Nmap Development mailing list archives

Idle Scanning behind stateful firewalls


From: "Glyn Geoghegan" <nmap () moiler com>
Date: Fri, 26 Mar 2004 20:22:53 +1000

Hi all,

I have a problem with nmap's Idle Scanning.
http://www.insecure.org/nmap/idlescan.html

The probes nmap sends to the Zombie are SYN/ACKs, which as far as I know is a
flexible decision, as the IPIDs increment the same regardless of whether a SYN
or SYN/ACK is sent.

But, because nmap uses a SYN/ACK, its probes get dropped by any stateful
devices (because they aren't part of an active connection), preventing their
use as zombies.

This prevents using a web server (e.g. 192.168.0.1) as a zombie to port-scan
the rest of its network (e.g. 192.168.0.0/28) behind the firewall.

I'm guessing it sends a SYN/ACK for performance reasons, as that will
solicit a RST rather than a SYN/ACK that nmap must then RST.

Is there a way to change this?  Have I missed an option somewhere?  Or am I
talking gibberish?

Cheers,
Glyn Geoghegan.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
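The scenario in the message above, as an added illustration (this is not Nmap's code and not from the original post): a toy simulation of an idle scan in which the attacker reads a zombie's IPID with either a SYN/ACK or a SYN probe, through a stateful perimeter firewall or without one. The model assumes a zombie with one global IPID counter that is bumped on every packet it emits, a firewall between the attacker and the internal /28 (so target-to-zombie traffic never crosses it) that permits inbound SYNs and does no anti-spoofing, and made-up addresses and ports (192.168.0.1 as zombie, 192.168.0.5 as target, 203.0.113.9 as attacker). The class and function names are this example's own.

```python
"""Toy simulation of Nmap idle scanning (-sI) against hosts behind a
stateful firewall. Added illustration, not Nmap's code. Assumptions:
the zombie has one global IPID counter bumped on every packet it sends;
the firewall sits between the attacker and the internal /28, so traffic
between target and zombie never crosses it; it permits any inbound SYN
and performs no anti-spoofing. Addresses and ports are made up.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # "S", "SA", "RA" or "R"
    ipid: int = 0


class Host:
    """Minimal TCP responder with a global, incrementing IPID."""

    def __init__(self, ip, open_ports=(), filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.ipid = 1000

    def _reply(self, pkt, flags):
        self.ipid += 1                      # every emitted packet bumps IPID
        return Packet(self.ip, pkt.src, pkt.dport, pkt.sport, flags, self.ipid)

    def receive(self, pkt):
        """Return the segment a real stack would send back, or None."""
        if pkt.dport in self.filtered_ports:
            return None                     # host-level filter swallows it
        if pkt.flags == "S":
            return self._reply(pkt, "SA" if pkt.dport in self.open_ports else "RA")
        if pkt.flags == "SA":
            return self._reply(pkt, "R")    # unsolicited SYN/ACK -> RST
        return None                         # RSTs are dropped silently


class StatefulFirewall:
    """Perimeter firewall: inbound SYNs create state; any other inbound
    segment is dropped unless it belongs to a tracked flow."""

    def __init__(self):
        self.flows = set()

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.flows.add(key)
            return True
        return key in self.flows


class Attacker:
    def __init__(self, ip, zombie, target, fw=None):
        self.ip, self.zombie, self.target, self.fw = ip, zombie, target, fw
        self.sport = 40000
        self.rsts_sent = 0

    def _send(self, pkt):
        """Deliver pkt into the internal network, honouring the firewall."""
        if self.fw is not None and not self.fw.inbound(pkt):
            return None
        dst = self.zombie if pkt.dst == self.zombie.ip else self.target
        return dst.receive(pkt)

    def read_zombie_ipid(self, flags):
        """Probe zombie:80 with SYN ("S") or SYN/ACK ("SA"); return the IPID
        of its answer, or None if the probe was dropped or unanswered."""
        self.sport += 1
        reply = self._send(Packet(self.ip, self.zombie.ip, self.sport, 80, flags))
        if reply is None:
            return None
        if reply.flags == "SA":
            # a SYN probe opened a half-connection the attacker must tear down
            self.rsts_sent += 1
            self._send(Packet(self.ip, self.zombie.ip, self.sport, 80, "R"))
        return reply.ipid

    def idle_scan(self, port, flags="SA"):
        before = self.read_zombie_ipid(flags)
        if before is None:
            return "zombie-unusable"
        # SYN to the target with the zombie's address forged as the source
        answer = self._send(Packet(self.zombie.ip, self.target.ip, 12345, port, "S"))
        if answer is not None:
            self.zombie.receive(answer)     # target -> zombie stays inside
        after = self.read_zombie_ipid(flags)
        return "open" if after - before == 2 else "closed|filtered"


def demo():
    """Scan ports 22 (open), 23 (closed), 445 (filtered) three ways."""
    results = {}
    for label, use_fw, flags in [("no firewall, SYN/ACK probe", False, "SA"),
                                 ("stateful firewall, SYN/ACK probe", True, "SA"),
                                 ("stateful firewall, SYN probe", True, "S")]:
        zombie = Host("192.168.0.1", open_ports={80})
        target = Host("192.168.0.5", open_ports={22}, filtered_ports={445})
        atk = Attacker("203.0.113.9", zombie, target, StatefulFirewall() if use_fw else None)
        results[label] = {p: atk.idle_scan(p, flags) for p in (22, 23, 445)}
        results[label]["attacker_rsts"] = atk.rsts_sent
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(label, res)
```

In the run, the SYN/ACK probe classifies the target's ports correctly when no firewall is in the path, is dropped outright by the stateful firewall (every port comes back "zombie-unusable"), and the SYN probe works through the firewall at the cost of one extra RST from the attacker per zombie probe, which is the trade-off the message guesses at.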
