Nmap Development mailing list archives

Re: PA vs PS


From: David Fifield <david () bamsoftware com>
Date: Thu, 26 Feb 2009 08:51:06 -0700

On Thu, Feb 26, 2009 at 03:16:39AM -0600, fred jones wrote:
I'm having trouble with PA and PS options.

Regardless of whether I use PA or PS (as either a super user or
normal) both send only a SYN flag. I was under the impression that PA
was supposed to set an ACK flag, but no matter what I try it still
only sets a SYN flag.

I'm using variations of:

sudo ./nmap -v -PA 192.168.1.1 -p80

I've tried this on both OS X and Slackware. Sorry for such a newbie
question, but Google and the man page have not been of much
assistance. Thanks.

It's probably because you're scanning on a local network and Nmap is
using ARP ping instead of what you requested. On a LAN there's no point
in sending an IP-based ping because you would need to do an ARP request
first to send the IP packet, and by the time you get the ARP reply you
already know the host is up. That said, you can force the use of non-ARP
pings with the --send-ip option.

The SYN packet you see is the port scan packet to port 80.

Try using the --packet-trace option to see exactly what's being sent.
Compare the output from these two commands:

        sudo ./nmap -n -sP -PA 192.168.1.1 --packet-trace
        sudo ./nmap -n -sP -PA scanme.nmap.org --packet-trace

In the first case you'll see ARP ping and in the second ACK ping.

David Fifield
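An added example (not part of the thread) that makes the two --packet-trace comparisons above checkable: it parses SENT lines in the format Nmap prints, reports whether the discovery probe was ARP or a TCP ACK/SYN ping, and applies the same-subnet test that decides when Nmap substitutes ARP ping. The trace lines and addresses are constructed for the example (203.0.113.10 stands in for the Internet host).

```python
import ipaddress
import re

# Constructed --packet-trace output for a LAN target and an Internet target.
LAN_TRACE = """\
SENT (0.0210s) ARP who-has 192.168.1.1 tell 192.168.1.5
RCVD (0.0220s) ARP reply 192.168.1.1 is-at 00:11:22:33:44:55
"""
WAN_TRACE = """\
SENT (0.0400s) TCP 192.168.1.5:41234 > 203.0.113.10:80 A ttl=52 id=8721 iplen=40 seq=0 win=1024
RCVD (0.1200s) TCP 203.0.113.10:80 > 192.168.1.5:41234 R ttl=51 id=0 iplen=40 seq=0 win=0
"""

TRACE_RE = re.compile(r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>ARP|TCP|UDP|ICMP) (?P<rest>.*)$")
TCP_RE = re.compile(r"^(?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) (?P<flags>[A-Z]*)")


def parse_trace(text):
    """Return (proto, target, port, tcp_flags) for every probe Nmap SENT."""
    probes = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m or m["dir"] != "SENT":
            continue  # only outgoing probes tell us which ping type was used
        if m["proto"] == "TCP":
            t = TCP_RE.match(m["rest"])
            probes.append(("TCP", t["dst"], int(t["dport"]), t["flags"]))
        elif m["proto"] == "ARP":
            probes.append(("ARP", m["rest"].split()[1], None, None))  # "who-has <ip> tell <ip>"
        else:
            probes.append((m["proto"], None, None, None))
    return probes


def discovery_method(text):
    """Name the host-discovery probe the trace shows (ARP wins on a LAN)."""
    probes = parse_trace(text)
    if any(p[0] == "ARP" for p in probes):
        return "ARP ping"
    for proto, _, port, flags in probes:
        if proto == "TCP" and flags in ("A", "S"):
            return f"TCP {'ACK' if flags == 'A' else 'SYN'} ping to port {port}"
    return "unknown"


def nmap_would_arp(source_ip, prefix_len, target_ip):
    """Same-subnet test: a target on the directly attached network gets ARP ping
    unless --send-ip is given (assumed simplification of Nmap's logic)."""
    net = ipaddress.ip_network(f"{source_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(target_ip) in net
```

Feed real --packet-trace output to discovery_method() to confirm that a -PA scan of a LAN host shows ARP while the same scan of an off-link host shows the ACK probe.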

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org