Nmap Development mailing list archives
Re: nmap -sT localhost showing ephemeral ports?
From: Robin Wood <robin () digininja org>
Date: Wed, 12 Feb 2014 20:57:04 +0000
On 12 Feb 2014 20:27, "Fyodor" <fyodor () nmap org> wrote:
20:17:03 bonsaiviking $ <ketilmore6> turns out the nmap -p 1-65000
was
finding open ports by accident because source port sometimes was equal
to
destination port. (birthday paradox) 20:17:07 bonsaiviking $ wtf 20:18:58 bonsaiviking $ confirmed on svn r32703 20:19:31 bonsaiviking $ but only with -sTYeah, Linux has long had this "feature" (I consider it a bug) where if you attempt a connect() to a closed port on localhost, sometimes the kernel will by luck choose the source port of the connection you're trying to establish to be the same as the destination and you end up effectively connected to yourself. Anything you type is echoed back to you. I think this should be fixed in the kernel. It is in charge of assigning the source port and it should check and avoid assigning the port you're trying to connect to. After all, it can lead to real-world problems
beyond
just port scanners like Nmap. Suppose you have an application running on
a
high port and you try to connect to it. And suppose it has crashed or wasn't started properly. You should get a connection refused so you know what is going on. Instead the connection can sometimes succeed and get in this bizarre self-connected state. Anyway, while I think it should be fixed in the kernel, I don't foresee that happening. I reported it to the Linux kernel mailing list nearly 15 years ago and offered to submit a patch, but it was shot down by David Miller who still seems to be pretty much in charge of Linux networking. Here's the thread: https://lkml.org/lkml/1999/8/29/111
I'd have thought that to anyone reading your bug report it would be obvious that there is something wrong. He is correct that it is legal to connect to yourself he just seemed to miss the point. Is it worth resubmitting it now you have the reputation you do and would have quite a bit of backing? Robin
So we should probably just work around it ourselves. The easiest way
might
be to choose our own source port for each connection and bind() to it rather than implicitly allow the kernel choose an ephemeral source port. We should probably only do this on Linux unless we find the problem on other systems. We might limit it to localhost connections too. Of course we'd need a loop so that if the bind fails (the port we choose might already be in use) we can choose another one until we succeed. You can intentionally create this sort of self-connection with Ncat by specifying the same source and dest port: $ ncat -v -p 31338 localhost 31338 Ncat: Version 6.40 ( http://nmap.org/ncat ) Ncat: Connected to 127.0.0.1:31338. Woo! Self-connected Woo! Self-connected ^C Cheers, Fyodor _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- nmap -sT localhost showing ephemeral ports? Jacek Wielemborek (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Kris Katterjohn (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 14)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 14)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 15)
- Re: nmap -sT localhost showing ephemeral ports? Kris Katterjohn (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Fyodor (Feb 12)
- Re: nmap -sT localhost showing ephemeral ports? Robin Wood (Feb 12)
- Re: nmap -sT localhost showing ephemeral ports? Fyodor (Feb 13)
- Re: nmap -sT localhost showing ephemeral ports? Robin Wood (Feb 12)