Nmap Announce mailing list archives

TCP questions


From: "Donald McLachlan" <don_mclachlan () hotmail com>
Date: Tue, 27 Jun 2000 15:24:27 EDT

Hello,

This is not really an nmap question, but I did use nmap to gather the
basic research provided below, and I feel experienced nmap users
may be able to answer the 2 questions below.

I'm doing some research with the aim of developing a new security
tool.  My desire (for now) is to elicit a TCP packet from end systems.
Any old TCP packet from the end system is fine, and in fact if it
returns the same packet whether the port is open or closed, that
might be more palatable to some security minded folks.  Therefore I'm
looking at using either an ACK or FIN+ACK or SYN+ACK, or SYN+FIN+ACK
packet; all of which are supposed to elicit an RST packet.

My naive feeling is that from the Internet packets to open ports
have the best chance of reaching end systems. So I did some testing
on a network and I found the top 10 open ports (10 ignoring the
small services) were:

 512, 513, 13, 21, 23, 111, 19, 7, 9, 135, 514, 515, 139

Further research revealed that I could reach all the hosts on that
net by looking at just these ports

139, 111, 514, 515

Now my questions: (in your experience ...)

- From the Internet, packets with which TCP flag combinations are
 most likely to reach end systems?
- From the Internet, packets to/from which TCP ports are most
 likely to reach end systems?

Thanks,
Don

P.S. Yes, I suppose I could use nmap to find the answers to these
    questions myself, but that is not the sort of activity I want
    to be doing, and I'm sure someone has already done it and knows
    the answers.

P.P.S. (for later) Which udp ports are most reachable from the
      Internet?

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
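The claim in the post that an ACK, FIN+ACK, SYN+ACK or SYN+FIN+ACK segment draws the same RST reply whether the port is open or closed follows directly from the segment-arrives rules in RFC 793 (CLOSED: anything but RST is answered with RST; LISTEN: a segment carrying ACK is answered with RST, a bare SYN with SYN+ACK, anything else is dropped). The model below, an added illustration and not part of the original message, encodes those two states and checks which flag combinations are state-independent; the function names and the string flag names are assumptions of this example. Real stacks and firewalls deviate from the RFC in places (some drop unsolicited ACKs entirely), so the model describes the standard, not any particular host.

```python
"""Minimal RFC 793 'segment arrives' model for the CLOSED and LISTEN states.

Added example: it models only what the RFC specifies for a port that is
closed or listening; it does not send packets.  All names are illustrative.
"""
from typing import FrozenSet, Iterable, Optional

# Flag names used by this model (constructed for the example).
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

Flags = FrozenSet[str]


def rfc793_reply(flags: Iterable[str], port_state: str) -> Optional[Flags]:
    """Return the flag set of the host's reply, or None if the segment is dropped.

    port_state is "CLOSED" (no listener) or "LISTEN" (open port, no connection).
    """
    f = frozenset(flags)
    if RST in f:
        # RFC 793: an incoming RST is never answered, in any state.
        return None
    if port_state == "CLOSED":
        # CLOSED: every other segment is answered with RST.  If the segment
        # carried ACK the reply is <SEQ=SEG.ACK><CTL=RST>; otherwise the reply
        # acknowledges it: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>.
        return frozenset({RST}) if ACK in f else frozenset({RST, ACK})
    if port_state == "LISTEN":
        if ACK in f:
            # An ACK to a listening port matches no connection: reply RST.
            return frozenset({RST})
        if SYN in f:
            # A bare SYN opens the handshake: reply SYN+ACK.
            return frozenset({SYN, ACK})
        # Anything else (e.g. a lone FIN) is silently dropped.
        return None
    raise ValueError(f"unsupported state {port_state!r}")


def reply_is_state_independent(flags: Iterable[str]) -> bool:
    """True when CLOSED and LISTEN produce the same reply to this segment."""
    f = frozenset(flags)
    return rfc793_reply(f, "CLOSED") == rfc793_reply(f, "LISTEN")


def classify(flags: Iterable[str]) -> dict:
    """Summarise how a probe with these flags behaves against an RFC 793 host."""
    f = frozenset(flags)
    return {
        "flags": "+".join(sorted(f)),
        "closed": rfc793_reply(f, "CLOSED"),
        "listen": rfc793_reply(f, "LISTEN"),
        "same_reply": reply_is_state_independent(f),
    }


if __name__ == "__main__":
    # The four combinations from the post, plus a plain SYN and FIN for contrast.
    for combo in ({ACK}, {FIN, ACK}, {SYN, ACK}, {SYN, FIN, ACK}, {SYN}, {FIN}):
        print(classify(combo))
```

Running the block shows that every combination carrying ACK gets a bare RST from both states, while a lone SYN (SYN+ACK versus RST+ACK) and a lone FIN (dropped versus RST+ACK) reveal whether the port is open; that difference is exactly why the post's author prefers the ACK-bearing variants.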
