Penetration Testing mailing list archives
Re: Nmap/netwag problem.
From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Aug 2005 15:33:36 -0700
On Thu, Aug 11, 2005 at 04:07:41PM +0100, Paul J Docherty wrote:
> the question, which was I think, "which port scanner is giving the correct results?" As many others have elegantly answered use a packet sniffer and look at the raw data to see what's going on.
Many people have given that answer, and it is a good one. But people should also be aware of Nmap's --packet_trace feature, which is a very easy way to see what packets Nmap is sending and receiving. Let's look at a quick example:

# nmap -P0 -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:18 PDT
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.272 seconds

Here we do a SYN scan (with no initial ping) against three ports, and Nmap classifies them into 3 different states. As posters to this thread have explained, you sometimes want to know exactly _why_ Nmap has classified them as it has. To answer this question, simply add --packet_trace to the command above:

# nmap -P0 --packet_trace -p80,99,113 scanme.nmap.org

Starting nmap 3.84ALPHA1 ( http://www.insecure.org/nmap/ ) at 2005-08-12 15:19 PDT
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE
80/tcp  open     http
99/tcp  filtered metagram
113/tcp closed   auth

Nmap finished: 1 IP address (1 host up) scanned in 1.232 seconds

As you can see above, Nmap starts by sending a SYN probe to each of the three ports. Port 113 replies with the RA (RST/ACK) flags and thus is listed by Nmap as closed. Port 80 returns SA (SYN/ACK) and so is listed as open. Port 99 does not reply, so Nmap retransmits after 1.1 seconds. There is still no reply, so Nmap lists the port as filtered.

I hope this helps. 3.84ALPHA1 has not been formally released, but it offers many improvements from 3.81 and you can snag a copy from http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0041.html . You don't need this for --packet_trace though, as it has been around (and steadily improving) since 2002.

Cheers,
Fyodor
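The classification rules Fyodor walks through above (SA means open, RA means closed, no answer to any probe means filtered) can be applied mechanically to --packet_trace output. The following Python is an added example, not code from the post or from Nmap itself: it parses the trace lines quoted above (embedded here as constructed input) and derives the port states and probe counts. As one extra check beyond the post's wording, it only trusts a reply whose ack number equals a sent probe's seq + 1, so stray packets from the target are not mistaken for answers.

```python
import re
from collections import defaultdict

# Constructed input: the --packet_trace lines quoted in the post above (port 99 is probed twice).
TRACE = """\
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:113 S ttl=41 id=51165 iplen=40 seq=2511044273 win=2048
SENT (0.0120s) TCP 69.232.198.12:54012 > 205.217.153.62:80 S ttl=48 id=31631 iplen=40 seq=2511044273 win=1024
SENT (0.0160s) TCP 69.232.198.12:54012 > 205.217.153.62:99 S ttl=45 id=62221 iplen=40 seq=2511044273 win=2048
RCVD (0.0250s) TCP 205.217.153.62:113 > 69.232.198.12:54012 RA ttl=245 id=0 iplen=40 seq=0 win=0 ack=2511044274
RCVD (0.0260s) TCP 205.217.153.62:80 > 69.232.198.12:54012 SA ttl=54 id=0 iplen=44 seq=536353456 win=5840 ack=2511044274
SENT (1.1190s) TCP 69.232.198.12:54013 > 205.217.153.62:99 S ttl=48 id=24051 iplen=40 seq=2510978736 win=1024
"""

LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) (?P<fields>.*)$")

def parse_trace(text):
    """Parse SENT/RCVD lines into dicts; banner and port-table lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["t"], p["sport"], p["dport"] = float(p["t"]), int(p["sport"]), int(p["dport"])
        # trailing key=value fields: ttl, id, iplen, seq, win, ack
        p.update({k: int(v) for k, v in (f.split("=") for f in p.pop("fields").split())})
        packets.append(p)
    return packets

def classify_syn_scan(packets):
    """Apply the rules from the post: SA -> open, RA -> closed, no reply to any
    probe -> filtered. A reply only counts if its ack equals a probe seq + 1."""
    probes = defaultdict(list)   # target port -> seq numbers of SYNs sent to it
    replies = {}                 # target port -> flags of the first valid reply
    for p in packets:
        if p["dir"] == "SENT" and p["flags"] == "S":
            probes[p["dport"]].append(p["seq"])
        elif p["dir"] == "RCVD" and p["sport"] not in replies:
            if p.get("ack") in [s + 1 for s in probes.get(p["sport"], [])]:
                replies[p["sport"]] = p["flags"]
    result = {}
    for port in sorted(probes):
        flags = replies.get(port)
        state = ("filtered" if flags is None else "closed" if "R" in flags
                 else "open" if "S" in flags and "A" in flags else "unknown")
        result[port] = (state, len(probes[port]))   # e.g. 99: ("filtered", 2)
    return result
```

Feed it the trace of a real scan (the lines between the banner and the port table) and compare the derived states with Nmap's own table; a mismatch points at exactly which packet exchange to look at in the sniffer.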