Nmap Development mailing list archives
Help me Obi-Wan Kenobi. You're my only hope! (Need your help understanding the ACK scan.)
From: Daniel Lowrie <daniellowrie290 () gmail com>
Date: Wed, 29 Jun 2016 21:09:34 -0400
Dear NMAP Dev team, and/or Fyodor,

I have been struggling with understanding the nmap -sA scan for the last week and I could really use your help. According to the documentation, nmap can distinguish stateful firewalls from stateless firewalls by using the -sA or ACK scan, but I'm at a loss as to how one would discern that fact from the nmap output of an ACK scan. I understand that nmap sends ACK flagged packets to the target and the target will respond or not respond based off certain criteria.

1) Target will respond with RST if port is open or closed and unfiltered.
2) Target will NOT respond at all if filter is DROPPING traffic.
3) Target will send ICMP error message if filter is REJECTING traffic.

That being true, then nmap will report any port that responds with RST as *unfiltered* and all the other ports as *filtered*. This looks something like this... (using IPTABLES firewall with stateless rule(s))

$ sudo nmap -sA -T4 192.168.219.135

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 16:35 EDT
Nmap scan report for metasploitable (192.168.219.135)
Host is up (0.00027s latency).
Not shown: 994 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
70/tcp  unfiltered gopher
80/tcp  unfiltered http
113/tcp unfiltered ident
MAC Address: 00:0C:29:B7:F7:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.40 seconds

Based off of that output, how would one discern whether this was stateful or stateless? I've been reading everything I can on the subject, including the nmap book, and none of the examples makes sense to me. This is basically the same output as example 10.2 in the nmap book; in fact it is almost identical! The problem is that the nmap book states that this is the output from nmap that targeted a host running IPTABLES with STATEFUL rules!
If I can get the same output from a stateless firewall as I can from a stateful firewall, then how am I supposed to tell from the nmap ACK scan which firewall I'm encountering? I'm super frustrated and I really appreciate any help sent my way. If you can't answer, I understand, but if you can I would be forever in your debt. Sincerely, Daniel Lowrie
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
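Added example (not part of the post above, and not nmap's or iptables' own code): a small Python model of the three response cases the post lists, run against two constructed firewall rule sets, one that blocks new connections by matching the SYN flag only and one that uses connection tracking. It also goes one step beyond the post by simulating a SYN scan against the same rules, since the ACK result only becomes informative next to it: an unsolicited ACK probe is accepted by a flag-based filter and RST'd by the host (unfiltered), while a conntrack-based filter sees no established connection and drops it (filtered). The target ports, the open/closed split, and the rule syntax are all invented for illustration and only model the matches needed here.

```python
"""Model of how nmap -sA (ACK) and -sS (SYN) probes fare against a stateless
SYN-blocking packet filter versus a stateful connection-tracking firewall.
Constructed example: ports, rule sets and rule syntax are assumptions."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed target: which TCP ports actually have a listener behind them.
OPEN_PORTS = {22, 80}
CLOSED_PORTS = {25, 53, 113, 8080}
ALL_PORTS = sorted(OPEN_PORTS | CLOSED_PORTS)


@dataclass(frozen=True)
class Probe:
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK"}


@dataclass
class Rule:
    """Simplified iptables-style INPUT rule (only these matches are modelled)."""
    action: str                       # "ACCEPT" or "DROP"
    dport: Optional[int] = None       # --dport
    syn_only: bool = False            # --syn  (SYN set, ACK clear)
    established: bool = False         # -m state --state ESTABLISHED


@dataclass
class Firewall:
    rules: list
    policy: str = "DROP"              # chain default policy
    # Connection-tracking table, keyed by port.  A scanner's lone probes never
    # complete a handshake, so it stays empty: no probe is ever ESTABLISHED.
    conntrack: set = field(default_factory=set)

    def verdict(self, p: Probe) -> str:
        for r in self.rules:
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.syn_only and not ("SYN" in p.flags and "ACK" not in p.flags):
                continue
            if r.established and p.dport not in self.conntrack:
                continue
            return r.action
        return self.policy


def host_reply(p: Probe) -> str:
    """What the TCP stack sends once a probe actually reaches it."""
    if "ACK" in p.flags:
        return "RST"                  # unsolicited ACK: RST from open AND closed ports
    return "SYN/ACK" if p.dport in OPEN_PORTS else "RST"


def scan(fw: Firewall, flags: set) -> dict:
    """nmap-style port states for one scan type ({"ACK"} or {"SYN"})."""
    states = {}
    for port in ALL_PORTS:
        p = Probe(port, frozenset(flags))
        if fw.verdict(p) != "ACCEPT":
            states[port] = "filtered"       # probe dropped, no reply at all
        elif "ACK" in flags:
            states[port] = "unfiltered"     # any RST proves the ACK got through
        else:
            states[port] = "open" if host_reply(p) == "SYN/ACK" else "closed"
    return states


def classify_filter(syn_states: dict, ack_states: dict) -> dict:
    """Read -sS and -sA results together, per port.  Filtered to SYN but
    unfiltered to ACK means only connection attempts are blocked (a flag-based,
    stateless filter); filtered to both means the ACK was dropped as well,
    which is what a stateful filter does with a packet outside any connection."""
    out = {}
    for port in ALL_PORTS:
        s, a = syn_states[port], ack_states[port]
        if s == "filtered" and a == "unfiltered":
            out[port] = "stateless SYN filter"
        elif s == "filtered" and a == "filtered":
            out[port] = "dropped regardless of flags (stateful, or port blocked outright)"
        else:
            out[port] = f"reachable ({s})"
    return out


# Stateless: permit new connections to 22 and 80, drop every other SYN,
# and let anything that is not a SYN straight through (default ACCEPT).
STATELESS = Firewall(rules=[
    Rule("ACCEPT", dport=22, syn_only=True),
    Rule("ACCEPT", dport=80, syn_only=True),
    Rule("DROP", syn_only=True),
], policy="ACCEPT")

# Stateful: accept packets of tracked connections, new SYNs to 22 and 80, drop the rest.
STATEFUL = Firewall(rules=[
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", dport=22, syn_only=True),
    Rule("ACCEPT", dport=80, syn_only=True),
], policy="DROP")


if __name__ == "__main__":
    for name, fw in (("stateless", STATELESS), ("stateful", STATEFUL)):
        syn, ack = scan(fw, {"SYN"}), scan(fw, {"ACK"})
        print(f"== {name} ==")
        for port in ALL_PORTS:
            print(f"{port:>5}/tcp  -sS {syn[port]:<9} -sA {ack[port]:<10} -> {classify_filter(syn, ack)[port]}")
```

Run it and the stateless rule set shows every port "unfiltered" to -sA while the stateful one shows every port "filtered"; on their own either output tells you little, which is why the script prints the -sS column beside it. The model ignores ICMP rejects (case 3 in the post) by treating REJECT the same as DROP for classification, since nmap reports both as filtered.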
Current thread:
- Help me Obi-Wan Kenobi. You're my only hope! (Need your help understanding the ACK scan.) Daniel Lowrie (Jul 06)