Nmap Development mailing list archives

Re: some nmap tools


From: MadHat <madhat () unspecific com>
Date: Tue, 9 Dec 2003 12:04:47 -0600

On Dec 7, 2003, at 10:57 AM, Tristan Seligmann wrote:
> On Sun, Dec 07, 2003 at 15:06:37 -0000, testic+testic wrote:
>> If the remote port is 'open', i.e. a service is listening on that port, the
>> sender will receive a SYN/ACK.
>> If the port is 'filtered' the sender will receive an RST packet.
>> If the port is 'closed' nothing at all will be received.
>
> I may be wrong, but doesn't filtered mean an ICMP Reject was received?
> And sending SYN to a port with no service listening on it will result in
> RST, not nothing. (of course nothing will be received if a firewall just
> silently drops the packet).


My understanding is that on a SYN scan

ACK => Open
RST => Closed
ICMP or Nothing => filtered

If nothing is returned we assume that it is being dropped by a firewall somewhere, and an "ICMP port unreachable" message means it is being filtered. I am not sure if there is logic for whether or not the RST packet comes from the same host.


>> In 'filtered' and 'closed' states the sender need send no more data at all. Only in 'open' state does any further data need to be sent, in this state we will be sending a further ACK and also we need to close the connection, Nmap I believe will neatly close the connection using FIN. As far as I can tell
>
> I would think nmap would just send RST after receiving SYN|ACK.

The host itself should do it and not have to rely on nmap. Once again, this is my understanding and may be incorrect.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
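
Added example, not part of the original message and not Nmap's code: a Python classifier for reading replies to SYN probes in a capture, using the mapping in Nmap's documentation (SYN/ACK open, RST closed, ICMP unreachable or no reply filtered). The function names, the sample packets and the rule of ignoring TCP replies whose source is not the probed address are assumptions of this example.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
# ICMP type 3 codes that Nmap's documentation lists as "filtered" for a SYN scan.
FILTERED_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}

def classify_reply(packet, target):
    """Map one reply to a SYN probe onto open / closed / filtered / unknown.
    packet is raw IPv4 bytes (None = no reply); target is the probed address."""
    if packet is None:
        return "filtered"                    # silence: assume a silent drop
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "unknown"
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "unknown"
    proto, src, body = packet[9], socket.inet_ntoa(packet[12:16]), packet[ihl:]
    if proto == 6 and len(body) >= 14:       # TCP: flags live in byte 13
        if src != target:                    # this example's choice: ignore TCP
            return "unknown"                 # replies that claim another source
        flags = body[13]
        if flags & RST:
            return "closed"
        if flags & SYN and flags & ACK:
            return "open"
    elif proto == 1 and len(body) >= 2:      # ICMP may come from a device en route
        if body[0] == 3 and body[1] in FILTERED_ICMP_CODES:
            return "filtered"
    return "unknown"

def _ipv4(proto, body, src="192.0.2.1"):
    """Constructed IPv4 packet for the samples (checksums left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton("192.0.2.10")) + body

def _tcp(flags):
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 1024, 0, 0)

SAMPLES = {  # constructed replies; 192.0.2.0/24 is documentation address space
    "syn_ack": _ipv4(6, _tcp(SYN | ACK)),
    "rst": _ipv4(6, _tcp(RST | ACK)),
    "rst_other_host": _ipv4(6, _tcp(RST), src="192.0.2.254"),
    "icmp_admin_prohibited": _ipv4(1, struct.pack("!BBHI", 3, 13, 0, 0), src="192.0.2.254"),
    "timeout": None,
}

for name, pkt in SAMPLES.items():
    print(f"{name:24} {classify_reply(pkt, '192.0.2.1')}")
```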


