Nmap Development mailing list archives

Wrong syn scan results because of MSS


From: Juergen Schmidt <ju () heisec de>
Date: Tue, 22 Nov 2005 18:02:48 +0100 (CET)

Hello,

I just found a case where an nmap SYN scan (-sS) reported wrong results
on an Asus router. While the connect scan (-sT) reported port 80 as open,
which was correct, -sS displayed all ports as filtered.

Digging deeper, I found that the major difference between the first two
packets in the scan was that nmap did not set an MSS on the first SYN in
SYN scan mode, and this packet was not answered by the router.

On the Asus router I really found a matching iptables rule:

Chain INPUT
DROP       tcp  --  anywhere     anywhere   tcp option=!2 flags:SYN/SYN

TCP option 2 is the MSS, so that was the cause of the wrong results.

So is there an option to set an MSS on SYN packets generated by nmap -sS?
I did not find any.

The Asus router was in its default configuration.


bye, ju

PS: Please CC me on answers to this.

-- 
Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju () heisec de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
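The rule quoted in the mail matches SYN segments that carry no MSS option (TCP option kind 2). The following Python, added here as an example and not part of the original mail or of nmap, emulates that match against two constructed TCP headers, a bare SYN like the one -sS sent and a SYN carrying an MSS option like the one the OS stack sends for -sT, to show why every port came back as "filtered"; the option parser also handles NOP and EOL so the check is not fooled by padding.

```python
import struct

TCP_SYN = 0x02   # SYN flag bit in the TCP flags byte
MSS_KIND = 2     # TCP option kind 2 = Maximum Segment Size (the "option=!2" in the rule)


def tcp_option_kinds(segment: bytes) -> set:
    """Return the set of option kinds carried in a raw TCP header."""
    header_len = (segment[12] >> 4) * 4          # data offset, in bytes
    opts = segment[20:header_len]
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # EOL: end of option list
            break
        kinds.add(kind)
        if kind == 1:                            # NOP: single-byte option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # truncated or malformed length
            break
        i += opts[i + 1]
    return kinds


def rule_drops(segment: bytes) -> bool:
    """Emulate 'DROP tcp option=!2 flags:SYN/SYN': SYN set and no MSS option present."""
    syn_set = bool(segment[13] & TCP_SYN)
    return syn_set and MSS_KIND not in tcp_option_kinds(segment)


def build_syn(sport: int, dport: int, options: bytes = b"") -> bytes:
    """Build a minimal TCP SYN header (constructed sample; checksum left 0, never sent)."""
    options += b"\x00" * ((-len(options)) % 4)  # pad option list to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 0x1234, 0,
                        (data_offset << 12) | TCP_SYN, 65535, 0, 0)
    return fixed + options


# Constructed samples: the bare SYN nmap -sS sent, and a SYN with MSS 1460 as the OS stack sends for -sT.
BARE_SYN = build_syn(40000, 80)
MSS_SYN = build_syn(40000, 80, b"\x02\x04\x05\xb4")       # kind 2, length 4, MSS 1460

if __name__ == "__main__":
    for name, pkt in (("nmap -sS SYN", BARE_SYN), ("kernel SYN", MSS_SYN)):
        print(f"{name:12s} options={sorted(tcp_option_kinds(pkt))} dropped={rule_drops(pkt)}")
```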

