Nmap Development mailing list archives

Re: osscan2.cc ACK/URG anomaly


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 9 Aug 2014 15:13:18 -0500

Gisle,

The documentation on Nmap's OS detection [1] has this to say regarding the
urgent field:

TCP explicit congestion notification (ECN): [...] For an unrelated (to
ECN) test, the urgent field value of 0xF7F5 is used even though the
urgent flag is not set. [...]

Then later:

The other quirk Nmap tests for is a nonzero urgent pointer field value
when the URG flag is not set. This is also particularly likely to be seen
in response to the ECN probe, which sets a non-zero urgent field.

Regarding acknowledgement number,

The sequence and acknowledgment numbers are random (but saved so
Nmap can differentiate responses).

This is the HostOsScan::tcpAck member in osscan2.cc. Perhaps it would be
best only to send this when the ACK flag is set, but that might invalidate
some of our OS database. Regardless, this is the intended behavior, not a
bug.

Thanks for the questions! Answering this sort of thing always teaches me
something new, too.

Dan

[1] http://nmap.org/book/osdetect-methods.html


On Sat, Aug 9, 2014 at 5:37 AM, Gisle Vanem <gvanem () yahoo no> wrote:

Regarding my message:
 http://seclists.org/nmap-dev/2014/q1/169

I think I've found the cause of this ACK/URG anomaly. But would like to
ask here first...

void HostOsScan::sendTEcnProbe(HostOsScanStats *hss) {
...
 send_tcp_probe(hss, o.ttl, false, NULL, 0,
                tcpPortBase + NUM_SEQ_SAMPLES + 6, hss->openTCPPort,
                tcpSeqBase, 0,
                8, TH_CWR|TH_ECE|TH_SYN, prbWindowSz[6], 63477,  << line 1791
                prbOpts[6].val, prbOpts[6].len, NULL, 0);
}

Why does it send a URG-value without the TH_URG flag set here?
IMHO, this should be:
                8, TH_CWR|TH_ECE|TH_SYN|TH_URG, prbWindowSz[6], 63477,

The same problem with the ACK-flag; in several places the 'tcpAck != 0'
member can be sent with no TH_ACK set. Is this an oversight or working as
designed?

So now, after a local patch to osscan2.cc, the 'nmap -sT -ddd ...' output
for the call at line 1791 gives:
 SENT (6.3910s) TCP [10.0.0.6:39171 > 10.0.0.1:22 SUEC seq=250798708
ack=0  off=8 res=8 win=3 csum=0xC6B7 urp=63477 <wscale 10,nop,mss
1460,sackOK,
 nop,nop>] IP [ver=4 ihl=5 tos=0x00 iplen=52 id=63235 foff=0 ttl=49
proto=6 csum=0x7eba]
Send probe (type: OFP_TECN, subid: 0) to 10.0.0.1

The 'U' says the URG-value is !=0. Makes more sense?

--gv
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
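Dan's explanation and Gisle's trace above concern the same header fields. The following is an added example, not Nmap's code and not from either message: it packs the ECN probe's TCP header with the parameters sendTEcnProbe passes (reserved 8, CWR|ECE|SYN, window 3, urp 63477, no URG) and runs the quirk check Nmap's documentation describes over parsed headers. Port numbers, sequence number and options are taken from the quoted -ddd line; the checksum is left at zero and the flag-letter order follows that output, both constructed assumptions for illustration.

```python
import struct

# TCP flag bits, using the TH_* names from osscan2.cc
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
# Letter order chosen to match the flag string in the quoted 'nmap -ddd' line ("SUEC")
FLAG_LETTERS = ((TH_SYN, "S"), (TH_ACK, "A"), (TH_RST, "R"), (TH_FIN, "F"),
                (TH_URG, "U"), (TH_PUSH, "P"), (TH_ECE, "E"), (TH_CWR, "C"))

def build_tcp_header(sport, dport, seq, ack, reserved, flags, window, urp, options=b""):
    """Pack a 20-byte TCP header plus options. Checksum is left at 0: this is a
    constructed sample for parsing, not a transmittable segment."""
    assert len(options) % 4 == 0, "options must be padded to 32-bit words"
    data_offset = 5 + len(options) // 4
    off_res_flags = (data_offset << 12) | ((reserved & 0xF) << 8) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_res_flags,
                       window, 0, urp) + options

def parse_tcp_header(raw):
    """Unpack the fixed fields of a TCP segment (IP header already stripped)."""
    sport, dport, seq, ack, orf, window, csum, urp = struct.unpack_from("!HHIIHHHH", raw)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": orf >> 12, "reserved": (orf >> 8) & 0xF,
            "flags": orf & 0xFF, "window": window, "urp": urp}

def flag_string(flags):
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)

def quirks(hdr):
    """Quirk letters as in Nmap's Q test: 'R' = reserved field nonzero,
    'U' = urgent pointer nonzero while the URG flag is clear."""
    q = ""
    if hdr["reserved"]:
        q += "R"
    if hdr["urp"] != 0 and not hdr["flags"] & TH_URG:
        q += "U"
    return q

# Options from the quoted -ddd line: wscale 10, nop, mss 1460, sackOK, nop, nop (12 bytes)
ECN_PROBE_OPTS = bytes.fromhex("03030a01" "020405b4" "04020101")
# The ECN probe as sendTEcnProbe parameterises it: reserved=8, CWR|ECE|SYN, urp=63477 (0xF7F5)
ECN_PROBE = build_tcp_header(39171, 22, 250798708, 0, 8, TH_CWR | TH_ECE | TH_SYN,
                             3, 63477, ECN_PROBE_OPTS)

if __name__ == "__main__":
    h = parse_tcp_header(ECN_PROBE)
    print(flag_string(h["flags"]), "urp=%d" % h["urp"], "quirks=%s" % quirks(h))
```

Running quirks() over the unpatched probe yields "RU"; adding TH_URG as Gisle proposes drops the "U", which is exactly the signal the fingerprint database expects remote stacks to echo back.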
