Nmap Announce mailing list archives

unfiltered


From: Max Vision <vision () whitehats com>
Date: Mon, 5 Apr 1999 13:06:23 -0700 (PDT)

Hello,

I was wondering about the "filtered/unfiltered" status returned by nmap. 
In my limited testing, I see a RST+ACK on unfiltered ports that is not
shown on filtered ports (www.example.com here is a Solaris Checkpoint
FW-1).  This is then an actual "unfiltered" port, i.e., there is no daemon
listening but if there was the firewall wouldn't have stopped it.  However
nmap doesn't report it.  Since I've seen nmap report on this status before
in other situations, are there different types of "unfiltered" or
different firewall responses that mean the same thing?  Does anyone on the
list have a summary or collaborating data?

I rather like the idea of being able to determine firewall holes without
running Ballista/CAPE or firewalk (let alone having a daemon answer on
the other side). 

note:
29 - not listening, filtered by FW-1
53 - not listening, not filtered
80 - listening, filtered
hostnames changed, sorry for the long lines munge...

[audit ~]# nmap -P0 -sS -p 29,53,80 www.example.com

Starting nmap V. 2.12 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
12:36:28.184222 audit.example.com.37819 > www.example.com.http: S
539815172:539815172(0) win 2048
12:36:28.184222 audit.example.com.37819 > www.example.com.domain: S
539815172:539815172(0) win 2048
12:36:28.184222 audit.example.com.37819 > www.example.com.msg-icp: S
539815172:539815172(0) win 2048
12:36:28.204222 www.example.com.http > audit.example.com.37819: S
4224401559:4224401559(0) ack 539815173 win 9112 <mss 536> (DF)
12:36:28.204222 audit.example.com.37819 > www.example.com.http: R
539815173:539815173(0) win 0
12:36:28.204222 www.example.com.domain > audit.example.com.37819: R 0:0(0)
ack 539815173 win 0 (DF)
12:36:28.304222 audit.example.com.37820 > www.example.com.msg-icp: S
3896630591:3896630591(0) win 2048
12:36:28.404222 audit.example.com.37821 > www.example.com.msg-icp: S
592811632:592811632(0) win 2048
12:36:28.514222 audit.example.com.37822 > www.example.com.msg-icp: S
539815172:539815172(0) win 2048
12:36:28.604222 audit.example.com.37823 > www.example.com.msg-icp: S
3896630591:3896630591(0) win 2048
12:36:28.704222 audit.example.com.37824 > www.example.com.msg-icp: S
592811632:592811632(0) win 2048
Interesting ports on www.example.com (23.23.23.23):
Port    State       Protocol  Service
29      filtered    tcp        msg-icp         
80      open        tcp        http            

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

feedback appreciated :)
Max
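
The reading of the trace described in the post, as an added example (not part of the original message and not nmap's own code): it classifies each probed port from old-style tcpdump output by the reply seen, treating a SYN+ACK as open, a RST as closed but reachable (what the post calls "unfiltered"), and silence as filtered. The `classify` function and the re-joined sample trace are constructed for illustration.

```python
import re

# Constructed sample: the post's tcpdump trace with the wrapped lines
# re-joined and the repeated msg-icp retries trimmed to one.
TRACE = """\
12:36:28.184222 audit.example.com.37819 > www.example.com.http: S 539815172:539815172(0) win 2048
12:36:28.184222 audit.example.com.37819 > www.example.com.domain: S 539815172:539815172(0) win 2048
12:36:28.184222 audit.example.com.37819 > www.example.com.msg-icp: S 539815172:539815172(0) win 2048
12:36:28.204222 www.example.com.http > audit.example.com.37819: S 4224401559:4224401559(0) ack 539815173 win 9112 <mss 536> (DF)
12:36:28.204222 audit.example.com.37819 > www.example.com.http: R 539815173:539815173(0) win 0
12:36:28.204222 www.example.com.domain > audit.example.com.37819: R 0:0(0) ack 539815173 win 0 (DF)
12:36:28.304222 audit.example.com.37820 > www.example.com.msg-icp: S 3896630591:3896630591(0) win 2048
"""

# Old tcpdump layout as shown in the post: "time src.port > dst.port: FLAGS rest".
# The port (or service name) is the last dot-separated field of each endpoint.
LINE = re.compile(r"^\S+ (\S+)\.([^.\s]+) > (\S+)\.([^.\s]+): (\S+)(.*)$")


def classify(trace, target):
    """Map each probed port on `target` to 'open', 'closed' or 'filtered'."""
    state = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        if dst == target and flags == "S" and " ack " not in rest:
            # A probe went out; until a reply is seen the port counts as filtered.
            state.setdefault(dport, "filtered")
        elif src == target and sport in state:
            if "S" in flags and " ack " in rest:
                state[sport] = "open"    # SYN+ACK: a daemon is listening
            elif "R" in flags:
                state[sport] = "closed"  # RST: packet reached the host, nothing listening
    return state


if __name__ == "__main__":
    for port, verdict in classify(TRACE, "www.example.com").items():
        print(f"{port:10s} {verdict}")
```
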


