Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
From: SandroMelo-CSO (sandro_at_4linux.com.br)
Date: 01/11/05
- In reply to: Jeff Gercken: "RE: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?"
Date: Tue, 11 Jan 2005 17:09:46 -0200 To: Jeff Gercken <JeffG@kizan.com>
Jeff Gercken
For port scanning with the TCP/SYN technique,
nmap sends one packet with the SYN flag; if it receives SYN/ACK the port is open, else if
it receives RST the port is closed.
nmap -sS -P0 -n -p<port or range port> <host target>
nmap sends one packet with the SYN flag; if it receives SYN/ACK the port is open, and it
sends one ACK followed by one RST/ACK; if it receives RST the port is closed.
nmap -sT -P0 -n -p<port or range port> <host target>
Look at the format of the commands:
TCP SYN
# nmap -sS -P0 -n -p135-137 --packet_trace <ip target>
TCP Vanilla Connect
# nmap -sT -P0 -n -p135-137 --packet_trace <ip target>
Bye
Sandro Melo
>Which version of Nmap? What OS is it running on? Is it a virtual
>machine?
>
>With nmap 3.55 on Gentoo 2004.3 w/ kernel 2.4.25 I get:
>
>nmap -sT -P0 -p135-136 spork
>135/tcp open msrpc
>136/tcp closed profile
>
>nmap -sS -P0 -p135-136 spork
>135/tcp open msrpc
>136/tcp closed profile
>
>-Jeff
>
>-----Original Message-----
>From: S C [mailto:contrera@eig.unige.ch]
>Sent: Friday, January 07, 2005 11:40 AM
>To: focus-linux@securityfocus.com
>Subject: NMAP : Different interpretation of "filtered" ports depending
>on -sS or -sT options. Bug ?
>
>
>
>Hi
>
>
>
>When scanning machine B (IP=192.168.254.10, no firewall on this machine
>and no application listening on port 136) with NMAP (NMAP on machine A),
>NMAP gives me two different outputs depending on the options (-sS or
>-sT).
>
>
>
>
>
>1/ When the command line is : nmap.exe -sS -p 135-136 -P0 192.168.254.10
>
>
>
>The output is :
>
>Port State Service
>
>135/tcp open msrpc
>
>136/tcp closed profile
>
>
>
>I made a dump of packet generated by NMAP with Ethereal
>
>No  Source         Destination     Protocol  Info
>1   192.168.254.2  192.168.254.10  TCP       3501 > 135 [SYN]
>2   192.168.254.10 192.168.254.2  TCP       135 > 3501 [SYN, ACK]
>3   192.168.254.2  192.168.254.10  TCP       3501 > 135 [RST]
>4   192.168.254.2  192.168.254.10  TCP       3501 > 136 [SYN]
>5   192.168.254.10 192.168.254.2  TCP       136 > 3501 [RST, ACK]
>
>
>
>
>
>2/ When the command line is : nmap.exe -sT -p 135-136 -P0 192.168.254.10
>
>
>
>The output is :
>
>Port State Service
>
>135/tcp open msrpc
>
>136/tcp filtered profile
>
>
>
>I made a dump of packet generated by NMAP with Ethereal
>
>No  Source         Destination     Protocol  Info
>1   192.168.254.2  192.168.254.10  TCP       4101 > 136 [SYN]
>2   192.168.254.10 192.168.254.2  TCP       136 > 4101 [RST, ACK]
>3   192.168.254.2  192.168.254.10  TCP       4102 > 135 [SYN]
>4   192.168.254.10 192.168.254.2  TCP       135 > 4102 [SYN, ACK]
>5   192.168.254.2  192.168.254.10  TCP       4102 > 135 [ACK]
>6   192.168.254.2  192.168.254.10  TCP       4102 > 135 [RST, ACK]
>7   192.168.254.2  192.168.254.10  TCP       4103 > 136 [SYN]
>8   192.168.254.10 192.168.254.2  TCP       136 > 4103 [RST, ACK]
>
>
>
>If we look at the packets corresponding to port 136, the packet sequence is
>always (independently of whether I use the -sS or -sT option) :
>
> A > B [SYN]
>
> B < A [RST, ACK]
>
>
>
>So my question is :
>
>Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/
>whereas the packets generated are the same ?
>
>Is this a bug ? or did I forget something ?
>
>
>
>Thanks for your responses..
>
>
>
>SC
>
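An added example, not part of the original messages: a small Python classifier run over the two Ethereal dumps quoted above, showing which flag sequences let a capture tell a half-open (-sS) probe from a full connect (-sT) probe, and that the SYN then RST/ACK exchange on port 136 is the same in both. The function name, the tuple layout and the "filtered" branch for an unanswered SYN are assumptions of this example; that branch goes beyond the dumps and follows Nmap's documented meaning of "filtered" (no reply received).

```python
from collections import defaultdict

SCANNER, TARGET = "192.168.254.2", "192.168.254.10"

# (src, sport, dst, dport, flags) rows transcribed from the dumps quoted in the thread
SYN_SCAN_TRACE = [
    (SCANNER, 3501, TARGET, 135, "SYN"),
    (TARGET, 135, SCANNER, 3501, "SYN,ACK"),
    (SCANNER, 3501, TARGET, 135, "RST"),
    (SCANNER, 3501, TARGET, 136, "SYN"),
    (TARGET, 136, SCANNER, 3501, "RST,ACK"),
]
CONNECT_TRACE = [
    (SCANNER, 4101, TARGET, 136, "SYN"),
    (TARGET, 136, SCANNER, 4101, "RST,ACK"),
    (SCANNER, 4102, TARGET, 135, "SYN"),
    (TARGET, 135, SCANNER, 4102, "SYN,ACK"),
    (SCANNER, 4102, TARGET, 135, "ACK"),
    (SCANNER, 4102, TARGET, 135, "RST,ACK"),
    (SCANNER, 4103, TARGET, 136, "SYN"),
    (TARGET, 136, SCANNER, 4103, "RST,ACK"),
]

def classify(trace, scanner=SCANNER):
    """Return {target_port: (state, probe_style)} from the flags seen on the wire."""
    flows = defaultdict(lambda: {"out": [], "in": []})
    for src, sport, dst, dport, flags in trace:
        fl = frozenset(flags.split(","))
        if src == scanner:
            flows[(sport, dport)]["out"].append(fl)
        else:
            flows[(dport, sport)]["in"].append(fl)
    result = {}
    for (_, port), f in flows.items():
        replies = f["in"]
        if any({"SYN", "ACK"} <= r for r in replies):
            # Open port: the scanner's next packet reveals the scan type
            # (bare ACK completes the handshake, bare RST aborts it).
            full = any(o == {"ACK"} for o in f["out"])
            result[port] = ("open", "connect" if full else "half-open")
        elif any("RST" in r for r in replies):
            # Closed port: SYN answered by RST looks identical for -sS and -sT.
            result[port] = ("closed", "indistinguishable")
        else:
            # Assumption: an unanswered SYN is what Nmap calls "filtered".
            result.setdefault(port, ("filtered", "no-reply"))
    return result
```
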