Nmap Development mailing list archives

Re: TCP Split Handshake and Nmap


From: jah <jah () zadkiel plus com>
Date: Wed, 09 Jun 2010 00:58:38 +0100

On 08/06/2010 18:26, David Fifield wrote:
On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
  
The attached patch does very little work since the split handshake SYN
passes the existing checks for dest port matching a probe source port;
it adds a test for the SYN flag right after the test for SYN|ACK for SYN
scans.
    
+         } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {

Just one thing I would change here:

+         } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {
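Review bot: the masked test `(tcp->th_flags & TH_SYN) == TH_SYN` also matches SYN|ACK, so it is correct only because it runs after the SYN|ACK branch; if that branch is ever reordered, SYN|ACK responses would be reported as split-handshake SYNs. Masking both bits, `(tcp->th_flags & (TH_SYN | TH_ACK)) == TH_SYN`, states the intent directly ("SYN set, ACK clear") and does not depend on branch order, while still accepting SYN|URG, SYN|PSH and similar.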

That way it will work with a SYN|URG or SYN|PSH or something else silly.
Putting this test after the SYN|ACK test lets SYN|ACK continue giving
the correct reason code.
  

Hi David, All,

If we're going to make the rule catch all responses with the SYN bit set
(and optionally other bits), except for SYN|ACK, perhaps the reason
string should be changed also because "split-handshake-syn" wouldn't then
convey the full information.  We could instead leave the reason string
as it is and print a message to the effect that a response received was
evidence of a split handshake and print the tcp flag value.  Or we could
do both and make the reason string 'syn-other' or something.

jah
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
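A worked example, added here and not part of jah's patch or of Nmap's code, showing why the two tests quoted above behave differently on responses such as SYN|URG, and how the flag value jah proposes printing can be rendered alongside the reason string. The classifier order (SYN|ACK first, then RST, then the split-handshake test) follows David's description; the function names, the message wording and the sample flag bytes are assumptions, and the TH_* values are the standard ones from <netinet/tcp.h>, redefined locally so the file builds on its own.

```c
#include <stdio.h>
#include <string.h>

/* Standard TCP flag bits (same values as <netinet/tcp.h>), defined here so
 * the example builds stand-alone. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

/* Reason for a SYN-scan response using the strict test from the original
 * patch: only a bare SYN counts as a split-handshake SYN. The branch order
 * (SYN|ACK, RST, split-handshake SYN) is assumed, following David's note. */
const char *reason_strict(unsigned char th_flags)
{
    if ((th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return "syn-ack";
    if (th_flags & TH_RST)
        return "reset";
    if (th_flags == TH_SYN)             /* misses SYN|URG, SYN|PSH, ... */
        return "split-handshake-syn";
    return "unknown";
}

/* Same classifier with David's masked test. It matches any response carrying
 * SYN, so it is correct only because the SYN|ACK branch runs first. */
const char *reason_masked(unsigned char th_flags)
{
    if ((th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return "syn-ack";
    if (th_flags & TH_RST)
        return "reset";
    if ((th_flags & TH_SYN) == TH_SYN)  /* SYN plus any bits other than ACK */
        return "split-handshake-syn";
    return "unknown";
}

/* Render a flag byte as "SYN|URG" so a diagnostic can show exactly what came
 * back, as jah suggests. buf needs at least 24 bytes for the all-bits case. */
void format_flags(unsigned char th_flags, char *buf, size_t len)
{
    static const struct { unsigned char bit; const char *name; } names[] = {
        {TH_FIN, "FIN"}, {TH_SYN, "SYN"}, {TH_RST, "RST"},
        {TH_PUSH, "PSH"}, {TH_ACK, "ACK"}, {TH_URG, "URG"},
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(th_flags & names[i].bit))
            continue;
        if (buf[0] != '\0')
            strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, names[i].name, len - strlen(buf) - 1);
    }
    if (buf[0] == '\0')
        snprintf(buf, len, "none");
}

/* Build the message jah proposes printing next to the reason string (the
 * wording is an assumption). Returns the number of characters written. */
int split_handshake_notice(unsigned char th_flags, char *out, size_t len)
{
    char flags[32];
    format_flags(th_flags, flags, sizeof flags);
    return snprintf(out, len,
                    "response with flags %s (0x%02x) is evidence of a split handshake",
                    flags, th_flags);
}

int main(void)
{
    /* Constructed sample responses: bare SYN, SYN|URG, SYN|ACK, RST. */
    const unsigned char samples[] = { TH_SYN, TH_SYN | TH_URG, TH_SYN | TH_ACK, TH_RST };
    char flags[32], msg[96];

    for (size_t i = 0; i < sizeof samples; i++) {
        format_flags(samples[i], flags, sizeof flags);
        printf("%-8s strict=%-20s masked=%s\n", flags,
               reason_strict(samples[i]), reason_masked(samples[i]));
    }
    split_handshake_notice(TH_SYN | TH_PUSH, msg, sizeof msg);
    puts(msg);
    return 0;
}
```

Running it shows the SYN|URG sample classified as "unknown" by the strict test and as "split-handshake-syn" by the masked test, while SYN|ACK keeps its "syn-ack" reason under both because that branch is tested first.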

