Nmap Announce mailing list archives
More on ACK and Window scanning
From: Fyodor <fyodor () insecure org>
Date: Sun, 26 Mar 2000 15:42:31 -0800 (PST)
For what it is worth, here is a little more information on the ACK and Window scanning available in the new version of Nmap (technically Window scan has been there since September when Lamont posted the patch to the list). These scan types can actually be pretty useful for testing firewall configurations. Here are more details (from the newest man page):

-sA ACK scan: This advanced method is usually used to map out firewall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets. This scan type sends an ACK packet (with random-looking acknowledgement/sequence numbers) to the ports specified. If a RST comes back, the port is classified as "unfiltered". If nothing comes back (or if an ICMP unreachable is returned), the port is classified as "filtered". Note that nmap usually doesn't print "unfiltered" ports, so getting no ports shown in the output is usually a sign that all the probes got through (and returned RSTs). This scan will obviously never show ports in the "open" state.

-sW Window scan: This advanced scan is very similar to the ACK scan, except that it can sometimes detect open ports as well as filtered/nonfiltered due to an anomaly in the TCP window size reporting by some operating systems. Systems vulnerable to this include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing list archive for a full list.

Cheers,
Fyodor
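The following is an added illustration of the two scan types described in the post above; it is not Nmap's code and not part of the original message. It builds the bare ACK probe the man page describes (20-byte TCP header, only the ACK flag set, random-looking sequence and acknowledgement numbers, valid checksum over the IPv4 pseudo-header) and then applies the classification rules to a constructed set of replies: RST means "unfiltered" for -sA; no reply or an ICMP unreachable means "filtered" for both scans. For -sW the rule that a RST with a non-zero window means "open" and a zero window means "closed" is the one later Nmap documentation gives for the window anomaly; the post only says the anomaly exists. The IP addresses, ports and reply table are constructed sample data, and nothing is sent on the wire.

```python
import random
import socket
import struct

TCP_ACK = 0x10
TCP_RST = 0x04


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 ones'-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ack_probe(src_ip, dst_ip, src_port, dst_port, rng=random):
    """Bare TCP header, ACK flag only, random seq/ack, checksum filled in (no options, no payload)."""
    seq = rng.getrandbits(32)
    ack = rng.getrandbits(32)
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4,      # data offset: 5 words = 20 bytes
                      TCP_ACK, 1024, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(segment):
    """Decode the fields of a 20-byte TCP header (used to inspect probes and RST replies)."""
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "checksum": csum}


# A reply is modelled as a tuple: ("rst", window), ("icmp_unreach", code) or ("none", None).
def classify_ack_scan(reply):
    """-sA: RST back means the probe got through (unfiltered); anything else is filtered."""
    return "unfiltered" if reply[0] == "rst" else "filtered"


def classify_window_scan(reply):
    """-sW: like -sA, but the RST's window field is read on hosts with the window anomaly."""
    if reply[0] != "rst":
        return "filtered"
    return "open" if reply[1] > 0 else "closed"


def scan_report(replies, classifier):
    return {port: classifier(reply) for port, reply in sorted(replies.items())}


def shown_ports(report, hide=("unfiltered",)):
    """Mimic the man page note that nmap usually does not print unfiltered ports."""
    return {port: state for port, state in report.items() if state not in hide}


# Constructed sample replies to ACK probes (hypothetical target, not captured traffic).
SAMPLE_REPLIES = {
    22: ("rst", 0),             # RST with zero window: closed on an anomalous host
    80: ("rst", 5840),          # RST with positive window: open on an anomalous host
    135: ("icmp_unreach", 13),  # ICMP type 3 code 13, administratively prohibited
    443: ("none", None),        # probe silently dropped by a stateful filter
}

if __name__ == "__main__":
    probe = build_ack_probe("192.0.2.10", "192.0.2.20", 40000, 80)
    print("probe:", parse_tcp_header(probe))
    print("-sA:", scan_report(SAMPLE_REPLIES, classify_ack_scan))
    print("-sA as printed:", shown_ports(scan_report(SAMPLE_REPLIES, classify_ack_scan)))
    print("-sW:", scan_report(SAMPLE_REPLIES, classify_window_scan))
```

One caveat worth keeping in mind when reading -sW output: on a host without the window anomaly every RST carries a zero window, so -sW reports all unfiltered ports as "closed" and tells you nothing beyond what -sA already did.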