Nmap Development mailing list archives

Re: Patch: Setting the flags for Idlescan


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 16 Mar 2006 16:55:53 -0800

On Mar 16, 2006, at 4:17 PM, Fyodor wrote:

On Thu, Mar 16, 2006 at 03:51:31PM -0800, Kurt Grutzmacher wrote:
Here's a minor option addition to set nmap's Idle scan (-sI) flags. Modified the --scanflags parser to add some common words (SYNACK, PUSHACK). I did
this while researching Marco Ivaldi's bugtraq post here:
http://seclists.org/lists/bugtraq/2006/Mar/0258.html.

I saw that post and it is definitely interesting.  Would you try
posting your patch again?  Maybe you forgot to attach it, or maybe it
was sent with a mime type that this list doesn't allow.  Renaming it
with a .txt extension often helps mailers figure out that it is text/*
rather than application/*.

Gmail attachments! Bah humbug, but I'll try from here instead, renamed to .txt.

While your patch would be useful for people testing this and related
issues, I'm not sure it is needed for the main Nmap distribution.  In
Marco's post, he notes that Nmap works unmodified since it already
sends SYN/ACK.  Before adding a new option to change that probe
to use different flags, I'd like to see at least one case where it
would help.  And remember that the target machine will be sending back
SYN/ACK packets no matter what our initial probe uses.

Certainly it is great for testing purposes, and I'm not sure if there are a lot of uses outside of that, as most machines I've tried to use Idlescan on have worked with just SYN/ACK. I am curious how many others are out there that may work as well. It was a quick mod to a couple of lines and has worked well in my tests.

I have found a couple cases where SYNACK will not work but just ACK will:

The zombie is listening on TCP port 55, which is being forwarded via iptables to another port on the same machine (22). If I send SYN/ACK (tcpflags 18) packets, I get no response from the zombie. If I send ACK (tcpflags 16) packets, I get a RST from the zombie and the scan works.

SYN/ACK:

SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA ttl=53 id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775
Idlescan zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE) port 55 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.
QUITTING!

ACK:

SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0
Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class: Incremental

Certainly a unique situation, but still possible.

Attachment: nmap-4.02Alpha2-idleflags.diff.txt




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
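Added example, not code from the thread, from Kurt's patch or from Nmap itself: a small Python script that parses the SENT/RCVD trace lines quoted in the message above, turns an --scanflags style word such as SYNACK or ACK into the tcpflags values the message cites (18 and 16), and decides whether the candidate zombie answered the probe with a RST, which is what makes it usable for idle scanning. It also includes a simplified version of the IP ID sequence classification ("Incremental", "All zeros", ...) run over a constructed sequence of zombie IP IDs. Assumptions: the trace line format is exactly as quoted; the flag-word parser and the PUSH alias are a stand-in for, not a copy of, Nmap's own --scanflags code; the IP ID class thresholds are ours, not Nmap's.

```python
import re
from typing import Dict, List, Optional

# TCP flag bits (RFC 793 / RFC 3168).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# One letter per flag, in the order the quoted trace lines print them
# ("SA", "A", "R"); the order of the other letters is an assumption.
FLAG_LETTER_ORDER = [("SYN", "S"), ("FIN", "F"), ("RST", "R"), ("PSH", "P"),
                     ("ACK", "A"), ("URG", "U"), ("ECE", "E"), ("CWR", "C")]
# Extra spelling the thread's patch is described as accepting ("PUSHACK");
# treated here as a plain alias (assumption about the patch's behaviour).
FLAG_ALIASES = {"PUSH": "PSH"}


def parse_scanflags(spec: str) -> int:
    """--scanflags style argument -> 8-bit TCP flags value.

    Accepts a decimal or 0x-prefixed number, or flag words run together in
    any order: "SYNACK" -> 18, "ACK" -> 16, "PUSHACK" -> 24.
    """
    s = spec.strip().upper()
    if re.fullmatch(r"0X[0-9A-F]+", s):
        val = int(s, 16)
    elif s.isdigit():
        val = int(s)
    else:
        for alias, canon in FLAG_ALIASES.items():
            s = s.replace(alias, canon)
        val, pos = 0, 0
        while pos < len(s):
            word = s[pos:pos + 3]
            if word not in TCP_FLAG_BITS:
                raise ValueError(f"unknown flag word in {spec!r}: {word!r}")
            val |= TCP_FLAG_BITS[word]
            pos += 3
    if not 0 <= val <= 0xFF:
        raise ValueError(f"flags value out of range: {spec!r}")
    return val


def flags_to_letters(flags: int) -> str:
    """Render flag bits the way the trace lines do (18 -> "SA", 4 -> "R")."""
    return "".join(letter for name, letter in FLAG_LETTER_ORDER
                   if flags & TCP_FLAG_BITS[name])


# Matches the SENT/RCVD lines quoted in the message (win/ack are optional).
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]*) ttl=(?P<ttl>\d+) id=(?P<id>\d+) iplen=(?P<iplen>\d+) "
    r"seq=(?P<seq>\d+)(?: win=(?P<win>\d+))?(?: ack=(?P<ack>\d+))?")


def parse_trace_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one trace line into a dict, or return None if it is not one."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    for k in ("sport", "dport", "ttl", "id", "iplen", "seq", "win", "ack"):
        d[k] = int(d[k]) if d[k] is not None else None  # type: ignore[arg-type]
    return d


def zombie_probe_result(trace_lines: List[str]) -> Dict[str, object]:
    """Did the zombie answer our probe with a RST (so its IP ID is sampleable)?

    A silent zombie, like the SYN/ACK case in the message, is unusable.
    """
    pkts = [p for p in map(parse_trace_line, trace_lines) if p]
    sent = next((p for p in pkts if p["dir"] == "SENT"), None)
    if sent is None:
        raise ValueError("no SENT line in trace")
    reply = next((p for p in pkts if p["dir"] == "RCVD"
                  and p["src"] == sent["dst"] and p["sport"] == sent["dport"]
                  and p["dst"] == sent["src"] and p["dport"] == sent["sport"]),
                 None)
    return {"probe_flags": sent["flags"],
            "reply_flags": reply["flags"] if reply else None,
            "reply_ipid": reply["id"] if reply else None,
            "usable": bool(reply and "R" in str(reply["flags"]))}


def classify_ipid(ids: List[int]) -> str:
    """Simplified IP ID sequence class; thresholds are ours, not Nmap's."""
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= 10 for d in diffs):
        return "Incremental"
    if all(d % 256 == 0 and 1 <= d // 256 <= 10 for d in diffs):
        return "Broken little-endian incremental"  # byte-swapped counter
    return "Random"


# Trace lines copied from the quoted message (placeholder addresses kept).
SYNACK_TRACE = ["SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA "
                "ttl=53 id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775"]
ACK_TRACE = ["SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A "
             "ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419",
             "RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R "
             "ttl=64 id=54084 iplen=40 seq=3026693419 win=0"]

if __name__ == "__main__":
    for name in ("SYNACK", "ACK", "PUSHACK"):
        print(name, parse_scanflags(name), flags_to_letters(parse_scanflags(name)))
    print("SYN/ACK probe:", zombie_probe_result(SYNACK_TRACE))
    print("ACK probe:", zombie_probe_result(ACK_TRACE))
    print("constructed IP ID sample:", classify_ipid([54084, 54085, 54086]))
```

Running it reproduces the message's observation: the SYN/ACK probe has no matching RCVD line and is reported unusable, the ACK probe gets a RST back carrying IP ID 54084, and a constructed run of consecutive IDs from that zombie classifies as Incremental.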
