Nmap Development mailing list archives
Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
From: Adam Jacob Muller <adam () gotlinux us>
Date: Fri, 7 Jan 2005 06:07:14 -0500
That's a side effect of the fact that -sS is a SYN half-open scan. So it basically can't tell the difference between a filtered and a closed port. I won't pretend to know more than that, since I'm sure someone on this list knows exactly why this happens the way it does and can fill you in if you want to know. Suffice it to say, this is the expected behavior and conforms to TCP norms.
Adam

On Jan 7, 2005, at 4:04 AM, Sébastien CONTRERAS wrote:

Hi

When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the options (-sS or -sT).

1/ When the command line is:

    nmap.exe -sS -p 135-136 -P0 192.168.254.10

The output is:

    Port     State   Service
    135/tcp  open    msrpc
    136/tcp  closed  profile

I made a dump of the packets generated by NMAP with Ethereal:

    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       3501 > 135 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       135 > 3501 [SYN, ACK]
    3   192.168.254.2   192.168.254.10  TCP       3501 > 135 [RST]
    4   192.168.254.2   192.168.254.10  TCP       3501 > 136 [SYN]
    5   192.168.254.10  192.168.254.2   TCP       136 > 3501 [RST, ACK]

2/ When the command line is:

    nmap.exe -sT -p 135-136 -P0 192.168.254.10

The output is:

    Port     State     Service
    135/tcp  open      msrpc
    136/tcp  filtered  profile

I made a dump of the packets generated by NMAP with Ethereal:

    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       4101 > 136 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       136 > 4101 [RST, ACK]
    3   192.168.254.2   192.168.254.10  TCP       4102 > 135 [SYN]
    4   192.168.254.10  192.168.254.2   TCP       135 > 4102 [SYN, ACK]
    5   192.168.254.2   192.168.254.10  TCP       4102 > 135 [ACK]
    6   192.168.254.2   192.168.254.10  TCP       4102 > 135 [RST, ACK]
    7   192.168.254.2   192.168.254.10  TCP       4103 > 136 [SYN]
    8   192.168.254.10  192.168.254.2   TCP       136 > 4103 [RST, ACK]

If we look at the packets corresponding to port 136, the packet sequence is always (whether I use the -sS or -sT option):

    A > B [SYN]
    B < A [RST, ACK]

So my question is:

Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/, whereas the packets generated are the same?

Is this a bug? Or did I forget something?

Thanks for your responses.

SC
--------------------------------------------------------------------- For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org