto   -   SysAdmin of Hades
  Free information! Freedom through knowledge. Wisdom for all!! =:-)
  PGP://0xB4BBB4A9?524CB500A8F3EAA2&6A3E5272F9072A17  ICQ: 286852401

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
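The two heuristics Pluto describes above (a host whose ICMP echo is dead while every scanned port answers with an RST, and RSTs whose TTL does not match the TTL of SYN-ACKs from the same host) can be applied to a scan's per-probe results. The following is an added example written for this archive page; it is not code from the post, from Nmap, or from hping. It assumes constructed probe records rather than a live capture, and where the post mentions RST TTLs being lower than SYN-ACK TTLs, the check below reports a mismatch in either direction, since any consistent TTL difference points at a different originating hop than the host itself.

```python
"""Flag scan responses that look like an inline device answering instead of the host.

Constructed example: ProbeResult records model what a scanner observes for each
probe it sent. No packets are sent or captured here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProbeResult:
    proto: str            # "icmp" (echo request) or "tcp" (SYN probe)
    port: Optional[int]   # TCP destination port, None for ICMP
    reply: Optional[str]  # None = no reply; else "echo-reply", "rst" or "syn-ack"
    ttl: Optional[int]    # IP TTL seen on the reply, None if no reply


def ping_dead(results: List[ProbeResult]) -> bool:
    """True if ICMP echo probes were sent and none got a reply."""
    icmp = [r for r in results if r.proto == "icmp"]
    return bool(icmp) and all(r.reply is None for r in icmp)


def all_ports_closed(results: List[ProbeResult]) -> bool:
    """True if every TCP probe was answered with an RST (nmap: 'closed')."""
    tcp = [r for r in results if r.proto == "tcp"]
    return bool(tcp) and all(r.reply == "rst" for r in tcp)


def ttl_mismatch(results: List[ProbeResult]) -> Optional[str]:
    """Compare RST TTLs against SYN-ACK TTLs from the same host.

    Returns "rst-ttl-lower", "rst-ttl-higher", or None when the ranges overlap
    (RSTs then plausibly come from the same stack as the SYN-ACKs) or when one
    of the two reply types is absent.
    """
    rst_ttls = {r.ttl for r in results if r.reply == "rst" and r.ttl is not None}
    synack_ttls = {r.ttl for r in results if r.reply == "syn-ack" and r.ttl is not None}
    if not rst_ttls or not synack_ttls:
        return None
    if max(rst_ttls) < min(synack_ttls):
        return "rst-ttl-lower"
    if min(rst_ttls) > max(synack_ttls):
        return "rst-ttl-higher"
    return None


def assess(results: List[ProbeResult]) -> List[str]:
    """Return the list of findings that suggest RSTs were not generated by the host."""
    findings = []
    if ping_dead(results) and all_ports_closed(results):
        findings.append("ping-dead-all-closed")
    mismatch = ttl_mismatch(results)
    if mismatch:
        findings.append(mismatch)
    return findings


# Constructed scenario 1: echo dropped, every port "closed" with identical TTLs.
SCENARIO_DROPPED_AND_RESET = [
    ProbeResult("icmp", None, None, None),
    ProbeResult("tcp", 80, "rst", 250),
    ProbeResult("tcp", 443, "rst", 250),
    ProbeResult("tcp", 22, "rst", 250),
]

# Constructed scenario 2: one real open port; RSTs for the rest arrive with a
# different TTL than the host's own SYN-ACK.
SCENARIO_MIXED_ORIGIN = [
    ProbeResult("icmp", None, None, None),
    ProbeResult("tcp", 22, "syn-ack", 57),
    ProbeResult("tcp", 80, "rst", 52),
    ProbeResult("tcp", 443, "rst", 52),
]

# Constructed scenario 3: ordinary host, nothing to flag.
SCENARIO_PLAIN_HOST = [
    ProbeResult("icmp", None, "echo-reply", 57),
    ProbeResult("tcp", 22, "syn-ack", 57),
    ProbeResult("tcp", 80, "rst", 57),
]

if __name__ == "__main__":
    for name, scenario in [("dropped+reset", SCENARIO_DROPPED_AND_RESET),
                           ("mixed-origin", SCENARIO_MIXED_ORIGIN),
                           ("plain-host", SCENARIO_PLAIN_HOST)]:
        print(f"{name}: {assess(scenario) or 'no findings'}")
```

Neither finding is proof on its own: a host with a local packet filter that drops ICMP and a stack that resets every port produces the first pattern too, and TTL comparisons are only meaningful across replies from the same scan run and path. The value of the checks is that they turn "every port is closed" into something worth a second look, as the post suggests.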
