Nmap Development mailing list archives
Re: NULL scan response
From: Fyodor <fyodor () insecure org>
Date: Fri, 19 Aug 2011 15:13:08 -0700
On Tue, Aug 16, 2011 at 05:04:15PM -0400, Joe McEachern wrote:
We looked into this issue further. Just to recap, when running null TCP scans, a TCP response with RST+ACK is marked as open.
Well, "open|filtered" anyway. But I agree that it should be "closed" or possibly "closed|filtered" instead.
David mentioned the code in scan_engine.cc that should be marking this as closed. However, this code is not running. When tcp_probe_match() is called, it is returning false here: if ((tcp->th_flags & (TH_RST | TH_ACK)) == (TH_RST | TH_ACK) && !(probedata->flags & (TH_SYN | TH_FIN))) { return false; } This seems to exclude the possibility of marking a TCP RST+ACK response as closed during a null scan.
Good catch! We should probably just delete this line, but we need to move carefully to ensure that doesn't allow for probe/response mismatches. Do you happen to know what OS & OS version any of the affected machines (those returning the improper RST/ACK) are running? I will add an item to the Nmap TODO list to solve this. Cheers, Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NULL scan response Matthew Stickney (Jul 13)
- Re: NULL scan response David Fifield (Jul 18)
- Re: NULL scan response Matthew Stickney (Jul 19)
- Message not available
- Re: NULL scan response Joe McEachern (Aug 16)
- Re: NULL scan response Fyodor (Aug 19)
- Re: NULL scan response Joe McEachern (Aug 19)
- Re: NULL scan response David Fifield (Aug 24)
- Re: NULL scan response David Fifield (Jul 18)