Re: Nmap/netwag problem.

[Kaj Huisman <kaj.huisman () gmail com>]

Paul J Docherty wrote:
> <snip>
> # nmap -P0 -p80,99,113 scanme.nmap.org
>
> As you can see above, Nmap starts by sending a SYN probe back to each
> of the three ports.  Port 113 replies with the RA (RST/ACK) flags and
> thus is listed by Nmap as closed.  Port 80 returns SA (SYN/ACK) and so
> is listed as open.  Port 99 does not reply, so Nmap retransmits after
> 1.1 seconds.  There is still no reply, so Nmap lists the port as
> filtered.
> </snip>


There remains a difference
# nmap -sT -P0 -p80,99,113
syn_to_server
if syn_ack_from_server,ack_to_server, wait, port = open
if syn_rst_from_server, port = closed
else, retry x times
port = filtered
#nmap -sS -P0 -p80,99,113
syn_to_server,
if reply_from_server: syn_rst/aka closed/ do nothing
                      syn_ack/aka open/->to_server_syn_rst
else retry x times
port = filtered

While connecting an error may occur, for this example it occurs at time 
of the server receival of the package with ack.
If i set iptables to reject input packets with the ack bit set, it would 
result in a 'destination port unreachable' icmp error on the receival of 
the ack packet from the client.
Note specifically here that this packet will not get sent upon receival 
of a SYN-RST packet, so the -sS scan never notices.
Im pretty sure -sT either reports the port as closed or as filtered in 
this case. Let us try.
/**/
Example:

(on 192.x.x.a)
# iptables -F
# iptables -P INPUT ACCEPT
# iptables -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT

(on 192.x.x.b)
# nmap -sT 192.168.0.a
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-15 18:10 
CEST
All 1663 scanned ports on 192.x.x.a are: closed
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 1.055 seconds

# nmap -sS 192.x.x.a ( http://www.insecure.org/nmap/ ) at 2005-08-15 
18:10 CEST
Interesting ports on 192.x.x.a:
(The 1661 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 1.304 seconds

# telnet 192.x.x.a 21
Escape char ^H
                // <--nothing happens

This will keep the server in SYN_RECV for a bunch of minutes.

I hope this explains as of why the -sT is the most reliable method of 
verifying if a port is open (aka connect(); == success) or not.


/**/

We have however diverted away from the original question (about a box 
with port 80 and 1723 either open or filtered and ways to narrow down 
your results). I suggest we end this thread.

G'Day
Kaj


------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------