Nmap Development mailing list archives
Re: osscan2.cc ACK/URG anomaly
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 9 Aug 2014 15:13:18 -0500
Gisle,

The documentation on Nmap's OS detection [1] has this to say regarding the urgent field:

    TCP explicit congestion notification (ECN): [...] For an unrelated (to ECN)
    test, the urgent field value of 0xF7F5 is used even though the urgent flag is
    not set. [...]

Then later:

    The other quirk Nmap tests for is a nonzero urgent pointer field value when
    the URG flag is not set. This is also particularly likely to be seen in
    response to the ECN probe, which sets a non-zero urgent field.

Regarding acknowledgement number,

    The sequence and acknowledgment numbers are random (but saved so Nmap can
    differentiate responses).

This is the HostOsScan::tcpAck member in osscan2.cc. Perhaps it would be best only to send this when the ACK flag is set, but that might invalidate some of our OS database. Regardless, this is the intended behavior, not a bug.

Thanks for the questions! Answering this sort of thing always teaches me something new, too.

Dan

[1] http://nmap.org/book/osdetect-methods.html

On Sat, Aug 9, 2014 at 5:37 AM, Gisle Vanem <gvanem () yahoo no> wrote:
Regarding my message: http://seclists.org/nmap-dev/2014/q1/169

I think I've found the cause of this ACK/URG anomaly. But would like to ask here first...

    void HostOsScan::sendTEcnProbe(HostOsScanStats *hss)
    {
      ...
      send_tcp_probe(hss, o.ttl, false, NULL, 0,
                     tcpPortBase + NUM_SEQ_SAMPLES + 6, hss->openTCPPort,
                     tcpSeqBase, 0, 8, TH_CWR|TH_ECE|TH_SYN, prbWindowSz[6], 63477,   << line 1791
                     prbOpts[6].val, prbOpts[6].len, NULL, 0);
    }

Why does it send a URG-value without the TH_URG flag set here? IMHO, this should be:

    8, TH_CWR|TH_ECE|TH_SYN|TH_URG, prbWindowSz[6], 63477,

The same problem with the ACK-flag; in several places the 'tcpAck != 0' member can be sent with no TH_ACK set. Is this an oversight or working as designed?

So now after a local patch to osscan2.cc, the 'nmap -sT -ddd ...' output for call at line 1791 gives:

    SENT (6.3910s) TCP [10.0.0.6:39171 > 10.0.0.1:22 SUEC seq=250798708 ack=0 off=8 res=8 win=3 csum=0xC6B7 urp=63477 <wscale 10,nop,mss 1460,sackOK, nop,nop>] IP [ver=4 ihl=5 tos=0x00 iplen=52 id=63235 foff=0 ttl=49 proto=6 csum=0x7eba]
    Send probe (type: OFP_TECN, subid: 0) to 10.0.0.1

The 'U' says the URG-value is !=0. Makes more sense?

--gv

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
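The thread turns on two field/flag inconsistencies in the OS-detection probes: a nonzero urgent pointer (0xF7F5 = 63477) with URG clear, and a nonzero acknowledgment number with ACK clear. The same check Nmap applies to responses (the "quirk" test quoted above) can be run by a defender over inbound segments to recognise this probe traffic. The following is an added example, not code from Nmap or from either poster: it packs and parses a fixed 20-byte TCP header and flags both inconsistencies. The TH_* values are the standard bit positions of the TCP flags byte; the sample field values (ports, sequence number, window) are constructed after the debug output quoted in the thread, with options omitted, so the data offset is 5 rather than 8.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits as laid out in byte 13 of the header (standard positions). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Anomaly bits returned by tcp_hdr_quirks(). */
#define QUIRK_URP_WITHOUT_URG 0x1  /* nonzero urgent pointer, URG flag clear */
#define QUIRK_ACK_WITHOUT_ACK 0x2  /* nonzero acknowledgment number, ACK flag clear */

/* Host-order view of the fixed 20-byte TCP header; options are not modelled. */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff;    /* data offset in 32-bit words, 5..15 */
    uint8_t  flags;
    uint16_t win, csum, urp;
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Serialize to network byte order; out must hold 20 bytes. */
static void tcp_hdr_pack(const struct tcp_hdr *h, uint8_t out[20]) {
    put16(out, h->sport);      put16(out + 2, h->dport);
    put32(out + 4, h->seq);    put32(out + 8, h->ack);
    out[12] = (uint8_t)(h->doff << 4);   /* upper nibble: data offset; reserved bits zero */
    out[13] = h->flags;
    put16(out + 14, h->win);   put16(out + 16, h->csum);   put16(out + 18, h->urp);
}

/* Parse the fixed header. Returns 0 on success, -1 if the buffer is short or
 * the data offset is inconsistent with the captured length. */
static int tcp_hdr_parse(const uint8_t *in, size_t len, struct tcp_hdr *h) {
    if (len < 20) return -1;
    h->sport = get16(in);      h->dport = get16(in + 2);
    h->seq   = get32(in + 4);  h->ack   = get32(in + 8);
    h->doff  = in[12] >> 4;
    if (h->doff < 5 || (size_t)h->doff * 4 > len) return -1;
    h->flags = in[13];
    h->win   = get16(in + 14); h->csum  = get16(in + 16); h->urp = get16(in + 18);
    return 0;
}

/* The two inconsistencies discussed in the thread, as a QUIRK_* bitmask. */
static int tcp_hdr_quirks(const struct tcp_hdr *h) {
    int q = 0;
    if (h->urp != 0 && !(h->flags & TH_URG)) q |= QUIRK_URP_WITHOUT_URG;
    if (h->ack != 0 && !(h->flags & TH_ACK)) q |= QUIRK_ACK_WITHOUT_ACK;
    return q;
}

/* Build a header with the given flags/ack/urp on top of constructed sample
 * fields (taken from the thread's debug line), round-trip it through the wire
 * format, and report the quirks a passive observer would see. -1 = parse error. */
static int quirks_of(uint8_t flags, uint32_t ack, uint16_t urp) {
    struct tcp_hdr probe = { .sport = 39171, .dport = 22, .seq = 250798708,
                             .ack = ack, .doff = 5, .flags = flags,
                             .win = 3, .csum = 0, .urp = urp };
    uint8_t wire[20];
    struct tcp_hdr seen;
    tcp_hdr_pack(&probe, wire);
    if (tcp_hdr_parse(wire, sizeof wire, &seen) != 0) return -1;
    return tcp_hdr_quirks(&seen);
}

int main(void) {
    /* The ECN probe as quoted: CWR|ECE|SYN, ack 0, urgent pointer 63477 (0xF7F5). */
    int q = quirks_of(TH_CWR | TH_ECE | TH_SYN, 0, 63477);
    printf("ECN-style probe quirks: 0x%x (urp-without-URG=%d, ack-without-ACK=%d)\n",
           q, !!(q & QUIRK_URP_WITHOUT_URG), !!(q & QUIRK_ACK_WITHOUT_ACK));
    /* An ordinary SYN/ACK with a nonzero ack number is clean. */
    printf("SYN/ACK quirks: 0x%x\n", quirks_of(TH_SYN | TH_ACK, 12345, 0));
    return 0;
}
```

Ordinary stacks leave the urgent pointer at zero unless URG is set, so the first condition alone is a fairly specific marker; the second fires on any segment that carries an acknowledgment number without the ACK flag, which is what the thread describes for the probes built from HostOsScan::tcpAck.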
Current thread:
- osscan2.cc ACK/URG anomaly Gisle Vanem (Aug 09)
- Re: osscan2.cc ACK/URG anomaly Daniel Miller (Aug 09)
- Re: osscan2.cc ACK/URG anomaly Gisle Vanem (Aug 10)
- Re: osscan2.cc ACK/URG anomaly Daniel Miller (Aug 09)