Re: TCP Split Handshake and Nmap

[David Fifield <david () bamsoftware com>]

On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
> The attached patch does very little work since the split handshake SYN
> passes the existing checks for dest port matching a probe source port;
> it adds a test for the SYN flag right after the test for SYN|ACK for SYN
> scans.

+         } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {

Just one thing I would change here:

+         } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {

That way it will work with a SYN|URG or SYN|PSH or something else silly.
Putting this test after the SYN|ACK test lets SYN|ACK continue giving
the correct reason code.

> Adding the reason code was a bit of a headfuck, but I seem to
> have managed it without breaking anything (a echo request ping still
> yields an echo-reply as the reason, for instance).

Thanks for taking care with this. The reason codes are way more
complicated than they need to be. It's meant to make it easy to look up,
say, the reason code for a ICMP code with just an addition, but that's
not worth the huge maintenance/understandability problems in my opinion.
(Plus all the places that look up the code have to have knowledge of the
table's magic structure, spreading the complexity around). A couple of
lookup tables from ICMP types/codes to reason codes would be much
better.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/