Nmap Development mailing list archives
Re: Nmap marking ports with invalid SYN+ACK TCP checksums as open?
From: Jay Bosamiya <jaybosamiya () gmail com>
Date: Mon, 23 Jun 2014 21:30:05 +0530
List,

Just copying some of my comments from IRC here:

just a thought: it's highly improbable to get a bad checksum a second time... unless it's specifically been made bad (by a firewall trying to confuse nmap)... we could use this fact...

if the target is specifically generating bogus checksums, then it'll do it all the time... whereas in a normal case (caused by a random bit flip) a second try by nmap should give a proper checksum... this way we can decide whether it is a firewall or just random environmental fluctuations...

I see that bonsaiviking has made some comments on IRC (and will be posting them here in a while, AFAIK).

Cheers,
Jay

On Monday 23 June 2014 06:20 PM, Jacek Wielemborek wrote:
List,

Yesterday I discovered that if Nmap receives a SYN+ACK during a SYN scan that has an invalid TCP checksum, it will say that this port is open. This is different from how operating systems behave, and exploiting it sounds like an easy way to confuse the scanner. Why is it implemented this way? bonsaiviking on IRC suggested it might be "that we'd rather not miss an open port just because of a bitflip error somewhere". Still, this might be an interesting piece of information that the host is responding with corrupt checksums, so maybe Nmap should at least print a warning message if this happens?

Yours,
Jacek Wielemborek
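The check under discussion, as an added example that is not Nmap's code and not from this thread: it computes the TCP checksum over the IPv4 pseudo-header for a SYN+ACK segment, verifies a received segment, and applies the retry heuristic from Jay's message (a bad checksum on every probe versus a bad one followed by a good one). Addresses, ports and sequence numbers are constructed sample values.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP/TCP/UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + TCP segment, checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the stored checksum (TCP header bytes 16..17) matches."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_syn_ack(src_ip, dst_ip, sport, dport, seq, ack, corrupt=False):
    """Constructed 20-byte SYN+ACK header; corrupt=True flips one checksum bit
    to simulate the bad-checksum reply described in the thread."""
    # data offset 5 words, flags SYN|ACK = 0x12, window 65535, urgent ptr 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x12, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt:
        csum ^= 0x0001
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def classify_port(checksum_results: list) -> str:
    """Jay's heuristic: one checksum verdict per SYN+ACK seen across retries.
    All good -> open; all bad -> consistently bogus (worth a warning);
    mixed -> transient corruption such as a random bit flip."""
    if not checksum_results:
        return "no-response"
    if all(checksum_results):
        return "open"
    if not any(checksum_results):
        return "open|bad-checksum-consistent"
    return "open|bad-checksum-transient"
```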