Nmap Development mailing list archives

Re: what does -sA and -sO mean? NT


From: Ron <ron () skullsecurity net>
Date: Thu, 12 Aug 2010 11:18:24 -0500

You should check out the manpage for Nmap. Sorry if this gets wrapped poorly...

       -sA (TCP ACK scan)
           This scan is different than the others discussed so far in that it never determines open (or even
           open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful
           or not and which ports are filtered.

           The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning
           unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as
           unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is
           undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2,
           3, 9, 10, or 13), are labeled filtered.

       -sO (IP protocol scan)
           IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by
           target machines. This isn't technically a port scan, since it cycles through IP protocol numbers
           rather than TCP or UDP port numbers. Yet it still uses the -p option to select scanned protocol
           numbers, reports its results within the normal port table format, and even uses the same underlying
           scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs
           here.

           Besides being useful in its own right, protocol scan demonstrates the power of open source software.
           While the fundamental idea is pretty simple, I had not thought to add it nor received any requests
           for such functionality. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an
           excellent patch implementing it, and sent it to the nmap-hackers mailing list. I incorporated that
           patch into the Nmap tree and released a new version the next day. Few pieces of commercial software
           have users enthusiastic enough to design and contribute their own improvements!

           Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number
           field of a UDP packet, it sends IP packet headers and iterates through the 8-bit IP protocol field.
           The headers are usually empty, containing no data and not even the proper header for the claimed
           protocol. The three exceptions are TCP, UDP, and ICMP. A proper protocol header for those is included
           since some systems won't send them otherwise and because Nmap already has functions to create them.
           Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP
           protocol unreachable messages. If Nmap receives any response in any protocol from the target host,
           Nmap marks that protocol as open. An ICMP protocol unreachable error (type 3, code 2) causes the
           protocol to be marked as closed. Other ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause
           the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no
           response is received after retransmissions, the protocol is marked open|filtered.



On Wed, 11 Aug 2010 09:41:47 +0000 MALTE SIMON
<malte_simon () hotmail com> wrote:

NT = No Text
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
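The two manpage excerpts above are really two small decision tables: for -sA, RST means unfiltered and silence or one of the listed ICMP type 3 errors means filtered; for -sO, ICMP type 3 code 2 means closed, the other listed type 3 codes mean filtered, any other reply means open, and silence means open|filtered. The following is an added worked example written for this archive page, not Nmap source code and not something Ron posted. It encodes those rules and runs them over constructed sample replies; the Response record, its field names, the sample data and the summary functions are all assumptions of the example, not Nmap's data structures or output.

```python
"""Classify probe responses per the -sA and -sO rules in the Nmap manpage.

Added example, not Nmap code. The Response record, its field names and the
sample replies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP type 3 codes the manpage lists as producing a "filtered" result.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
ICMP_PROTO_UNREACHABLE = 2   # type 3, code 2: "closed" in a protocol scan
PROTO_ICMP = 1               # IP protocol number of ICMP


@dataclass
class Response:
    """One observed reply to a probe (assumed shape, not an Nmap structure).

    kind is 'none' (nothing came back after retransmissions), 'tcp',
    'icmp', or 'other' (any non-TCP, non-ICMP reply seen during -sO)."""
    kind: str
    tcp_flags: str = ""              # e.g. "R" or "RA" for a TCP reply
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify_ack(resp: Response) -> str:
    """-sA: RST -> unfiltered; silence or a listed ICMP error -> filtered.
    The scan never yields 'open', exactly as the manpage says."""
    if resp.kind == "tcp" and "R" in resp.tcp_flags:
        return "unfiltered"
    if resp.kind == "none":
        return "filtered"
    if (resp.kind == "icmp" and resp.icmp_type == 3
            and resp.icmp_code in ICMP_FILTERED_CODES):
        return "filtered"
    return "unknown"   # outside the manpage's decision table


def classify_protocol(resp: Response) -> str:
    """-sO: type 3/code 2 -> closed; other listed type 3 codes -> filtered;
    any other reply -> open; silence -> open|filtered."""
    if resp.kind == "none":
        return "open|filtered"
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == ICMP_PROTO_UNREACHABLE:
            return "closed"
        if resp.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    return "open"      # "any response in any protocol" counts as open


def summarize_ack_scan(replies: Dict[int, Response]) -> Dict[int, str]:
    """Map port -> state for an ACK scan."""
    return {port: classify_ack(r) for port, r in replies.items()}


def summarize_protocol_scan(replies: Dict[int, Response]) -> Dict[int, str]:
    """Map protocol number -> state for a protocol scan, applying the
    manpage's side note: an ICMP unreachable error proves ICMP itself is
    open, so protocol 1 is recorded as open whenever one was seen."""
    states = {proto: classify_protocol(r) for proto, r in replies.items()}
    if any(r.kind == "icmp" and r.icmp_type == 3 for r in replies.values()):
        states[PROTO_ICMP] = "open"
    return states


# Constructed sample replies (not captured traffic).
SAMPLE_ACK_REPLIES = {
    22:   Response("tcp", tcp_flags="R"),                   # RST -> unfiltered
    80:   Response("tcp", tcp_flags="RA"),                  # RST -> unfiltered
    443:  Response("none"),                                 # dropped -> filtered
    3306: Response("icmp", icmp_type=3, icmp_code=13),      # admin prohibited -> filtered
}

SAMPLE_PROTOCOL_REPLIES = {
    1:   Response("icmp", icmp_type=0),                     # echo reply -> open
    6:   Response("tcp", tcp_flags="RA"),                   # RST to TCP probe -> open
    17:  Response("icmp", icmp_type=3, icmp_code=13),       # admin prohibited -> filtered
    47:  Response("none"),                                  # no reply -> open|filtered
    132: Response("icmp", icmp_type=3, icmp_code=2),        # protocol unreachable -> closed
}

if __name__ == "__main__":
    for port, state in sorted(summarize_ack_scan(SAMPLE_ACK_REPLIES).items()):
        print(f"-sA  port {port:>5}: {state}")
    for proto, state in sorted(summarize_protocol_scan(SAMPLE_PROTOCOL_REPLIES).items()):
        print(f"-sO  proto {proto:>3}: {state}")
```

Reading the ACK summary the way the manpage suggests: ports that answer a bare ACK with a RST are being passed by a rule that does not track connection state, since a stateful filter would drop an ACK with no matching session; ports that stay silent or draw an ICMP error are being filtered.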


