Nmap Development mailing list archives
RE: Maybe bug, with -sP und ASA sending RST for denied networks
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Fri, 26 Oct 2007 14:58:47 -0400
Interesting comment about the TTL behaviour. As I happen to have an ASA at home, I'll give it a try to see how the TTL differs between an RST sent back by a host *behind* the ASA, and an RST sent by the ASA itself. Thanks, Dario
-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Pluto
Sent: Friday, October 26, 2007 8:51 AM
To: nmap-dev () insecure org
Subject: Re: Maybe bug, with -sP und ASA sending RST for denied networks

On Wed, Oct 24, 2007 at 02:59:36PM -0400, Dario Ciccarone (dciccaro) wrote:
> Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a possible explanation - whoever configured the device enabled the "service resetinbound" option:
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1348346
>
> The ICMP probe might then be dropped, and the probe to 80/tcp replied to with an RST. Hard then to determine what is going on just by looking at a packet capture and with no additional info. My money would be on "resetinbound" plus an ACL dropping ICMP echo request. But it could also be that the ruleset does indeed drop ICMP echo request, but has an entry that says "permit tcp any host X" - and host X isn't actually listening on 80/tcp.

Actually it would be possible to detect such behaviour, as in my experience these devices are before a firewall, so nmap usually sees very many RSTs, like ping is dead *and* all scanned ports are "closed", which is odd and could be noticed. Another thing is, when the TTL of the RST is lower than the TTL of a SYN-ACK, this could be noticed by nmap as well. With hping you get to see these details, so you can differentiate manually.

Regards
--
Pluto - SysAdmin of Hades
Free information! Freedom through knowledge. Wisdom for all!! =:-)
PGP://0xB4BBB4A9?524CB500A8F3EAA2&6A3E5272F9072A17 ICQ: 286852401
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
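The two tells discussed in this thread (ping dead while every scanned port answers RST, and RSTs whose TTL does not match the SYN-ACKs from the same host) can be checked mechanically once the per-probe replies are in hand. The script below is an added example for this archive page; it is not nmap or hping code and not something either poster provided. It takes a list of reply records as a scanner would collect them and applies three heuristics: ping dead with all ports "closed", RSTs arriving from fewer estimated hops than SYN-ACKs, and RSTs for the same target arriving from different hop distances. Because initial TTLs differ by operating system, it compares estimated hop distance (observed TTL against the nearest common initial value of 64, 128 or 255) rather than raw TTL. The `Reply` type, the hop-estimation rule and all sample data are assumptions constructed for the example; in the constructed data, the firewall's resets carry TTL 246 as if sent by a device with initial TTL 255 nine hops away, while the protected host answers with TTL 52 (initial 64, twelve hops). None of this asserts what TTL a real ASA uses.

```python
"""Flag firewall-generated TCP resets from scanner reply data.

Added example for the nmap-dev thread on ASA 'service resetinbound'
behaviour. Not nmap or hping code. All sample replies below are
constructed, not captured from a real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Initial TTLs commonly used by operating systems and network devices.
# Assumption of this example: the reply's sender used one of these.
COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass
class Reply:
    proto: str            # "icmp" or "tcp"
    port: Optional[int]   # TCP destination port probed, None for ICMP
    answer: str           # "echo-reply", "syn-ack", "rst" or "none"
    ttl: Optional[int]    # IP TTL seen on the reply, None if no reply


def hop_distance(ttl: int) -> int:
    """Estimate hops traversed: distance from the smallest common
    initial TTL that is >= the observed TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range: %r" % ttl)


def analyze(replies: List[Reply]) -> Dict[str, object]:
    """Apply the thread's heuristics and return the evidence collected."""
    icmp = [r for r in replies if r.proto == "icmp"]
    tcp = [r for r in replies if r.proto == "tcp"]
    rsts = [r for r in tcp if r.answer == "rst"]
    synacks = [r for r in tcp if r.answer == "syn-ack"]

    findings: List[str] = []

    # Tell 1: every ICMP probe unanswered, yet every TCP port "closed".
    ping_dead = bool(icmp) and all(r.answer == "none" for r in icmp)
    if ping_dead and tcp and len(rsts) == len(tcp):
        findings.append("ping-dead-all-closed")

    # Tell 2: RSTs come from a device closer than the one sending SYN-ACKs.
    rst_hops = {hop_distance(r.ttl) for r in rsts if r.ttl is not None}
    sa_hops = {hop_distance(r.ttl) for r in synacks if r.ttl is not None}
    if rst_hops and sa_hops and min(rst_hops) < min(sa_hops):
        findings.append("rst-fewer-hops")

    # Tell 3: RSTs for one target from different distances means more than
    # one device is answering (host for some ports, firewall for others).
    if len(rst_hops) > 1:
        findings.append("rst-hops-inconsistent")

    return {
        "ping_dead": ping_dead,
        "rst_hops": sorted(rst_hops),
        "synack_hops": sorted(sa_hops),
        "findings": findings,
    }


# Constructed sample data (not real captures).
# Host behind a firewall: 22/tcp permitted and open, 80 and 443 denied and
# reset by the firewall, ICMP echo dropped.
SAMPLE_FIREWALL_RESETS = [
    Reply("icmp", None, "none", None),
    Reply("tcp", 22, "syn-ack", 52),
    Reply("tcp", 80, "rst", 246),
    Reply("tcp", 443, "rst", 246),
]

# Every probed port denied: nmap would see ping dead and all ports closed.
SAMPLE_ALL_DENIED = [
    Reply("icmp", None, "none", None),
    Reply("tcp", 22, "rst", 246),
    Reply("tcp", 80, "rst", 246),
    Reply("tcp", 443, "rst", 246),
]

# Ordinary host, no firewall in the path: all replies from the same distance.
SAMPLE_PLAIN_HOST = [
    Reply("icmp", None, "echo-reply", 52),
    Reply("tcp", 22, "syn-ack", 52),
    Reply("tcp", 80, "rst", 52),
]


if __name__ == "__main__":
    for name, sample in (("firewall-resets", SAMPLE_FIREWALL_RESETS),
                         ("all-denied", SAMPLE_ALL_DENIED),
                         ("plain-host", SAMPLE_PLAIN_HOST)):
        print(name, analyze(sample))
```

The hop estimate is a heuristic: a sender using an unusual initial TTL, or a path whose length happens to make two different initial values line up, will fool it, which is why the script reports the raw evidence alongside its findings rather than a verdict.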
Current thread:
- Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 20)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Fyodor (Oct 22)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 24)
- RE: Maybe bug, with -sP und ASA sending RST for denied networks Dario Ciccarone (dciccaro) (Oct 24)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 26)
- RE: Maybe bug, with -sP und ASA sending RST for denied networks Dario Ciccarone (dciccaro) (Oct 26)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Fyodor (Oct 22)