RE: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
From: Jeff Gercken (JeffG_at_kizan.com)
Date: 01/10/05
Date: Mon, 10 Jan 2005 14:55:59 -0500
To: "S C" <contrera@eig.unige.ch>, <focus-linux@securityfocus.com>
Which version of Nmap? What OS is it running on? Is it a virtual
machine?
With nmap 3.55 on Gentoo 2004.3 w/ kernel 2.4.25 I get:
nmap -sT -P0 -p135-136 spork
135/tcp open msrpc
136/tcp closed profile
nmap -sS -P0 -p135-136 spork
135/tcp open msrpc
136/tcp closed profile
-Jeff
-----Original Message-----
From: S C [mailto:contrera@eig.unige.ch]
Sent: Friday, January 07, 2005 11:40 AM
To: focus-linux@securityfocus.com
Subject: NMAP : Different interpretation of "filtered" ports depending
on -sS or -sT options. Bug ?
Hi
When scanning machine B (IP=192.168.254.10, no firewall on this machine
and no application listening on port 136) with NMAP (NMAP on machine A),
NMAP gives me two different outputs depending on the options (-sS or
-sT).
1/ When the command line is: nmap.exe -sS -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp closed profile
I made a dump of the packets generated by NMAP with Ethereal:
No  Source          Destination     Protocol  Info
1   192.168.254.2   192.168.254.10  TCP       3501 > 135 [SYN]
2   192.168.254.10  192.168.254.2   TCP       135 > 3501 [SYN, ACK]
3   192.168.254.2   192.168.254.10  TCP       3501 > 135 [RST]
4   192.168.254.2   192.168.254.10  TCP       3501 > 136 [SYN]
5   192.168.254.10  192.168.254.2   TCP       136 > 3501 [RST, ACK]
2/ When the command line is: nmap.exe -sT -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp filtered profile
I made a dump of the packets generated by NMAP with Ethereal:
No  Source          Destination     Protocol  Info
1   192.168.254.2   192.168.254.10  TCP       4101 > 136 [SYN]
2   192.168.254.10  192.168.254.2   TCP       136 > 4101 [RST, ACK]
3   192.168.254.2   192.168.254.10  TCP       4102 > 135 [SYN]
4   192.168.254.10  192.168.254.2   TCP       135 > 4102 [SYN, ACK]
5   192.168.254.2   192.168.254.10  TCP       4102 > 135 [ACK]
6   192.168.254.2   192.168.254.10  TCP       4102 > 135 [RST, ACK]
7   192.168.254.2   192.168.254.10  TCP       4103 > 136 [SYN]
8   192.168.254.10  192.168.254.2   TCP       136 > 4103 [RST, ACK]
If we look at the packets corresponding to port 136, the packet sequence is
always (regardless of whether I use the -sS or -sT option):
A > B [SYN]
B < A [RST, ACK]
So my question is :
Why does NMAP say that port 136 is closed in case 1/ and filtered in case 2/,
when the packets generated are the same?
Is this a bug? Or am I forgetting something?
Thanks for your responses.
SC