Penetration Testing mailing list archives

Re: Nmap/netwag problem.


From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Aug 2005 15:33:36 -0700

On Thu, Aug 11, 2005 at 04:07:41PM +0100, Paul J Docherty wrote:
> the question, which was I think, "which port scanner is giving the
> correct results?" As many others have elegantly answered, use a
> packet sniffer and look at the raw data to see what's going on.

Many people have given that answer, and it is a good one.  But people
should also be aware of Nmap's --packet_trace feature, which is a very
easy way to see what packets Nmap is sending and receiving.  Let's
look at a quick example:

# nmap -P0 -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:18 PDT
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.272 seconds

Here we do a SYN scan (with no initial ping) against three ports, and
Nmap classifies them into 3 different states.  As posters to this
thread have explained, you sometimes want to know exactly _why_ Nmap
has classified them as it has.  To answer this question, simply add
--packet_trace to the command above:

# nmap -P0 --packet_trace -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:19 PDT
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.232 seconds

As you can see above, Nmap starts by sending a SYN probe back to each
of the three ports.  Port 113 replies with the RA (RST/ACK) flags and
thus is listed by Nmap as closed.  Port 80 returns SA (SYN/ACK) and so
is listed as open.  Port 99 does not reply, so Nmap retransmits after
1.1 seconds.  There is still no reply, so Nmap lists the port as
filtered.

I hope this helps.  3.84ALPHA1 has not been formally released, but it
offers many improvements from 3.81 and you can snag a copy from
http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0041.html .  You don't
need this for --packet_trace though, as it has been around (and
steadily improving) since 2002.

Cheers,
Fyodor

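The post shows how the three port states fall out of the SENT/RCVD lines: SYN/ACK means open, RST/ACK means closed, and a probe that gets no reply even after a retransmission is reported as filtered. The script below is an added example (not Nmap's code, and not part of the original message) that parses --packet_trace output in the exact format printed above and re-derives those states from it, so a reader can check a trace mechanically rather than by eye. It assumes the 3.84-era line layout shown in the post (`SENT (time) TCP src:port > dst:port FLAGS ...`); other Nmap versions may format the trace differently, and ICMP lines (which the post does not show) are simply skipped. The sample trace is the one from the post, embedded verbatim.

```python
"""Re-derive SYN-scan port states from Nmap --packet_trace output.

Added example, not Nmap's own code.  It implements the classification the
post walks through: SA -> open, RA -> closed, no reply after every
retransmission -> filtered.  Assumes the SENT/RCVD line format shown for
nmap 3.84ALPHA1; lines that do not match (banner, result table, ICMP) are
ignored.
"""
import re
from collections import defaultdict

# Matches e.g.
# SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 ...
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD)\s+\((?P<t>[\d.]+)s\)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<rest>.*)$"
)

# Trace lines copied from the post (scan of scanme.nmap.org, 205.217.153.62).
SAMPLE_TRACE = """\
Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:19 PDT
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
Interesting ports on scanme.nmap.org (205.217.153.62):
"""


def parse_trace(text):
    """Yield one dict per SENT/RCVD line; everything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["t"] = float(pkt["t"])
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def classify_syn_scan(text, target):
    """Return {port: (state, probes_sent, reason)} for a SYN scan of `target`.

    Probes are SENT TCP lines with flags S (and no A) to `target`; replies
    are RCVD TCP lines from `target`, whose *source* port is the scanned port.
    """
    probes = defaultdict(int)  # scanned port -> number of SYNs sent (retransmits included)
    reply_flags = {}           # scanned port -> flags of the first reply seen
    for pkt in parse_trace(text):
        if pkt["proto"] != "TCP":
            continue
        if pkt["dir"] == "SENT" and pkt["dst"] == target \
                and "S" in pkt["flags"] and "A" not in pkt["flags"]:
            probes[pkt["dport"]] += 1
        elif pkt["dir"] == "RCVD" and pkt["src"] == target:
            reply_flags.setdefault(pkt["sport"], pkt["flags"])

    result = {}
    for port, sent in sorted(probes.items()):
        flags = reply_flags.get(port)
        if flags is None:
            # Every probe (including retransmissions) went unanswered.
            result[port] = ("filtered", sent, "no reply after %d probe(s)" % sent)
        elif "S" in flags and "A" in flags:
            result[port] = ("open", sent, "SYN/ACK received")
        elif "R" in flags:
            result[port] = ("closed", sent, "RST received")
        else:
            result[port] = ("unknown", sent, "unexpected flags %s" % flags)
    return result


def format_table(result):
    """Render the classification in the same shape as Nmap's port table."""
    rows = ["PORT      STATE     PROBES  REASON"]
    for port, (state, sent, reason) in result.items():
        rows.append("%-9s %-9s %-7d %s" % ("%d/tcp" % port, state, sent, reason))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table(classify_syn_scan(SAMPLE_TRACE, "205.217.153.62")))
```

Run against the trace from the post it reports 80/tcp open (SYN/ACK), 113/tcp closed (RST), and 99/tcp filtered with two probes sent and none answered, matching Nmap's table. To use it on your own scan, paste the --packet_trace output into `SAMPLE_TRACE` (or read it from a file) and pass the target's IP; if a port comes out "unknown" the trace contains a reply with flags this simple rule set does not cover, which is exactly the case where looking at the raw packets pays off.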