Nmap Development mailing list archives
NULL scan response
From: Matthew Stickney <stickney () qacafe com>
Date: Wed, 13 Jul 2011 10:56:19 -0400
Hi,

While running some scans today, I noticed something strange. Some machines respond to a NULL scan probe with a RST/ACK packet rather than a plain RST. This is clearly different than receiving no response, or getting an ICMP unreachable error, but NMap still lists the port as open|filtered. I noticed similar behavior with FIN and Xmas scans (one machine sends FIN/PUSH/URG in response to Xmas, another RST/ACK, but in both cases NMap lists the port as open|filtered).

The relevant RFC requires a plain RST to be sent, but is labelling these ports open|filtered the expected behavior from NMap, or a bug? Example scan follows.

$ sudo nmap 172.16.1.198 -n -Pn -sN --packet-trace -p 50

Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-13 10:44 EDT
SENT (0.2370s) ARP who-has 172.16.1.198 tell 172.16.1.181
RCVD (0.2380s) ARP reply 172.16.1.198 is-at 00:1C:C0:93:33:FB
SENT (0.5660s) TCP 172.16.1.181:61318 > 172.16.1.198:50 ttl=58 id=37325 iplen=40 seq=748468818 win=3072
RCVD (0.5760s) TCP 172.16.1.198:50 > 172.16.1.181:61318 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.6670s) TCP 172.16.1.181:61319 > 172.16.1.198:50 ttl=48 id=2691 iplen=40 seq=748534355 win=1024
RCVD (0.6670s) TCP 172.16.1.198:50 > 172.16.1.181:61319 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 172.16.1.198
Host is up (0.00018s latency).
PORT   STATE         SERVICE
50/tcp open|filtered re-mail-ck

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

--Matt Stickney
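An added example, not part of the original message and not Nmap's own code: it parses the TCP lines of the --packet-trace output above, pairs each reply with its probe, and reports the state implied by the rule in Nmap's documentation for -sN/-sF/-sX (a reply carrying RST means closed, no reply means open|filtered). The function names are hypothetical, ICMP lines are not handled, and the result can be compared with the STATE column of the report.

```python
import re

# Sample input: the TCP lines copied from the packet trace in the message above.
TRACE = """\
SENT (0.5660s) TCP 172.16.1.181:61318 > 172.16.1.198:50 ttl=58 id=37325 iplen=40 seq=748468818 win=3072
RCVD (0.5760s) TCP 172.16.1.198:50 > 172.16.1.181:61318 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.6670s) TCP 172.16.1.181:61319 > 172.16.1.198:50 ttl=48 id=2691 iplen=40 seq=748534355 win=1024
RCVD (0.6670s) TCP 172.16.1.198:50 > 172.16.1.181:61319 RA ttl=64 id=0 iplen=40 seq=0 win=0
"""

# The flag letters (e.g. "RA") are absent on a NULL probe, so that group is optional.
LINE = re.compile(
    r"^(SENT|RCVD) \([\d.]+s\) TCP (\S+):(\d+) > (\S+):(\d+) (?:([A-Z]+) )?ttl=")


def parse_trace(text):
    """Yield (direction, src, sport, dst, dport, flags) for each TCP trace line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d, src, sport, dst, dport, flags = m.groups()
            yield d, src, int(sport), dst, int(dport), flags or ""


def expected_states(text):
    """Map (target, port) to the state the documented rule implies."""
    probes = {}  # (scanner, sport, target, dport) -> reply flags, None if no reply
    for d, src, sport, dst, dport, flags in parse_trace(text):
        if d == "SENT":
            probes.setdefault((src, sport, dst, dport), None)
        elif (dst, dport, src, sport) in probes:
            probes[(dst, dport, src, sport)] = flags
    states = {}
    for (_, _, target, dport), reply in probes.items():
        if reply is None:
            verdict = "open|filtered"
        elif "R" in reply:          # RST or RST/ACK both carry the RST flag
            verdict = "closed"
        else:                       # the documented rule does not cover this reply
            verdict = "unclassified:" + reply
        key = (target, dport)
        if key not in states or verdict == "closed" or states[key] == "open|filtered":
            states[key] = verdict
    return states


if __name__ == "__main__":
    for (host, port), state in expected_states(TRACE).items():
        print(f"{host} {port}/tcp expected {state}")
```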