Nmap Development mailing list archives

Re: Bug: specified source port not honored in ncat


From: Gabriel Friedmann <gabriel () gsource org>
Date: Wed, 19 May 2010 12:18:24 -0500

Thank you, David.

I found that the server I was using also had a webserver running on TCP port
80. This prevented ncat from binding to source port 80. What confused me
was that the Nmap SYN scan was still able to run (which is how I found the open
ports to begin with).

I expected ncat to complain loudly and fail if it could not honor my
request. Instead it made a best-effort attempt to get the job done. That is
friendlier behavior than I was expecting, and it puzzled me when services
were not being version checked after the ports were determined to be open
with a SYN scan.

Of course, there are other cases where TCP ports may be detected as open and
fail an actual handshake, so I agree that this was not a bug. Sorry about
that.

As for the suspected related issue (which it turns out may be unrelated): even
with the webserver off and ncat verified to be setting the source port as
specified, I am still seeing NSE not honoring the source port flag when trying
to do a version scan.



On Wed, May 19, 2010 at 11:41 AM, David Fifield <david () bamsoftware com> wrote:

On Tue, May 18, 2010 at 01:13:18PM -0500, Gabriel Friedmann wrote:
Bug: Specifying --source-port (or -p) for ncat connections does not appear
to be honored.

Ncat: Version 5.30BETA1

My host: Linux, CentOS 5.5

Please note that the source port on the source host (ghost) is selected to be
40967 instead of the specified port 80.

---------Command---------
[gabriel@ghost ~]$ sudo ncat -vvv --source-port 80 74.125.79.99 80
Ncat: Version 5.30BETA1 ( http://nmap.org/ncat )
NSOCK (0.0030s) TCP connection requested to 74.125.79.99:80 (IOD #1) EID 8
NSOCK (0.0030s) Bind to 0.0.0.0 failed (IOD #1) EID 8
NSOCK (0.0230s) Callback: CONNECT SUCCESS for EID 8 [74.125.79.99:80]
Ncat: Connected to 74.125.79.99:80.
NSOCK (0.0230s) Read request from IOD #1 [74.125.79.99:80] (timeout: -1ms) EID 18
NSOCK (0.0230s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26

This looks like it is caused by some configuration of your system.
Notice the line

NSOCK (0.0030s) Bind to 0.0.0.0 failed (IOD #1) EID 8

That means that Ncat tried to set the source port but the operating
system did not allow it. Maybe it's because of SELinux or something
else.

Setting the source port works for me.

# ncat -vvv -p 80 google.com 80
Ncat: Version 5.30BETA1 ( http://nmap.org/ncat )
NSOCK (0.0030s) TCP connection requested to 66.102.7.104:80 (IOD #1) EID 8
NSOCK (0.1120s) Callback: CONNECT SUCCESS for EID 8 [66.102.7.104:80]
Ncat: Connected to 66.102.7.104:80.
NSOCK (0.1120s) Read request from IOD #1 [66.102.7.104:80] (timeout: -1ms) EID 18
NSOCK (0.1120s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26

And the tcpdump output:

10:38:40.991011 IP 192.168.0.21.80 > 66.102.7.104.80: Flags [S], seq 3032478975, win 5792, options [mss 1460,sackOK,TS val 95159737 ecr 2587190733,nop,wscale 5], length 0
10:38:41.095993 IP 66.102.7.104.80 > 192.168.0.21.80: Flags [S.], seq 990492735, ack 3032478976, win 5672, options [mss 1430,sackOK,TS val 2587206052 ecr 95159737,nop,wscale 6], length 0
10:38:41.096088 IP 192.168.0.21.80 > 66.102.7.104.80: Flags [.], ack 1, win 181, options [nop,nop,TS val 95159842 ecr 2587206052], length 0

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
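The following is an added example written for this archive page; it is not Ncat or Nmap code and not part of either message above. It reproduces, on loopback with constructed listeners, the situation the thread settles on: when another socket already listens on the port you asked for as a source port, the kernel refuses the bind() with EADDRINUSE (the "Bind to 0.0.0.0 failed" line in the nsock output), and a tool can then either fail loudly or, as Ncat did here, carry on from an ephemeral port. `port_is_bindable` is the pre-flight check to run before blaming the tool; `connect_with_source_port` shows both the strict and the best-effort policy side by side and reports which local port was actually used, which is what `getsockname()` (or tcpdump, as in the reply) tells you. Function names, the `strict` flag and the loopback listeners are all assumptions made for this example.

```python
import errno
import socket


def port_is_bindable(addr, port):
    """Return True if a fresh TCP socket can bind to (addr, port) right now.

    Pre-flight check: before asking a tool to use a fixed source port, confirm
    nothing on this host already owns it.  A listening web server on port 80
    is exactly what made the bind fail in the thread above.  Note this is a
    point-in-time answer; another process could still grab the port later.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((addr, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        probe.close()


def connect_with_source_port(host, port, source_port, source_addr="0.0.0.0", strict=True):
    """Open a TCP connection from a chosen local port (hypothetical helper).

    strict=True  -> fail loudly: raise if the source port cannot be bound.
    strict=False -> best effort, like the Ncat behaviour in the thread: fall
                    back to a kernel-chosen ephemeral port and report that.
    Returns (sock, local_port_used, source_port_honoured).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    honoured = True
    try:
        sock.bind((source_addr, source_port))
    except OSError as exc:
        if strict or exc.errno != errno.EADDRINUSE:
            sock.close()
            raise
        honoured = False  # kernel refused the port; let it pick one instead
    try:
        sock.connect((host, port))
    except OSError:
        sock.close()
        raise
    # getsockname() is the in-process equivalent of checking tcpdump.
    return sock, sock.getsockname()[1], honoured


def demo():
    """Reproduce the thread's scenario on loopback with constructed listeners.

    'target' stands in for the remote service; 'busy' stands in for the local
    web server that already holds the port we want to use as a source port.
    """
    target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target.bind(("127.0.0.1", 0))
    target.listen(5)
    target_port = target.getsockname()[1]

    busy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    busy.bind(("127.0.0.1", 0))
    busy.listen(1)
    busy_port = busy.getsockname()[1]

    # Reserve-and-release a port so we have one that is known to be free.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]
    tmp.close()

    results = {"busy_port": busy_port, "free_port": free_port}
    results["free_port_bindable"] = port_is_bindable("127.0.0.1", free_port)
    results["busy_port_bindable"] = port_is_bindable("127.0.0.1", busy_port)

    # Case 1: nothing owns free_port, so the requested source port is honoured.
    s1, used1, ok1 = connect_with_source_port("127.0.0.1", target_port, free_port, "127.0.0.1")
    results["free_case"] = (used1, ok1)
    s1.close()

    # Case 2, strict: the listener on busy_port makes bind() fail with EADDRINUSE.
    try:
        connect_with_source_port("127.0.0.1", target_port, busy_port, "127.0.0.1", strict=True)
        results["strict_error"] = None
    except OSError as exc:
        results["strict_error"] = exc.errno

    # Case 3, best effort: connect anyway from an ephemeral port, and say so.
    s3, used3, ok3 = connect_with_source_port("127.0.0.1", target_port, busy_port, "127.0.0.1", strict=False)
    results["best_effort_case"] = (used3, ok3)
    s3.close()

    for s in (target, busy):
        s.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of keeping both policies in one helper is that the difference between them is only visible if you look at the local port after connect(): a best-effort client connects fine and the remote service never knows a different source port was requested, which is why a SYN scan (raw packets, no bind) can report the port open while a connection that needed source port 80 never goes out from port 80.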

