Nmap Development mailing list archives
Re: TCP Split Handshake and Nmap
From: jah <jah () zadkiel plus com>
Date: Wed, 09 Jun 2010 00:58:38 +0100
On 08/06/2010 18:26, David Fifield wrote:
On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
> The attached patch does very little work since the split handshake SYN
> passes the existing checks for dest port matching a probe source port;
> it adds a test for the SYN flag right after the test for SYN|ACK for
> SYN scans.
>
> +  } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {

Just one thing I would change here:

+  } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {

That way it will work with a SYN|URG or SYN|PSH or something else silly.
Putting this test after the SYN|ACK test lets SYN|ACK continue giving the
correct reason code.
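Review bot: the masked form `(tcp->th_flags & TH_SYN) == TH_SYN` also matches SYN|ACK, so the correct reason code now depends entirely on this branch being evaluated after the SYN|ACK test; a one-line comment on the branch stating that ordering requirement would protect it against a later reorder of the chain. The mask likewise matches a SYN|RST, which the quoted lines do not show being handled earlier; if RST is not already tested above this point, consider `(tcp->th_flags & (TH_SYN | TH_RST)) == TH_SYN` so a reset is not reported as a split-handshake SYN.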
Hi David, All,

If we're going to make the rule catch all responses with the SYN bit set (and optionally other bits), except for SYN|ACK, perhaps the reason string should be changed also, because "split-handshake-syn" wouldn't then convey the full information.

We could instead leave the reason string as it is and print a message to the effect that a response received was evidence of a split handshake and print the tcp flag value.

Or we could do both and make the reason string 'syn-other' or something.

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
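The two conditions discussed in the thread, and why their position relative to the SYN|ACK test matters, are easier to see in isolation. The following is an added example written for this archive page; it is not Nmap code and does not use Nmap's scan-engine structures. It classifies the flag byte of a reply to a SYN probe, contrasts the exact-match test with the masked test, and formats the flag bits the way jah proposes printing them. The TH_* values are the standard BSD <netinet/tcp.h> bit values, redefined here so the example builds without the system header; the enum and reason strings other than "split-handshake-syn" are illustrative names, not anything Nmap emits.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Standard TCP flag bits (same values as BSD <netinet/tcp.h>), defined
 * locally so this example compiles stand-alone. */
#ifndef TH_FIN
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#endif

/* Classification of a reply to a SYN-scan probe (illustrative names). */
typedef enum {
    REPLY_SYN_ACK,   /* normal handshake: port open */
    REPLY_RST,       /* reset: port closed */
    REPLY_SPLIT_SYN, /* SYN without ACK: the peer is doing a split handshake */
    REPLY_OTHER
} reply_class_t;

/* Condition from the original patch: exact match on the flag byte.
 * A SYN|PSH or SYN|URG reply falls through and is not recognised. */
int is_split_syn_exact(uint8_t flags) {
    return flags == TH_SYN;
}

/* Condition suggested in the reply: mask test, tolerates extra bits.
 * Note it is also true for SYN|ACK, so it must run after the SYN|ACK test. */
int is_split_syn_masked(uint8_t flags) {
    return (flags & TH_SYN) == TH_SYN;
}

/* Ordered chain of tests. The SYN|ACK and RST checks come first so that
 * the masked SYN test only ever sees the leftovers. */
reply_class_t classify_syn_scan_reply(uint8_t flags) {
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
        return REPLY_SYN_ACK;
    if (flags & TH_RST)
        return REPLY_RST;
    if (is_split_syn_masked(flags))
        return REPLY_SPLIT_SYN;
    return REPLY_OTHER;
}

/* Reason strings; only "split-handshake-syn" comes from the thread. */
const char *reply_reason(reply_class_t c) {
    switch (c) {
    case REPLY_SYN_ACK:   return "syn-ack";
    case REPLY_RST:       return "reset";
    case REPLY_SPLIT_SYN: return "split-handshake-syn";
    default:              return "other";
    }
}

/* Render a flag byte as e.g. "SYN|PSH" for a diagnostic message.
 * Uses a static buffer for simplicity; not reentrant. */
const char *tcp_flags_str(uint8_t flags) {
    static const struct { uint8_t bit; const char *name; } names[] = {
        {TH_FIN, "FIN"}, {TH_SYN, "SYN"}, {TH_RST, "RST"},
        {TH_PUSH, "PSH"}, {TH_ACK, "ACK"}, {TH_URG, "URG"},
    };
    static char buf[32];
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].bit))
            continue;
        int n = snprintf(buf + used, sizeof buf - used, "%s%s",
                         used ? "|" : "", names[i].name);
        if (n < 0 || (size_t)n >= sizeof buf - used)
            break;
        used += (size_t)n;
    }
    if (used == 0)
        snprintf(buf, sizeof buf, "none");
    return buf;
}

int main(void) {
    /* Constructed sample replies: a split-handshake SYN with PSH set,
     * a normal SYN|ACK, and a reset. */
    uint8_t samples[] = { TH_SYN | TH_PUSH, TH_SYN | TH_ACK, TH_RST | TH_ACK };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t f = samples[i];
        printf("flags=%-8s exact=%d masked=%d reason=%s\n", tcp_flags_str(f),
               is_split_syn_exact(f), is_split_syn_masked(f),
               reply_reason(classify_syn_scan_reply(f)));
    }
    return 0;
}
```

The interesting row is SYN|PSH: the exact test misses it, the masked test catches it. SYN|ACK shows why ordering is load-bearing, since the masked test alone returns true for it as well.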
Current thread:
- TCP Split Handshake and Nmap jah (Jun 02)
- what is ER_INITACK? jah (Jun 02)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap jah (Jun 04)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 07)
- Re: TCP Split Handshake and Nmap jah (Jun 07)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap jah (Jun 08)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 10)