Nmap Development mailing list archives

RE: SF, SFP scans?


From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 14:11:52 -0500

Thanks!

While the -sF works better against Linux, -sS works better (quicker) against
Windows (and therefore probably BSD as well ;)

Windows will happily send a SYNACK to an 0xEB.

/joe


 -----Original Message-----
 From: Fyodor [mailto:fyodor () insecure org]
 Sent: Wednesday, October 30, 2002 1:16 PM
 To: Joe Pepin
 Cc: nmap-dev () insecure org
 Subject: Re: SF, SFP scans?
 
 
 On Wed, Oct 30, 2002 at 12:27:11PM -0500, 
 joe.pepin () guardent com wrote:
 
 > I would like to modify nmap such that I can do a modified SYN scan where I
 > have the FIN or PUSH (or even URG, RST, X and Y) bits set.  Stacks all over
 > the place are accepting packets like SFPUXY to start sessions, and I want to
 > see if any firewalls which pretend to be stateful will allow these through.
 > 
 > I was able to kind-of do this the cheap, cheap, dirty way by modifying
 > netinet/tcp.h, but that's obviously ugly for lots of reasons and I
 > was
 
 Dear lord, that is ugly :).  But I agree that specifying arbitrary
 flag values can be useful.  It may not be documented, but recent
 versions of Nmap have a 'scanflags' options for doing this.  For
 example, you can do a SYN|FIN scan as follows:
 
 felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db
 
 Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
 Interesting ports on db.yuma.net (192.168.0.4):
 (The 5 ports scanned but not shown below are in state: closed)
 Port       State       Service
 22/tcp     filtered    ssh                     
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 2.288 seconds
 
 Only the "normal" flag names are supported, but you can provide a
 numerical argument to get at "X" and "Y".
 
 The way Linux reacts to SYN|FIN packets, it is really more of a FIN
 scan.  So better results come from treating it that way:
 
 felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db
 
 Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
 Interesting ports on db.yuma.net (192.168.0.4):
 (The 5 ports scanned but not shown below are in state: closed)
 Port       State       Service
 22/tcp     open        ssh                     
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 1.594 seconds
 
 Cheers,
 Fyodor
 

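The thread talks about flag combinations (SYN|FIN, the SFPUXY shorthand, the 0xEB octet Windows answers) in three notations. The following is an added example, not Nmap's code or anything from either poster: a small decoder that turns any of those notations into the TCP flags octet, plus a stateless classifier of the kind a firewall or IDS would need in order to notice the combinations that a "SYN bit only" check lets through. The one-letter mapping (X = ECE, Y = CWR, chosen so that SFPUXY decodes to 0xEB) and the verdict labels are my assumptions; the parser is deliberately stricter than Nmap's own --scanflags handling.

```python
"""Added example (not Nmap code): decode TCP flag specs given as Nmap-style
names, the thread's SFPUXY shorthand, or a number into the flags octet, and
classify combinations the way a stateless detector might."""

FLAG_BITS = {  # bit values of the TCP flags octet (RFC 793; ECE/CWR from RFC 3168)
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# One-letter shorthand as used in the thread. X and Y are assumed to be the
# ECE and CWR bits, which makes SFPUXY decode to the 0xEB the reply mentions.
LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "A": "ACK",
           "U": "URG", "X": "ECE", "Y": "CWR", "E": "ECE", "C": "CWR"}


def parse_flag_spec(spec: str) -> int:
    """Flags octet for a numeric value ("0xEB", "235"), concatenated
    three-letter names ("SYNFIN"), or one-letter shorthand ("SFPUXY")."""
    try:
        value = int(spec, 0)
    except ValueError:
        pass
    else:
        if not 0 <= value <= 0xFF:
            raise ValueError(f"flags value out of range: {spec}")
        return value
    s = spec.upper()
    value, i = 0, 0
    while i < len(s):
        for name, bit in FLAG_BITS.items():  # three-letter names take priority
            if s.startswith(name, i):
                value |= bit
                i += len(name)
                break
        else:  # no name matched at this position: try the one-letter form
            if s[i] not in LETTERS:
                raise ValueError(f"unknown flag at position {i} in {spec!r}")
            value |= FLAG_BITS[LETTERS[s[i]]]
            i += 1
    return value


def flag_names(flags: int) -> str:
    """Render a flags octet as names, e.g. 0xEB -> 'FIN|SYN|PSH|URG|ECE|CWR'."""
    return "|".join(n for n, b in FLAG_BITS.items() if flags & b) or "NONE"


def classify(flags: int) -> str:
    """Stateless verdict for one flag combination. Combinations no conforming
    stack emits are labelled anomalous; a filter that only tests the SYN bit
    passes all of them."""
    f = FLAG_BITS
    if flags == 0:
        return "anomalous: NULL"
    if flags & f["SYN"] and flags & f["FIN"]:
        return "anomalous: SYN+FIN"
    if flags & f["SYN"] and flags & f["RST"]:
        return "anomalous: SYN+RST"
    xmas = f["FIN"] | f["PSH"] | f["URG"]
    if flags & xmas == xmas and not flags & (f["SYN"] | f["ACK"] | f["RST"]):
        return "anomalous: XMAS"
    if flags & f["SYN"] and not flags & f["ACK"]:
        # ECE|CWR together with SYN is legitimate ECN negotiation (RFC 3168)
        return "connection request"
    if flags & f["SYN"]:
        return "connection reply (SYN+ACK)"
    return "established-flow segment"


def flags_from_tcp_header(header: bytes) -> int:
    """Flags octet of a raw TCP header (byte 13, after the data-offset byte)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return header[13]


def audit(headers):
    """Classify raw TCP headers; returns (flags, names, verdict) per header."""
    out = []
    for h in headers:
        fl = flags_from_tcp_header(h)
        out.append((fl, flag_names(fl), classify(fl)))
    return out


def _header(flags: int) -> bytes:
    # Constructed 20-byte TCP header: sport 40000, dport 22, seq/ack 0,
    # data offset 5, the given flags, window 1024, checksum/urgent 0.
    return ((40000).to_bytes(2, "big") + (22).to_bytes(2, "big") + bytes(8)
            + bytes([0x50, flags]) + (1024).to_bytes(2, "big") + bytes(4))


# Constructed sample traffic covering the cases discussed in the thread.
SAMPLE_HEADERS = [_header(parse_flag_spec(s))
                  for s in ("SYN", "SYNFIN", "SFPUXY", "FPU", "0", "SYNECECWR")]

if __name__ == "__main__":
    for fl, names, verdict in audit(SAMPLE_HEADERS):
        print(f"0x{fl:02x} {names:<26} {verdict}")
```

The classifier is only a per-packet check; it does not replace connection tracking, but it is exactly the test a filter must apply to stop treating "anything without a bare SYN" as part of an existing session, which is the weakness the original poster set out to probe.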
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
