RE: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

From: Jeff Gercken (JeffG_at_kizan.com)
Date: 01/10/05

    Date: Mon, 10 Jan 2005 14:55:59 -0500
    To: "S C" <contrera@eig.unige.ch>, <focus-linux@securityfocus.com>
    
    

    Which version of Nmap? What OS is it running on? Is it a virtual
    machine?

    With nmap 3.55 on Gentoo 2004.3 w/ kernel 2.4.25 I get:

    nmap -sT -P0 -p135-136 spork
    135/tcp open msrpc
    136/tcp closed profile

    nmap -sS -P0 -p135-136 spork
    135/tcp open msrpc
    136/tcp closed profile

    -Jeff

    -----Original Message-----
    From: S C [mailto:contrera@eig.unige.ch]
    Sent: Friday, January 07, 2005 11:40 AM
    To: focus-linux@securityfocus.com
    Subject: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

    Hi

     

    When scanning machine B (IP=192.168.254.10, no firewall on this machine
    and no application listening on port 136) with NMAP (NMAP on machine A),
    NMAP gives me two different outputs depending on the options (-sS or
    -sT).

    1/ When the command line is: nmap.exe -sS -p 135-136 -P0 192.168.254.10

     

    The output is:

    Port     State   Service
    135/tcp  open    msrpc
    136/tcp  closed  profile

    I made a dump of the packets generated by NMAP with Ethereal:

    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       3501 > 135 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       135 > 3501 [SYN, ACK]
    3   192.168.254.2   192.168.254.10  TCP       3501 > 135 [RST]
    4   192.168.254.2   192.168.254.10  TCP       3501 > 136 [SYN]
    5   192.168.254.10  192.168.254.2   TCP       136 > 3501 [RST, ACK]

     

    2/ When the command line is: nmap.exe -sT -p 135-136 -P0 192.168.254.10

    The output is:

    Port     State     Service
    135/tcp  open      msrpc
    136/tcp  filtered  profile

    I made a dump of the packets generated by NMAP with Ethereal:

    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       4101 > 136 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       136 > 4101 [RST, ACK]
    3   192.168.254.2   192.168.254.10  TCP       4102 > 135 [SYN]
    4   192.168.254.10  192.168.254.2   TCP       135 > 4102 [SYN, ACK]
    5   192.168.254.2   192.168.254.10  TCP       4102 > 135 [ACK]
    6   192.168.254.2   192.168.254.10  TCP       4102 > 135 [RST, ACK]
    7   192.168.254.2   192.168.254.10  TCP       4103 > 136 [SYN]
    8   192.168.254.10  192.168.254.2   TCP       136 > 4103 [RST, ACK]

     

    If we look at the packets corresponding to port 136, the packet sequence is
    always the same (whether I use the -sS or the -sT option):

     A > B [SYN]
     B < A [RST, ACK]

    So my question is:

    Why does NMAP say that port 136 is closed in case 1/ and filtered in case 2/,
    whereas the packets generated are the same?

    Is this a bug? Or am I forgetting something?

    Thanks for your responses.

    SC
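Added example (not code from the thread, from Jeff, from S C, or from Nmap itself): a small Python classifier that applies the state rules Nmap documents for a SYN scan (SYN/ACK means open, RST means closed, no TCP reply means filtered) to the two Ethereal captures quoted above. It also carries a deliberately simplified errno-to-state table to illustrate what a connect() scan has to work from: with -sT, Nmap never inspects the RST itself, it only sees the result of the kernel's connect() call, so the packet trace alone cannot tell you why -sT reported "filtered". The packet lines are transcribed from the post; the errno table and the tie-breaking order in syn_scan_state are assumptions made here for illustration.

```python
import errno
import re
from dataclasses import dataclass

# One TCP packet taken from an Ethereal/Wireshark summary line.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset

# Matches the summary lines quoted in the thread, e.g.
# "2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]"
LINE_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s*>\s*(\d+)\s+\[([^\]]+)\]\s*$"
)

def parse_dump(text: str) -> list[Packet]:
    """Parse a capture summary into Packet records; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        packets.append(Packet(src, dst, int(sport), int(dport),
                              frozenset(f.strip() for f in flags.split(","))))
    return packets

def syn_scan_state(packets, scanner, target, port):
    """Packet-level rules of a SYN scan: SYN/ACK -> open, RST -> closed,
    no TCP reply -> filtered (an ICMP unreachable would also be filtered,
    but none appears in the captures from the thread)."""
    probes = [p for p in packets
              if p.src == scanner and p.dst == target and p.dport == port
              and "SYN" in p.flags and "ACK" not in p.flags]
    if not probes:
        raise ValueError(f"no SYN probe to port {port} in capture")
    verdicts = set()
    for probe in probes:
        replies = [r for r in packets
                   if r.src == target and r.dst == scanner
                   and r.sport == port and r.dport == probe.sport]
        if any({"SYN", "ACK"} <= r.flags for r in replies):
            verdicts.add("open")
        elif any("RST" in r.flags for r in replies):
            verdicts.add("closed")
        else:
            verdicts.add("filtered")
    # ASSUMPTION: when repeated probes disagree, prefer the stronger evidence.
    for state in ("open", "closed", "filtered"):
        if state in verdicts:
            return state

# ASSUMPTION: a simplified view of what a connect() scan has to work from.
# -sT does not see the RST; it sees the errno the kernel returns from connect().
CONNECT_ERRNO_STATE = {
    0: "open",                      # connect() succeeded
    errno.ECONNREFUSED: "closed",   # the kernel received a RST
    errno.ETIMEDOUT: "filtered",    # no answer before the timeout
    errno.EHOSTUNREACH: "filtered",
    errno.ENETUNREACH: "filtered",
}

def connect_scan_state(err: int) -> str:
    """Map a connect() result to a port state; unknown errors count as filtered."""
    return CONNECT_ERRNO_STATE.get(err, "filtered")

# Transcribed from the two Ethereal dumps in the post
# (scanner A = 192.168.254.2, target B = 192.168.254.10).
SYN_SCAN_DUMP = """
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
"""
CONNECT_SCAN_DUMP = """
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
"""

def states_from_captures():
    """Apply the packet-level rules to both captures; port 136 is 'closed' in each."""
    a, b = "192.168.254.2", "192.168.254.10"
    out = {}
    for name, dump in (("sS", SYN_SCAN_DUMP), ("sT", CONNECT_SCAN_DUMP)):
        pkts = parse_dump(dump)
        out[name] = {port: syn_scan_state(pkts, a, b, port) for port in (135, 136)}
    return out

if __name__ == "__main__":
    for scan, states in states_from_captures().items():
        print(scan, states)
```

Run as a script, it reports port 135 open and port 136 closed for both captures, which is the point of the question: judged by the wire traffic alone, the two scans see the same RST/ACK for port 136, so a "filtered" verdict from -sT has to come from something the socket layer reported to Nmap rather than from the packets.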

     

      

