Bugtraq mailing list archives

ACK/th_win portscanning


From: lamontg () RAVEN GENOME WASHINGTON EDU (Lamont Granquist)
Date: Wed, 15 Sep 1999 11:18:56 -0700


I just posted a patch to nmap to the nmap-hackers list which implements
yet another "stealth" scan.  This one sends out packets with only the ACK
bit set and looks for responses that either have th_win set to some value
(0x1000, 0x2000, 0x4000 typically) or th_win is clear.  Fyodor went
through the nmap-os-fingerprints file and found that it was easy to use
that database to find systems which are vulnerable to these kinds of
scans.

Vulnerable systems of note include:
Digital Unix 4.0X
FreeBSD <=4.0
OpenBSD <=2.5.
AIX <=4.3.2 (is this current?)

Notable systems which are /NOT/ vulnerable include:
Solaris (all?)
IRIX 6.x
HP-UX 11.0
Linux (all?)

Probably the only "stealth" benefit of this kind of scan would be that it
should get through ipfwadm firewalls that use the ACK bit to determine
whether or not packets get through (ipfwadm's -k flag), e.g.:

    # allow incoming packets to other high numbered ports from anywhere, but
    # only for packets with the ACK bit set (i.e. outgoing connections)
    /sbin/ipfwadm -I -k -a accept -P tcp -S any/0 -D $MYNET 1024:65535

But it should be blocked by ipf's "keep state":

    pass  out  quick proto tcp from <MYNET> to any keep state

It would be interesting to test this in conjunction with frag scanning
against various firewalls.  It might also be interesting to test this with
out-of-order frag scanning (which nmap doesn't do, due to limitations in
SOCK_RAW) against various firewalls (particularly ones that advertise
"keep state" functions).  Of course, you'll need a vulnerable test system
behind the firewall to scan against.

Fyodor's post with all the vulnerable systems follows.  Attached is the
patch to NMAP 2.3 BETA 3 (applies cleanly to BETA 5 as well).

On Wed, 15 Sep 1999, Fyodor wrote:
On Mon, 13 Sep 1999, Lamont Granquist wrote:

Yeah, don't know how useful it is, since the only current version of an OS
that it seems to be effective against is Digital Unix.  With only the ACK
bit set it might be able to get through some firewall rules, though.

I think it works against the latest FreeBSD as well.  Perhaps I should
apply your patch and leave it as another undocumented scan type in the
next version of Nmap.  Interestingly, the nmap-os-fingerprints database
that comes with Nmap can often enumerate the operating systems with
interesting characteristics like this.  For example, here is an easy way
to get a list of OS versions that should be vulnerable to your window
scan:

amy~/nmap>cat nmap-os-fingerprints | perl -ne 'while(<>) { chomp;if (/^fingerprint\s+([^\#]+)/i) { if (defined($owin) 
and defined($cwin) and $owin ne $cwin) { print "$oname ($owin vs. $cwin)\n";} $oname=$1;undef($cwin);undef($owin);} 
elsif (/^T(4|6)\(.*W=([^%]+)/) { if ($1 eq 4){$owin=$2;} else { $cwin = $2; }}}' | sort -f
A/UX 3.1.1 SVR2 (1000 vs. 0)
ACC Amazon 9.2.29 or Congo 9.2.35 WAN concentrator (1000 vs. 0)
Acorn Risc OS 3.6 (Acorn TCP/IP Stack 4.07) (3000 vs. 0)
Acorn RiscOS 3.7 using AcornNet TCP/IP stack   (4000 vs. 0)
AGE Logic, Inc. IBM XStation (2000 vs. 0)
AIX 3.2 (4000 vs. 0)
AIX 4.0 - 4.1 (8000|4000 vs. 0)
AIX 4.02.0001.0000 (4000 vs. 0)
AIX 4.1 (4000 vs. 0)
AIX 4.2 (4000 vs. 0)
AIX 4.2 (4000 vs. 0)
AIX 4.3.2 (4000 vs. 0)
AIX v4.1 running on a C10 (4000 vs. 0)
Alcatel 1000 DSL Router / unknown OS Rev. (2000 vs. 0)
AmigaOS AmiTCP/IP 4.3 (2000 vs. 0)
AmigaOS AmiTCP/IP Genesis 4.6 (8000 vs. 0)
AmigaOS Miami 2.1-3.0 (4000 vs. 0)
AmigaOS Miami 3.0 (4000 vs. 0)
AmigaOS Miami 3.1-3.2 (4000 vs. 0)
AmigaOS Miami Deluxe 0.9 - Miami 3.2B (4000 vs. 0)
AOS/VS or VSII (1000 vs. 0)
Apollo Domain/OS SR10.4 (239C vs. 800)
Auspex Fileserver (AuspexOS 1.9.1/SunOS 4.1.4) (4000 vs. 0)
AXIS NetEye Camera Server V1.20  (100|0 vs. 0)
AXIS or Meridian Data Network CD-ROM server (200 vs. 0)
AXIS Stack -- CD-ROM Server or Printer Server or Camera Server  (100|0 vs. 0)
BeOS 4 - 4.5 (3000 vs. 0)
BSDI BSD/OS 2.0 - 2.1   (2000|0 vs. 0)
CacheOS (CacheFlow 2000 proxy cache) (2000 vs. 0)
Canon photocopier/fax/scanner/printer GP30F (C00 vs. 0)
Cisco CacheEngine (2000 vs. 0)
Compaq Tru64 UNIX (formerly Digital UNIX) 4.0e (8000 vs. 0)
Convex OS Release 10.1 (7C00 vs. 0)
Cray Unicos 9.0 - 10.0 or Unicos/mk 1.5.1   (FFFF vs. 0)
Cray UNICOS 9.0.1ai - 10.0.0.2 (8000 vs. 0)
DEC OSF/1 V1.3A (8000 vs. 0)
DECNIS 600 V4.1.3B System (8000 vs. 0)
DECserver700-16, Network Access SW V2.2 (600 vs. 0)
DG/UX Release R4.11MU02 (2238 vs. 0)
Digital OpenVMS AXP 6.2 running Attachmate Pathway 3.1 TCP stack (2000 vs. 0)
Digital Unix 4.0E (7000|8000 vs. 0)
Digital UNIX OSF1 V 3.0,3.2,3.2C   (8000 vs. 0)
Digital UNIX OSF1 V 4.0,4.0B,4.0D   (8000 vs. 0)
Extreme Gigabit switch (unknown version) (1000 vs. 0)
FreeBSD 2.1.0 - 2.1.5   (4000 vs. 0)
FreeBSD 2.2.1 - 3.2   (4000|0 vs. 0)
FreeBSD 2.2.1 - 4.0   (4000|0 vs. 0)
HP Entria X station (running Netstation 7.x)   (2000 vs. 0)
HP-BSD 2.0 (2000 vs. 0)
HP-UX 9.01 - 9.07 (2000 vs. 0)
HP-UX A.09.00 E 9000/817 - A.09.07 A 9000/777 (2000 vs. 0)
HP-UX B.10.01 A 9000/715 (8000 vs. 0)
HP-UX B.10.20 A 9000/715 or 9000/712 or 9000/871 or 9000/861 with tcp_random_seq = 0 (8000 vs. 0)
HP-UX B.10.20 A 9000/715 or 9000/712 or 9000/871 with tcp_random_seq = 1  (8000 vs. 0)
IBM LAN RouteSwitch/Xylan OmniSwitch Version 3.2.5/NeXT (1000 vs. 0)
IBM OS/2 V 2.1 (7000 vs. 0)
IBM OS/2 V.3   (7000 vs. 0)
IBM OS/2 Warp 4.0 (7000 vs. 0)
IBM OS/2 Warp Server for E-business (Aurora) Beta (8000 vs. 0)
IBM OS/2 Warp Server for E-business (Aurora) Beta (8000 vs. 0)
Intel NetportExpress(tm) 10/100 3-port ROM: V05.10a (16D0 vs. 0)
IRIX 5.2 (F000 vs. 0)
IRIX 5.3   (EF2A|F000 vs. 0)
Juniper Router running JUNOS (4000 vs. 0)
LynxOS Realtime OS -- Could be MeetingPlace 3.4, Xylogics  Remote Annex 4000 terminal server (1000 vs. 0)
Mac OS X (Rhapsody 5.5) on a G3 (8000 vs. 0)
Meridian Data Network CD-ROM Server (V4.20 Nov 26 1997) (200 vs. 0)
Mirapoint M1000 (OS v 1.0.0) (4000 vs. 0)
NCD X server (SNMP says: NCD16 server 2.3.0 03/12/91 downloaded) (800 vs. 0)
Neoware (was HDS) NetOS V. 2.0.1 or HP ENTRIA C3230A (2000 vs. 0)
NetApp OnTap 3.1.6 (1000 vs. 0)
NetApp OnTap 5.1.2 - 5.2.2 (2000 vs. 0)
NetBSD 1.0 big endian arch (4000 vs. 0)
NetBSD 1.0 little endian arch (4000 vs. 0)
NetBSD 1.1 - 1.2.1 litle endian arch (4000 vs. 0)
NetBSD 1.2 - 1.2.1 big endian arch (4000 vs. 0)
Network Systems router NS6614 (NSC 6600 series) (1000 vs. 0)
NeXT Mach (1000 vs. 0)
OpenBSD 2.1 - 2.3/SPARC (4000 vs. 0)
OpenBSD 2.1/X86 (4000 vs. 0)
OpenBSD 2.2 - 2.3 (4000 vs. 0)
OpenBSD Post 2.4 (November 1998) - 2.5 (4000 vs. 0)
OpenStep 4.0 or NextStep 1.0 (Intel) (1000 vs. 0)
OpenStep 4.1/NeXTStep 3.3 (1000 vs. 0)
OpenStep 4.2/Intel (1000 vs. 0)
OpenVMS 6.1   (1000 vs. 0)
OpenVMS 6.2 (1800 vs. 0)
OpenVMS 7.1 Alpha running Digital's UCX v4.1ECO2 TCP/IP package (BB8 vs. 0)
OpenVMS Alpha 6.2 running DIGITAL TCP/IP Services (UCX) v4.0 (BB8 vs. 0)
OpenVMS Alpha V7.1-1H2 running DIGITAL TCP/IP Services (UCX) V4.2 (1000 vs. 0)
OpenVMS V6.1 on Digital VAX 4000-105A (1800 vs. 0)
OSF/1 5.60 (8000 vs. 0)
Packeteer IP-PacketShaper 2000 V3.1 (1000 vs. 0)
QNX 4.24 (2000 vs. 0)
Redback SMS1000 Router (2000 vs. 0)
Rhapsody 5.3 - 5.4 (Mac OS X Server 1.0 - 1.0-1) (2000 vs. 0)
Router/Switch (LanPlex 2500/Cisco Catalyst 5505/Trancell Webramp/Xylan Omni Switch) (1000 vs. 0)
SEQUENT DYNIX/ptx(R) V4.2.1 (1000 vs. 0)
Shiva LanRover/8E Version 3.5 (1000 vs. 0)
Snap Network Box (4470 vs. 0)
SPP-UX 5.2.1 (8000 vs. <1001)
SPP-UX 5.x on a Convex SPP-1600 (8000 vs. C00)
Stock OpenVMS 7.1 (2200 vs. 0)
SunOS 4.0.3 (1000 vs. 0)
SunOS 4.1.1 - 4.1.4 (or derivative)  (1000|2000|6000|C000 vs. 0)
SunOS 4.1.3_U1 + ISI RFC1323 mods from ISI (1000 vs. 0)
Ultrix 4.1 (4000 vs. 0)
Ultrix 4.2 - 4.5 (4000 vs. 0)
Unicos 10.0.0 on Cray 90 (8000 vs. 0)
VAX 7000-610 or 4200/SPX OR 6000-430 (1800 vs. 0)
VAX/VMS 5.3 on a MicroVAX II (1000 vs. 0)
VNS V6.2 (2200 vs. 0)
VxWorks 5.3.x bases system (usually an ethernet hub or switch) (1000 vs. 0)
webcache  CacheFlow 5000 with latest OS (2000 vs. 0)
Xylan OmniSwitch 5x/9x ethernet switch, Annex3 Comm server R10.0, or Hitach HI-UX/WE2 (1000 vs. 0)


Cheers,
Fyodor

--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
"I might be able to shoehorn a reference count in on top of the numeric
value by disallowing multiple references on scalars with a numeric value, but
but it wouldn't be as clean. I do occasionally worry about that." -Larry Wall


--
Lamont Granquist                       lamontg () genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
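As an added example (not code from the post, from the attached patch, or from nmap), the following Python models the two points the message above makes: the patch's classification of a reply to an ACK-only probe by its th_win value, and the difference between an ipfwadm-style stateless ACK-bit rule and ipf's "keep state". The filter models, the port numbers and every packet are constructed for the example; the "filtered" and non-RST outcomes are additions the patch itself does not make.

```python
# Added example (not from the post or from nmap): classify replies to an
# ACK-only probe by th_win, as the patch does, and contrast a stateless
# ACK-bit rule with a keep-state filter. All packets are constructed here
# as bare 20-byte TCP headers.
import struct

TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, csum, urg


def build_tcp(sport, dport, flags, win, seq=0, ack=0):
    """Build a minimal TCP header (data offset 5 words, checksum left zero)."""
    off_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack(TCP_HDR, sport, dport, seq, ack, off_flags, win, 0, 0)


def parse_tcp(data):
    """Parse the fixed part of a TCP header into the fields used below."""
    sport, dport, _seq, _ack, off_flags, win, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F, "win": win}


def classify_ack_probe_reply(reply):
    """Classify the reply to an ACK-only probe the way the patch's ACK_SCAN
    branch does: non-zero th_win -> "open", zero th_win -> "closed".
    Two cases the patch does not handle are added here: no reply at all is
    reported "filtered" (what a keep-state rule produces), and a reply that
    is not a RST is flagged, since an unsolicited ACK should only ever draw
    a RST from a real TCP stack."""
    if reply is None:
        return "filtered"
    hdr = parse_tcp(reply)
    if not hdr["flags"] & TH_RST:
        return "unexpected"
    return "open" if hdr["win"] else "closed"


def ipfwadm_k_rule(pkt, net_ports=range(1024, 65536)):
    """Stateless model of `ipfwadm -I -k -a accept -P tcp -D $MYNET 1024:65535`:
    any inbound TCP segment with ACK set and a high destination port is
    accepted, so an ACK-only probe passes."""
    return bool(pkt["flags"] & TH_ACK) and pkt["dport"] in net_ports


class KeepStateFilter:
    """Model of ipf `pass out quick proto tcp ... keep state`: only replies
    to connections seen leaving the network are let back in."""

    def __init__(self):
        self.flows = set()          # (local port, remote port) of outbound flows

    def outbound(self, pkt):
        self.flows.add((pkt["sport"], pkt["dport"]))

    def inbound_allowed(self, pkt):
        # a genuine reply arrives with our local port as its destination
        return (pkt["dport"], pkt["sport"]) in self.flows


def demo():
    """Run one constructed probe through both filter models and classify
    the three kinds of reply an ACK probe can get."""
    probe = parse_tcp(build_tcp(40000, 6000, TH_ACK, 1024))   # ACK-only probe to a high port
    keep_state = KeepStateFilter()
    keep_state.outbound(parse_tcp(build_tcp(50000, 80, TH_SYN, 8192)))  # our host opened a web connection
    legit_reply = parse_tcp(build_tcp(80, 50000, TH_SYN | TH_ACK, 8192))
    return {
        "stateless_passes_probe": ipfwadm_k_rule(probe),                     # True
        "keep_state_passes_probe": keep_state.inbound_allowed(probe),        # False
        "keep_state_passes_reply": keep_state.inbound_allowed(legit_reply),  # True
        # RST replies as the listed stacks send them: window set or clear
        "rst_win_4000": classify_ack_probe_reply(build_tcp(6000, 40000, TH_RST, 0x4000)),
        "rst_win_0": classify_ack_probe_reply(build_tcp(6000, 40000, TH_RST, 0)),
        "no_reply": classify_ack_probe_reply(None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that the stateless rule passes the probe while the keep-state filter drops it (and still passes the genuine SYN|ACK reply), and that the two RST replies differ only in their window, which is all the scan has to go on.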


--- global_structures.h~        Fri Sep 10 18:58:50 1999
+++ global_structures.h Fri Sep 10 19:09:43 1999
@@ -169,6 +169,7 @@
   int xmasscan;
   int fragscan;
   int synscan;
+  int ackscan;
   int maimonscan;
   int finscan;
   int udpscan;
@@ -180,7 +181,7 @@
 };
   
 typedef port *portlist;
-typedef enum { SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, RPC_SCAN, MAIMON_SCAN } stype;
+typedef enum { SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, ACK_SCAN, RPC_SCAN, MAIMON_SCAN } 
stype;
 
 #endif /*GLOBAL_STRUCTURES_H */
 
--- nmap.c~     Fri Sep 10 18:47:27 1999
+++ nmap.c      Fri Sep 10 19:09:44 1999
@@ -253,6 +253,7 @@
        case 'P':  o.pingscan = 1; break;
        case 'R':  o.rpcscan = 1; break;
        case 'S':  o.synscan = 1; break;          
+       case 'A':  o.ackscan = 1; break;
        case 'T':  o.connectscan = 1; break;
        case 'U':  
          fprintf(o.nmap_stdout, "WARNING:  -sU is now UDP scan -- for TCP FIN scan use -sF\n");
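Review bot: no hunk in this patch touches the usage/help text, so the new `case 'A'` (-sA) is only discoverable by reading the source; either add -sA beside -sS and -sT in the usage output, or state in the patch description that it is deliberately undocumented, as the quoted reply suggests.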
@@ -283,7 +284,7 @@
 
 /* Now we check the option sanity */
 /* Insure that at least one scantype is selected */
-if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && !o.maimonscan &&  !o.nullscan && !o.xmasscan && 
!o.bouncescan && !o.pingscan) {
+if (!o.connectscan && !o.udpscan && !o.synscan && !o.ackscan && !o.finscan && !o.maimonscan &&  !o.nullscan && 
!o.xmasscan && !o.bouncescan && !o.pingscan) {
   o.connectscan++;
   if (o.verbose) error("No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you 
really don't want to portscan (and just want to see what hosts are up).");
 }
@@ -299,7 +300,7 @@
 if (fastscan && ports) {
   fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both");
 } else if (fastscan) {
-  ports = 
getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
+  ports = 
getfastports(o.ackscan|o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
 }
 
 if (o.pingscan && ports) {
@@ -311,7 +312,7 @@
 }
 
 if (!ports) {
-  ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.finscan|
+  ports = getdefaultports(o.ackscan|o.synscan|o.connectscan|o.fragscan|o.finscan|
                          o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,
                          o.udpscan);
 }
@@ -320,7 +321,7 @@
 if (!o.tcp_probe_port) o.tcp_probe_port = 80;
 
 
-if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.maimonscan ||  o.nullscan || o.xmasscan 
|| o.bouncescan)) {
+if (o.pingscan && (o.connectscan || o.udpscan || o.ackscan || o.synscan || o.finscan || o.maimonscan ||  o.nullscan || 
o.xmasscan || o.bouncescan)) {
   fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
 }
 
@@ -332,7 +333,7 @@
     o.pingtype = PINGTYPE_TCP;
   }
 
-  if (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan 
+  if (o.finscan || o.ackscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan 
       || o.udpscan ) {
     fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
   }
@@ -353,8 +354,8 @@
 if (o.bouncescan && o.pingtype != PINGTYPE_NONE) 
   fprintf(o.nmap_stdout, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we 
don't try and ping them prior to the scan\n");
 
-if (o.connectscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan > 1) {
-  fatal("You specified more than one type of TCP scan.  Please choose only one of -sT, -sS, -sF, -sM, -sX, and -sN");
+if (o.connectscan + o.ackscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan > 1) {
+  fatal("You specified more than one type of TCP scan.  Please choose only one of -sT, -sS, -sF, -sM, -sX, -sA, and 
-sN");
 }
 
 if (o.numdecoys > 0 && (o.bouncescan || o.connectscan)) {
@@ -362,9 +363,9 @@
 }
 
 if (o.fragscan && (o.connectscan || 
-                  (o.udpscan && (o.synscan + o.finscan + o.maimonscan + 
+                  (o.udpscan && (o.ackscan + o.synscan + o.finscan + o.maimonscan + 
                                  o.xmasscan + o.nullscan == 0))))
-  fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, or NULL scan types");
+  fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, ACK, or NULL scan types");
  
 if (o.identscan && !o.connectscan) {
   error("Identscan only works with connect scan (-sT) ... ignoring option");
@@ -533,7 +534,7 @@
  if (currenths->flags & HOST_UP /* && !currenths->wierd_responses*/ &&
      !o.pingscan) {
    
-   if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.synscan || o.finscan || o.maimonscan || 
o.udpscan || o.nullscan || o.xmasscan)) {
+   if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.ackscan || o.synscan || o.finscan || 
o.maimonscan || o.udpscan || o.nullscan || o.xmasscan)) {
      if (gethostname(myname, MAXHOSTNAMELEN) || 
         !(target = gethostbyname(myname)))
        fatal("Cannot get hostname!  Try using -S <my_IP_address> or -e <interface to scan through>\n"); 
@@ -545,7 +546,7 @@
    }
    
    /* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */
-   if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.udpscan || o.finscan || 
o.maimonscan ||  o.synscan || o.osscan) && (ipaddr2devname( currenths->device, &currenths->source_ip) != 0))
+   if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.udpscan || o.finscan || 
o.maimonscan ||  o.synscan || o.osscan || o.ackscan) && (ipaddr2devname( currenths->device, &currenths->source_ip) != 
0))
      fatal("Could not figure out what device to send the packet out on!  You might possibly want to try -S (but this 
is probably a bigger problem).  If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must 
use -e eth0 (or other devicename) to tell us what interface to use.\n");
    /* Set up the decoy */
    o.decoys[o.decoyturn] = currenths->source_ip;
@@ -554,6 +555,7 @@
    
    
    if (o.synscan) pos_scan(currenths, ports, SYN_SCAN);
+   if (o.ackscan) pos_scan(currenths, ports, ACK_SCAN);
    if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN);      
    
    if (o.finscan) super_scan(currenths, ports, FIN_SCAN);
@@ -1993,7 +1995,7 @@
   FD_ZERO(&csi.fds_write);
   FD_ZERO(&csi.fds_except);
 
-  if (scantype == SYN_SCAN || scantype == RPC_SCAN)
+  if (scantype == SYN_SCAN || scantype == RPC_SCAN || scantype == ACK_SCAN)
     ss.max_width = 150;
   else ss.max_width = o.max_sockets;
 
@@ -2025,7 +2027,7 @@
   }
    
   /* Init our raw socket */
-  if (scantype == SYN_SCAN) {  
+  if ((scantype == SYN_SCAN) || (scantype == ACK_SCAN)) {  
     if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
       pfatal("socket troubles in super_scan");
     /* We do not wan't to unblock the socket since we want to wait 
@@ -2075,7 +2077,10 @@
       fatal("Error compiling our pcap filter: %s\n", pcap_geterr(pd));
     if (pcap_setfilter(pd, &fcode) < 0 )
       fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
-    scanflags = TH_SYN;
+    if (scantype == SYN_SCAN)
+      scanflags = TH_SYN;
+    else
+      scanflags = TH_ACK;
   } else if (scantype == CONNECT_SCAN) {
     rawsd = -1;
     /* Init our sock */
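Review bot: the bare `else` that assigns `scanflags = TH_ACK` relies on the enclosing `if ((scantype == SYN_SCAN) || (scantype == ACK_SCAN))` from the earlier hunk in this function admitting nothing else; writing it as `else if (scantype == ACK_SCAN)` (or a switch whose default calls fatal) keeps a future raw-socket scan type from silently inheriting TH_ACK.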
@@ -2107,7 +2112,9 @@
       fprintf(o.nmap_stdout, "Initiating SYN half-open stealth scan against %s (%s)\n", target->name, 
inet_ntoa(target->host));
     else if (scantype == CONNECT_SCAN)
       fprintf(o.nmap_stdout, "Initiating TCP connect() scan against %s (%s)\n",target->name, inet_ntoa(target->host)); 
-    else  {
+    else if (scantype == ACK_SCAN)
+      fprintf(o.nmap_stdout, "Initiating ACK scan against %s (%s)\n",target->name, inet_ntoa(target->host));
+    else {
       fprintf(o.nmap_stdout, "Initiating RPC scan against %s (%s)\n",target->name, inet_ntoa(target->host)); 
     }
   }
@@ -2181,7 +2188,7 @@
                  scan[current->next].prev = current - scan;          
                }
              }
-             if (scantype == SYN_SCAN || scantype == RPC_SCAN)
+             if (scantype == SYN_SCAN || scantype == RPC_SCAN || scantype == ACK_SCAN)
                ss.numqueries_outstanding--;
              else {
                /* close the appropriate sd for each try */
@@ -2202,7 +2209,7 @@
              current->trynum++;
              gettimeofday(&current->sent[current->trynum], NULL);
              now = current->sent[current->trynum];
-             if (scantype == SYN_SCAN) {             
+             if ((scantype == SYN_SCAN) || (scantype == ACK_SCAN)) {         
                for(decoy=0; decoy < o.numdecoys; decoy++) {
                  if (o.fragscan)
                    send_small_fragz(rawsd, &o.decoys[decoy], &target->host, sequences[current->trynum],o.magic_port + 
tries * 3 + current->trynum, current->portno, scanflags);
@@ -2292,7 +2299,7 @@
          /*    if (!testinglist) testinglist = current; */
          ss.numqueries_outstanding++;
          gettimeofday(&current->sent[0], NULL);
-         if (scantype == SYN_SCAN) {     
+         if ((scantype == SYN_SCAN) || (scantype == ACK_SCAN)) {         
            for(decoy=0; decoy < o.numdecoys; decoy++) {
              if (o.fragscan)
                send_small_fragz(rawsd, &o.decoys[decoy], &target->host, sequences[current->trynum], o.magic_port + 
tries * 3, current->portno, scanflags);
@@ -2349,8 +2356,8 @@
 
       /* Now that we have sent the packets we wait for responses */
       ss.alreadydecreasedqueries = 0;
-      if (scantype == SYN_SCAN)
-       get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences);
+      if ((scantype == SYN_SCAN) || (scantype == ACK_SCAN))
+       get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences, scantype);
       else if (scantype == RPC_SCAN) {
       /* We only bother worrying about responses if we haven't reached
          a conclusion yet */
@@ -2435,7 +2442,7 @@
   }
 
   if (o.verbose)
-    fprintf(o.nmap_stdout, "The %s scan took %ld seconds to scan %d ports.\n", (scantype == SYN_SCAN)? "SYN" : 
(scantype == CONNECT_SCAN)? "TCP connect" : "RPC",  (long) time(NULL) - starttime, o.numports);
+    fprintf(o.nmap_stdout, "The %s scan took %ld seconds to scan %d ports.\n", (scantype == ACK_SCAN) ? "ACK" : 
(scantype == SYN_SCAN)? "SYN" : (scantype == CONNECT_SCAN)? "TCP connect" : "RPC",  (long) time(NULL) - starttime, 
o.numports);
   
   free(scan);
   if (rawsd >= 0) 
@@ -2857,7 +2864,7 @@
 
 void get_syn_results(struct hoststruct *target, struct portinfo *scan,
                     struct scanstats *ss, struct portinfolist *pil, 
-                    int *portlookup, pcap_t *pd, unsigned long *sequences) {
+                    int *portlookup, pcap_t *pd, unsigned long *sequences, stype scantype) {
 
 struct ip *ip;
 int bytes;
@@ -2916,12 +2923,21 @@
              error("Received SYN packet implying trynum %d from port %hi even though that port is only on trynum %d 
(could be from an earlier round)", trynum, newport, current->trynum);
            trynum = -1;
          }
-         if ((tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {     
-           newstate = PORT_OPEN;
-         }
-         else if (tcp->th_flags & TH_RST) {      
-           newstate = PORT_CLOSED;
+          if (scantype == SYN_SCAN) {
+           if ((tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {   
+             newstate = PORT_OPEN;
+           }
+            else if (tcp->th_flags & TH_RST) {   
+             newstate = PORT_CLOSED;
            }   
+          }
+          if (scantype == ACK_SCAN) {
+            if (tcp->th_win) {
+              newstate = PORT_OPEN;
+            } else {
+              newstate = PORT_CLOSED;
+            }
+          } 
        } else if (ip->ip_p == IPPROTO_ICMP) {
          icmp = (struct icmp *) ((char *)ip + sizeof(struct ip));
          ip2 = (struct ip *) (((char *) ip) + 4 * ip->ip_hl + 8);
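Review bot: the ACK_SCAN branch decides PORT_OPEN/PORT_CLOSED from `tcp->th_win` alone, without the `tcp->th_flags & TH_RST` test the SYN branch keeps, so any non-RST segment that passes the pcap filter would be classified by its window; add the RST check, and make the second `if (scantype == ACK_SCAN)` an `else if` so the two branches read as alternatives. The added lines also mix ten and eleven spaces of indentation and should follow the surrounding style. Two smaller points: a comment here that "open" means "the RST carried a non-zero window" would help, since on stacks whose RST window does not depend on port state every port comes back with the same answer; and the `error("Received SYN packet implying trynum ...")` message in the context at the top of this hunk now also fires for ACK-scan RSTs, so its wording no longer matches.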
@@ -2990,8 +3006,8 @@
                fatal("Deletion of port %d failed\n", ports[i]);
          }
        }
-       if (o.connectscan || o.nullscan || o.xmasscan || o.synscan || 
-           o.maimonscan || o.finscan || o.bouncescan) {
+       if (o.connectscan || o.nullscan || o.xmasscan || o.synscan ||
+            o.ackscan || o.maimonscan || o.finscan || o.bouncescan) {
          current = lookupport(*pl, ports[i], IPPROTO_TCP);
          if (!current)
            addport(pl, ports[i], IPPROTO_TCP, NULL, PORT_UNFIREWALLED);
--- nmap.h~     Fri Sep 10 19:02:15 1999
+++ nmap.h      Fri Sep 10 19:09:45 1999
@@ -258,7 +258,7 @@
                   struct portinfolist *pil, struct connectsockinfo *csi);
 void get_syn_results(struct hoststruct *target, struct portinfo *scan,
                     struct scanstats *ss, struct portinfolist *pil, 
-                    int *portlookup, pcap_t *pd, unsigned long *sequences);
+                    int *portlookup, pcap_t *pd, unsigned long *sequences, stype scantype);
 int get_connect_results(struct hoststruct *target, struct portinfo *scan, 
                         struct scanstats *ss, struct portinfolist *pil, 
                         int *portlookup, unsigned long *sequences, 
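As an added example (not from the post or from nmap), here is a Python rendering of the perl one-liner quoted in Fyodor's reply above: it walks nmap-os-fingerprints, takes the W= value of the T4 test (ACK to an open port) and the T6 test (ACK to a closed port), and lists the fingerprints where the two differ, which is the window leak the ACK scan depends on. The entries in SAMPLE_FINGERPRINTS are constructed for the example; their line layout follows the first-generation fingerprint format the quoted regexes expect.

```python
# Added example (not from the post or from nmap): list fingerprints whose
# RST window differs between the T4 (ACK to open port) and T6 (ACK to
# closed port) tests, as the quoted perl one-liner does. The fingerprint
# entries below are constructed; only their layout follows the real file.
import re

FINGERPRINT_RE = re.compile(r"^fingerprint\s+([^#]+)", re.IGNORECASE)
WINDOW_RE = re.compile(r"^T(4|6)\(.*W=([^%]+)")

SAMPLE_FINGERPRINTS = """\
# constructed entries in the first-generation nmap-os-fingerprints layout
Fingerprint Example BSD-like stack 1.0 # window differs between T4 and T6
T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

Fingerprint example Linux-like stack 2.0
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

Fingerprint Example stack with alternating windows 3.0
T4(Resp=Y%DF=N%W=4000|0%ACK=O%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

Fingerprint Example silent stack 4.0
T4(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
"""


def window_discrepancies(text):
    """Return [(name, t4_window, t6_window)] for every fingerprint in `text`
    whose T4 and T6 window values are both present and differ, sorted
    case-insensitively like `sort -f`. A T4 line without a W= value (Resp=N)
    leaves that entry out, exactly as the perl's defined() checks do."""
    found = []
    name = t4 = t6 = None

    def flush():
        if name is not None and t4 is not None and t6 is not None and t4 != t6:
            found.append((name, t4, t6))

    for line in text.splitlines():
        line = line.strip()
        m = FINGERPRINT_RE.match(line)
        if m:
            flush()                      # finish the previous entry first
            name, t4, t6 = m.group(1).strip(), None, None
            continue
        m = WINDOW_RE.match(line)
        if m:
            if m.group(1) == "4":
                t4 = m.group(2)
            else:
                t6 = m.group(2)
    flush()                              # the last entry has no Fingerprint line after it
    return sorted(found, key=lambda entry: entry[0].lower())


def format_report(entries):
    """Render entries in the same "name (T4 vs. T6)" shape as the perl output."""
    return [f"{name} ({t4} vs. {t6})" for name, t4, t6 in entries]


if __name__ == "__main__":
    for line in format_report(window_discrepancies(SAMPLE_FINGERPRINTS)):
        print(line)
```

The stack whose T4 and T6 windows are both 0 and the one that does not answer T4 at all are left out, so the report names only the stacks that would actually give an ACK scan something to distinguish.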


