Nmap Development mailing list archives
Re: NULL scan response
From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Jul 2011 17:02:31 -0700
On Wed, Jul 13, 2011 at 10:56:19AM -0400, Matthew Stickney wrote:
Hi,

While running some scans today, I noticed something strange. Some machines respond to a NULL scan probe with a RST/ACK packet rather than a plain RST. This is clearly different than receiving no response, or getting an ICMP unreachable error, but NMap still lists the port as open|filtered. I noticed similar behavior with FIN and Xmas scans (one machine sends FIN/PUSH/URG in response to Xmas, another RST/ACK, but in both cases NMap lists the port as open|filtered). The relevant RFC requires a plain RST to be sent, but is labelling these ports open|filtered the expected behavior from NMap, or a bug?

Example scan follows.

    $ sudo nmap 172.16.1.198 -n -Pn -sN --packet-trace -p 50

    Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-13 10:44 EDT
    SENT (0.2370s) ARP who-has 172.16.1.198 tell 172.16.1.181
    RCVD (0.2380s) ARP reply 172.16.1.198 is-at 00:1C:C0:93:33:FB
    SENT (0.5660s) TCP 172.16.1.181:61318 > 172.16.1.198:50 ttl=58 id=37325 iplen=40 seq=748468818 win=3072
    RCVD (0.5760s) TCP 172.16.1.198:50 > 172.16.1.181:61318 RA ttl=64 id=0 iplen=40 seq=0 win=0
    SENT (0.6670s) TCP 172.16.1.181:61319 > 172.16.1.198:50 ttl=48 id=2691 iplen=40 seq=748534355 win=1024
    RCVD (0.6670s) TCP 172.16.1.198:50 > 172.16.1.181:61319 RA ttl=64 id=0 iplen=40 seq=0 win=0
    Nmap scan report for 172.16.1.198
    Host is up (0.00018s latency).
    PORT   STATE         SERVICE
    50/tcp open|filtered re-mail-ck

    Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
The code should already be interpreting RST+ACK as a closed port. Here is the part I think is responsible in scan_engine.cc:

    /* Now that response has been matched to a probe, I interpret it */
    if (USI->scantype == SYN_SCAN
        && (tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
      /* Yeah! An open port */
      newstate = PORT_OPEN;
      current_reason = ER_SYNACK;
    } else if (tcp->th_flags & TH_RST) {
      /* Any RST, with or without ACK set, lands here */
      current_reason = ER_RESETPEER;
      if (USI->scantype == WINDOW_SCAN) {
        newstate = (tcp->th_win) ? PORT_OPEN : PORT_CLOSED;
      } else if (USI->scantype == ACK_SCAN) {
        newstate = PORT_UNFILTERED;
      } else
        newstate = PORT_CLOSED;
    } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN)) {
      /* A SYN from a TCP Split Handshake -
         http://nmap.org/misc/split-handshake.pdf - open port */
      newstate = PORT_OPEN;
      current_reason = ER_SYN;
    } else {
      if (o.debugging)
        error("Received scan response with unexpected TCP flags: %d", tcp->th_flags);
      break;
    }

Try running with -d3 and see if there are any helpful debugging messages. Also, it may help if you can send a complete packet capture.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
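The classification branch quoted in the reply, reimplemented in Python as an added example (not code from the nmap project or from anyone in this thread). It parses --packet-trace RCVD lines of the kind shown in the original report and applies the same decision rules, so an RA reply to a NULL probe falls into the closed branch; the FPU line in the sample trace is constructed to stand in for the FIN/PUSH/URG reply mentioned for the Xmas scan, and the flag bit values are assumed to match netinet/tcp.h.

```python
import re

# TCP flag bits, assumed equal to the th_flags values in netinet/tcp.h.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": TH_FIN, "S": TH_SYN, "R": TH_RST,
                "P": TH_PUSH, "A": TH_ACK, "U": TH_URG}

# Matches RCVD TCP lines of nmap --packet-trace output (format taken from the thread).
RCVD_RE = re.compile(r"RCVD \(\S+\) TCP (?P<src>\S+) > (?P<dst>\S+) "
                     r"(?P<flags>[A-Z]+) .*?win=(?P<win>\d+)")

# Constructed sample: the two RA replies from the reported trace plus an invented
# FPU line standing in for the FIN/PUSH/URG reply seen on an Xmas scan.
SAMPLE_TRACE = """\
SENT (0.5660s) TCP 172.16.1.181:61318 > 172.16.1.198:50 ttl=58 id=37325 iplen=40 seq=748468818 win=3072
RCVD (0.5760s) TCP 172.16.1.198:50 > 172.16.1.181:61318 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (0.6670s) TCP 172.16.1.198:50 > 172.16.1.181:61319 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (0.7000s) TCP 172.16.1.198:50 > 172.16.1.181:61320 FPU ttl=64 id=0 iplen=40 seq=0 win=0
"""

def parse_rcvd(line):
    """Return (flag_bitmask, window) for an RCVD TCP line, or None for any other line."""
    m = RCVD_RE.search(line)
    if not m:
        return None
    flags = 0
    for ch in m.group("flags"):
        flags |= FLAG_LETTERS[ch]
    return flags, int(m.group("win"))

def classify(scantype, flags, win):
    """Port state and reason, following the branch order of the scan_engine.cc snippet."""
    if scantype == "SYN" and (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK):
        return "open", "syn-ack"
    if flags & TH_RST:  # a bare RST and RST+ACK both take this branch
        if scantype == "WINDOW":
            return ("open" if win else "closed"), "reset"
        if scantype == "ACK":
            return "unfiltered", "reset"
        return "closed", "reset"  # NULL, FIN, Xmas, Maimon: closed
    if scantype == "SYN" and flags & TH_SYN:
        return "open", "syn"  # split-handshake SYN
    return "unexpected", "flags=0x%02x" % flags  # the "unexpected TCP flags" debug case

def classify_trace(scantype, trace):
    """Classify every RCVD TCP line of a packet-trace text; other lines are skipped."""
    return [classify(scantype, *p) for p in map(parse_rcvd, trace.splitlines()) if p]

if __name__ == "__main__":
    for state, reason in classify_trace("NULL", SAMPLE_TRACE):
        print(state, reason)
```

Running it against the sample prints closed/reset for both RA replies and unexpected/flags=0x29 for the FPU reply, which is the path where nmap only logs a message under -d and leaves the port state untouched.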