Nmap Development mailing list archives
Re: NULL scan response
From: David Fifield <david () bamsoftware com>
Date: Wed, 24 Aug 2011 22:37:30 -0700
On Fri, Aug 19, 2011 at 07:38:39PM -0400, Joe McEachern wrote:
Hi, I did go back and try old versions of nmap (3.x and 4.x) and you do see the ports marked as closed. We originally thought the RST+ACK response was not correct based on RFC 793. But after looking at this in more detail, I think the RST+ACK response is actually correct for a null scan to a closed port.

If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

If the ACK bit is off, sequence number zero is used,
*<SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>*
If the ACK bit is on,
<SEQ=SEG.ACK><CTL=RST>
Return.

I think both checks for RST+ACK and RST in scan_engine.cc don't allow some of the scan types to match up probes. Besides the null scan, we see a similar issue with the push scan and maimon scans.
Thanks for your hard work and investigation into this. I have removed the RST/ACK and RST matching conditions. I'm not sure why I added those specific rules in the first place; I might have misunderstood the section of RFC 793 you quoted above.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
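An added example, not nmap's scan_engine.cc or anyone's code from the thread: it models the RFC 793 CLOSED-state rule Joe quotes and a probe matcher that accepts either reset form (RST+ACK when the probe had no ACK bit, bare RST when it did) instead of demanding one fixed flag combination. The probe flag sets, sequence numbers and the port_state helper are assumptions constructed for illustration.

```python
# Added example; models the RFC 793 text quoted in the thread, not nmap's code.
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets of the probe types discussed above (constructed for this example)
SCAN_PROBES = {"null": 0, "fin": FIN, "xmas": FIN | PSH | URG, "maimon": FIN | ACK}


@dataclass(frozen=True)
class Segment:
    flags: int
    seq: int
    ack: int = 0
    payload: int = 0  # data octets carried; the scan probes carry none

    @property
    def seg_len(self) -> int:
        # SEG.LEN counts data octets plus one each for SYN and FIN (RFC 793)
        return self.payload + bool(self.flags & SYN) + bool(self.flags & FIN)


def closed_port_reply(seg: Segment) -> Optional[Segment]:
    """Reset a CLOSED port sends for an incoming segment (RFC 793, CLOSED state).
    Returns None when nothing is sent (an incoming RST is discarded)."""
    if seg.flags & RST:
        return None
    if seg.flags & ACK:  # ACK on: <SEQ=SEG.ACK><CTL=RST>
        return Segment(flags=RST, seq=seg.ack)
    # ACK off: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    return Segment(flags=RST | ACK, seq=0, ack=seg.seq + seg.seg_len)


def reset_matches_probe(probe: Segment, resp: Segment) -> bool:
    """Match a reset to its probe by sequence numbers, accepting either flag
    form rather than requiring RST+ACK or bare RST for a given scan type."""
    if not resp.flags & RST:
        return False
    if resp.flags & ACK:
        return resp.ack == probe.seq + probe.seg_len  # ACK covers the probe
    return resp.seq == probe.ack  # bare RST echoes the probe's ACK number


def port_state(scan: str, resp: Optional[Segment], seq: int = 1000, ack: int = 4242) -> str:
    """Classify as these scans do: matching RST = closed, silence = open|filtered."""
    probe = Segment(flags=SCAN_PROBES[scan], seq=seq, ack=ack)
    if resp is None:
        return "open|filtered"
    return "closed" if reset_matches_probe(probe, resp) else "unmatched"


if __name__ == "__main__":
    for name, flags in SCAN_PROBES.items():
        probe = Segment(flags=flags, seq=1000, ack=4242)
        print(name, closed_port_reply(probe), port_state(name, closed_port_reply(probe)))
```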