Nmap Announce mailing list archives
Re: Nmap bug or am I missing something.
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Fri, 12 Mar 1999 11:26:10 -0800
On Wed, 10 Mar 1999, Frank W. Keeney wrote:
> Unfortunately nmap "incorrectly" reports all the scanned ports open.
> [...]
> nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x
The problem with FIN scans is that nmap has no way to differentiate between a packet to a closed port which was dropped due to a packet filter or something like that and a packet to an open port which was dropped as per a normal FIN scan. The basic way a FIN scan works is:

1. Send FIN
2a. Receive RST - port closed
2b. Dropped packet - port open

If a packet gets dropped due to a packet filter then it gets reported as being open.
> x.x.x.x.5900 > (nmap host).xxxx ack (abbreviated)
> x.x.x.x.256 > (nmap host).xxxx ack
> x.x.x.x.257 > (nmap host).xxxx ack
> x.x.x.x.258 > (nmap host).xxxx ack
> x.x.x.x.259 > (nmap host).xxxx ack
>
> On the firewall ports 256-259 and 5900 are open. The response in tcpdump is 100%!
I don't know, but it looks like your firewall is one of the ones that isn't fin-scannable (broken according to the RFC) and reports a RST|ACK in response to a FIN on an open port and then all your closed ports are firewalled so you don't see the responses for closed ports, or something... Try turning off the services on one of 5900,256-259 and see if you still get a RST|ACK to the closed port.

--
Lamont Granquist lamontg () raven genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
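The ambiguity Lamont describes, modelled as an added example (this is not code from the thread or from nmap): the scanner only sees "RST" or "no reply", so an RFC 793 host whose closed ports are filtered, and the hypothesised non-compliant host that answers RST|ACK on open ports, are indistinguishable from a single scan. The two host models and the "turn off a service and re-probe" check are constructed here from the message's description; the port numbers are the ones from Frank's command line.

```python
# Added example: model of the FIN-scan inference from the thread.
# The host behaviours below are constructed, not captured from a real system.

RST = "RST"          # host answered with RST (or RST|ACK)
SILENCE = None       # probe or reply was dropped somewhere

# Ports from the original command line: -p 20-25,250-270,5900
PROBED_PORTS = list(range(20, 26)) + list(range(250, 271)) + [5900]
# Ports Frank says are actually open on the firewall host
REALLY_OPEN = {256, 257, 258, 259, 5900}


def rfc793_host(port, open_ports, filtered_ports=frozenset()):
    """RFC 793 behaviour: FIN to a closed port -> RST, FIN to an open port
    -> ignored. A filter dropping traffic to a closed port looks exactly
    like an open port from the scanner's side."""
    if port in filtered_ports or port in open_ports:
        return SILENCE
    return RST


def noncompliant_filtered_host(port, open_ports):
    """Lamont's hypothesis: the stack sends RST|ACK for a FIN to an OPEN
    port, and the firewall drops FINs to every closed port."""
    return RST if port in open_ports else SILENCE


def fin_scan(host, **host_args):
    """The scanner's rule from the thread: RST means closed, no reply means
    open. Returns the set of ports the scanner would report as open."""
    return {p for p in PROBED_PORTS if host(p, **host_args) is SILENCE}


def service_toggle_check(host, open_ports, port):
    """Lamont's diagnostic: stop the service on one open port and probe it
    again. The direction of the change tells the two host models apart."""
    before = host(port, open_ports=open_ports)
    after = host(port, open_ports=open_ports - {port})
    if before is SILENCE and after is RST:
        return "rfc793: silent while open, RST once closed"
    if before is RST and after is SILENCE:
        return "non-compliant stack behind a filter: RST while open, dropped once closed"
    return "no change: cannot tell open from filtered on this port"


if __name__ == "__main__":
    print(sorted(fin_scan(rfc793_host, open_ports=REALLY_OPEN)))
    # every closed port filtered: all probed ports come back "open"
    print(sorted(fin_scan(rfc793_host, open_ports=REALLY_OPEN,
                          filtered_ports=set(PROBED_PORTS) - REALLY_OPEN)))
    # hypothesised host: the report is the exact inverse of reality
    print(sorted(fin_scan(noncompliant_filtered_host, open_ports=REALLY_OPEN)))
    print(service_toggle_check(noncompliant_filtered_host, REALLY_OPEN, 5900))
```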