Re: NULL scan response

[David Fifield <david () bamsoftware com>]

On Fri, Aug 19, 2011 at 07:38:39PM -0400, Joe McEachern wrote:
> Hi,
>
> I did go back and try old versions of nmap (3.x and 4.x) and you do see the
> ports marked as closed. We originally thought the RST+ACK response was not
> correct based on RFC 793. But after looking at this in more detail, I think
> the RST+ACK response is actually correct for a null scan to a closed port.
>
> If the state is CLOSED (i.e., TCB does not exist) then
>
> all data in the incoming segment is discarded. An incoming
> segment containing a RST is discarded. An incoming segment not
> containing a RST causes a RST to be sent in response. The
> acknowledgment and sequence field values are selected to make the
> reset sequence acceptable to the TCP that sent the offending
> segment.
>
> If the ACK bit is off, sequence number zero is used,
>
> *<SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>*
>
> If the ACK bit is on,
>
> <SEQ=SEG.ACK><CTL=RST>
>
> Return.
>
> I think both checks for RST+ACK and RST in scan_engine.cc don't allow some
> of the scan types to match up probes. Beside the null scan, we see a similar
> issue with the push scan and maimon scans.

Thanks for your hard work and investigation into this. I have remove the
RST/ACK and RST matching conditions. I'm not sure why I added those
specific rules in the first place; I might have misunderstood the
section of RFC 793 you quoted above.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/