Re: Nmap marking ports with invalid SYN+ACK TCP checksums as open?

[Jay Bosamiya <jaybosamiya () gmail com>]

List,

Just copying some of my comments from IRC here:

> just a thought: it's highly improbable to get a bad checksum a second
> time... unless its specifically been made bad (by a firewall trying to
> confuse nmap)... we could use this fact...

> if the target is specifically generating bogus checksums, then it'll
> do it all the time... whereas in a normal case (caused due to a random
> bit flip) a second try by nmap should give a proper checksum... this
> way we can decide whether it is a firewall or just random
> environmental fluctuations...

I see that bonsaiviking has made some comments on IRC (and will be
posting them here in a while, AFAIK).

Cheers,
Jay

On Monday 23 June 2014 06:20 PM, Jacek Wielemborek wrote:
> List,
>
> Yesterday I discovered that if Nmap receives a SYN+ACK during a 
> SYN scanning that has an invalid TCP checksum, it will say that 
> this port is open. This is different than how operating systems 
> behave and exploiting it sounds like an easy way to confuse the 
> scanner. 
>
> Why is it implemented this way? bonsaiviking on IRC suggested it 
> might be "that we'd rather not miss an open port just because of 
> a bitflip error somewhere". Still, this might be an interesting 
> piece of information that the host is responding with corrupt 
> checksums, so maybe Nmap should at least print a warning message 
> if this happens?
>
> Yours,
> Jacek Wielemborek

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/