Penetration Testing mailing list archives
Re: Nmap/netwag problem.
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 11 Aug 2005 08:09:05 +0200
Pete Herzog wrote:
Kaj,Anyway. a 'full connect' scan (one that performs the complete three-way handshake will _always_ (?) be the most reliable. My sugeestion is to perform either a nmap connect scan on the ports from both results or to manually telnet to the ports and see the response.I have to disagree with you here. A full connect scan is not the most reliable. There are many security defensive processes now which require proper protocol queries to provide a response- I see this very often with web ports. If you send anything other than a http request, you will not see a service behind the web port.
Excuse me? Are you suggesting that if I send a Syn to port 80, and don't get a Syn/Ack back, I should just go ahead and send a "GET / HTTP/1.0", in case there is some kind of application level firewall that will only pass my original Syn if it sees a valid HTTP request following it?
Sounds like someone is redefining TCP, to me!I can't imagine any TCP/IP implementation (bar Microsoft, of course!) that would be so braindead, and would actually do anything further if the Syn/Ack was never received.
At the very least, once the full TCP connect scan has identified that there IS a service running on a particular port, you can then try to identify the service by prodding it with various protocols, and seeing which respond. I certainly agree with your statement that many services do not respond with layer 4 (?) protocol data, if the input is not well-formed.
But the original statement was with regards to identifying that a (ANY) service is actually listening on a particular port. And I tend to agree that a full connect scan is more reliable than a Syn scan.
Regards, Rogan ------------------------------------------------------------------------------ FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at: http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -------------------------------------------------------------------------------
Current thread:
- Nmap/netwag problem. Aleph One (Aug 09)
- Re: Nmap/netwag problem. James Riden (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 10)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 10)
- Re: Nmap/netwag problem. Pete Herzog (Aug 10)
- Re: Nmap/netwag problem. Bill Weiss (Aug 11)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 11)
- Re: Nmap/netwag problem. Rogan Dawes (Aug 11)
- Re: Nmap/netwag problem. Pete Herzog (Aug 11)
- Re: Nmap/netwag problem. Irene Abezgauz (Aug 11)
- Re: Nmap/netwag problem. Daniel Miessler (Aug 12)
- Re: Nmap/netwag problem. Pete Herzog (Aug 12)
- Re: Nmap/netwag problem. Pete Herzog (Aug 10)
- RE: Nmap/netwag problem. Omar Herrera (Aug 11)
- <Possible follow-ups>
- RE: Nmap/netwag problem. Drage, Nick (Aug 10)
- Re: Nmap/netwag problem. eliudgarcia (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 11)