Penetration Testing mailing list archives

Re: Nmap/netwag problem.

From: Rogan Dawes <discard () dawes za net>
Date: Thu, 11 Aug 2005 08:09:05 +0200

Pete Herzog wrote:

Kaj,

Anyway. a 'full connect' scan (one that performs the complete three-way
handshake will _always_ (?) be the most reliable.
My sugeestion is to perform either a nmap connect scan on the ports from
both results or to manually telnet to the ports and see the response.



I have to disagree with you here.  A full connect scan is not the most
reliable.  There are many security defensive processes now which require
proper protocol queries to provide a response- I see this very often
with web ports.  If you send anything other than a http request, you
will not see a service behind the web port.

Excuse me? Are you suggesting that if I send a Syn to port 80, and don'tget a Syn/Ack back, I should just go ahead and send a "GET / HTTP/1.0",in case there is some kind of application level firewall that will onlypass my original Syn if it sees a valid HTTP request following it?


Sounds like someone is redefining TCP, to me!

I can't imagine any TCP/IP implementation (bar Microsoft, of course!)that would be so braindead, and would actually do anything further ifthe Syn/Ack was never received.

At the very least, once the full TCP connect scan has identified thatthere IS a service running on a particular port, you can then try toidentify the service by prodding it with various protocols, and seeingwhich respond. I certainly agree with your statement that many servicesdo not respond with layer 4 (?) protocol data, if the input is notwell-formed.

But the original statement was with regards to identifying that a (ANY)service is actually listening on a particular port. And I tend to agreethat a full connect scan is more reliable than a Syn scan.


Regards,

Rogan

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

Current thread:

Nmap/netwag problem. Aleph One (Aug 09)
- Re: Nmap/netwag problem. James Riden (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 10)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 10)
  - Re: Nmap/netwag problem. Pete Herzog (Aug 10)
    - Re: Nmap/netwag problem. Bill Weiss (Aug 11)
    - Re: Nmap/netwag problem. Kaj Huisman (Aug 11)
    - Re: Nmap/netwag problem. Rogan Dawes (Aug 11)
    - Re: Nmap/netwag problem. Pete Herzog (Aug 11)
    - Re: Nmap/netwag problem. Irene Abezgauz (Aug 11)
    - Re: Nmap/netwag problem. Daniel Miessler (Aug 12)
    - Re: Nmap/netwag problem. Pete Herzog (Aug 12)
    - RE: Nmap/netwag problem. Omar Herrera (Aug 11)
  - Re: Nmap/netwag problem. Martin Mačok (Aug 11)
- Re: Nmap/netwag problem. Josh Zlatin-Amishav (Aug 10)
- <Possible follow-ups>
- RE: Nmap/netwag problem. Drage, Nick (Aug 10)
- Re: Nmap/netwag problem. eliudgarcia (Aug 10)
  - RE: Nmap/netwag problem. Irene Abezgauz (Aug 11)

(Thread continues...)