Penetration Testing mailing list archives
Re: Nmap/netwag problem.
From: Kaj Huisman <kaj.huisman () gmail com>
Date: Mon, 15 Aug 2005 19:12:06 +0200
Paul J Docherty wrote:
<snip> # nmap -P0 -p80,99,113 scanme.nmap.org As you can see above, Nmap starts by sending a SYN probe back to each of the three ports. Port 113 replies with the RA (RST/ACK) flags and thus is listed by Nmap as closed. Port 80 returns SA (SYN/ACK) and so is listed as open. Port 99 does not reply, so Nmap retransmits after 1.1 seconds. There is still no reply, so Nmap lists the port as filtered. </snip>
There remains a difference # nmap -sT -P0 -p80,99,113 syn_to_server if syn_ack_from_server,ack_to_server, wait, port = open if syn_rst_from_server, port = closed else, retry x times port = filtered #nmap -sS -P0 -p80,99,113 syn_to_server, if reply_from_server: syn_rst/aka closed/ do nothing syn_ack/aka open/->to_server_syn_rst else retry x times port = filteredWhile connecting an error may occur, for this example it occurs at time of the server receival of the package with ack. If i set iptables to reject input packets with the ack bit set, it would result in a 'destination port unreachable' icmp error on the receival of the ack packet from the client. Note specifically here that this packet will not get sent upon receival of a SYN-RST packet, so the -sS scan never notices. Im pretty sure -sT either reports the port as closed or as filtered in this case. Let us try.
/**/ Example: (on 192.x.x.a) # iptables -F # iptables -P INPUT ACCEPT # iptables -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT (on 192.x.x.b) # nmap -sT 192.168.0.aStarting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-15 18:10 CEST
All 1663 scanned ports on 192.x.x.a are: closed MAC Address: xx:xx:xx:xx:xx:xx (Unknown) Nmap finished: 1 IP address (1 host up) scanned in 1.055 seconds# nmap -sS 192.x.x.a ( http://www.insecure.org/nmap/ ) at 2005-08-15 18:10 CEST
Interesting ports on 192.x.x.a: (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh MAC Address: xx:xx:xx:xx:xx:xx (Unknown) Nmap finished: 1 IP address (1 host up) scanned in 1.304 seconds # telnet 192.x.x.a 21 Escape char ^H // <--nothing happens This will keep the server in SYN_RECV for a bunch of minutes.I hope this explains as of why the -sT is the most reliable method of verifying if a port is open (aka connect(); == success) or not.
/**/We have however diverted away from the original question (about a box with port 80 and 1723 either open or filtered and ways to narrow down your results). I suggest we end this thread.
G'Day Kaj ------------------------------------------------------------------------------ FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at: http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -------------------------------------------------------------------------------
Current thread:
- RE: Nmap/netwag problem., (continued)
- RE: Nmap/netwag problem. Drage, Nick (Aug 10)
- Re: Nmap/netwag problem. eliudgarcia (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 11)
- RE: Nmap/netwag problem. laurent . constantin (Aug 11)
- RE: Nmap/netwag problem. Paul J Docherty (Aug 11)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 12)
- Re: Nmap/netwag problem. Fyodor (Aug 12)
- RE: Nmap/netwag problem. ankush.kapoor (Aug 12)
- Re: Nmap/netwag problem. ilaiy (Aug 12)
- RE: Nmap/netwag problem. Paul J Docherty (Aug 15)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 15)