Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

From: SandroMelo-CSO (sandro_at_4linux.com.br)
Date: 01/11/05

  • Next message: Tales Teixeira: "Encrypted Filesystems"
    Date: Tue, 11 Jan 2005 17:09:46 -0200
    To: Jeff Gercken <JeffG@kizan.com>
    
    

    Jeff Gercken

    For port scanning with the TCP SYN technique:

    nmap sends one packet with the SYN flag; if it receives SYN/ACK the port
    is open, else if it receives RST it is closed.

    nmap -sS -P0 -n -p<port or range port> <host target>

    nmap sends one packet with the SYN flag; if it receives SYN/ACK the port
    is open, and it sends one ACK followed by one RST/ACK; if it receives RST
    the port is closed.

    nmap -sT -P0 -n -p<port or range port> <host target>

    Look at the format of the command:

    TCP SYN

    # nmap -sS -P0 -n -p135-137 --packet_trace <ip target>

    TCP Vanilla Connect

    # nmap -sT -P0 -n -p135-137 --packet_trace <ip target>

    Bye

    Sandro Melo

    >Which version of Nmap? What OS is it running on? Is it a virtual
    >machine?
    >
    >With nmap 3.55 on Gentoo 2004.3 w/ kernel 2.4.25 I get:
    >
    >nmap -sT -P0 -p135-136 spork
    >135/tcp open msrpc
    >136/tcp closed profile
    >
    >nmap -sS -P0 -p135-136 spork
    >135/tcp open msrpc
    >136/tcp closed profile
    >
    >-Jeff
    >
    >-----Original Message-----
    >From: S C [mailto:contrera@eig.unige.ch]
    >Sent: Friday, January 07, 2005 11:40 AM
    >To: focus-linux@securityfocus.com
    >Subject: NMAP : Different interpretation of "filtered" ports depending
    >on -sS or -sT options. Bug ?
    >
    >
    >
    >Hi
    >
    >
    >
    >When scanning machine B (IP=192.168.254.10, no firewall on this machine
    >and no application listening on port 136) with NMAP (NMAP on machine A),
    >NMAP gives me two different outputs depending on the options (-sS or
    >-sT).
    >
    >
    >
    >
    >
    >1/ When the command line is : nmap.exe -sS -p 135-136 -P0
    >192.168.254.10
    >
    >
    >
    >The output is :
    >
    >Port State Service
    >
    >135/tcp open msrpc
    >
    >136/tcp closed profile
    >
    >
    >
    >I made a dump of the packets generated by NMAP with Ethereal
    >
    >No  Source          Destination     Protocol  Info
    >1   192.168.254.2   192.168.254.10  TCP       3501 > 135 [SYN]
    >2   192.168.254.10  192.168.254.2   TCP       135 > 3501 [SYN, ACK]
    >3   192.168.254.2   192.168.254.10  TCP       3501 > 135 [RST]
    >4   192.168.254.2   192.168.254.10  TCP       3501 > 136 [SYN]
    >5   192.168.254.10  192.168.254.2   TCP       136 > 3501 [RST, ACK]
    >
    >
    >
    >
    >
    >2/ When the command line is : nmap.exe -sT -p 135-136 -P0
    >192.168.254.10
    >
    >
    >
    >The output is :
    >
    >Port State Service
    >
    >135/tcp open msrpc
    >
    >136/tcp filtered profile
    >
    >
    >
    >I made a dump of the packets generated by NMAP with Ethereal
    >
    >No  Source          Destination     Protocol  Info
    >1   192.168.254.2   192.168.254.10  TCP       4101 > 136 [SYN]
    >2   192.168.254.10  192.168.254.2   TCP       136 > 4101 [RST, ACK]
    >3   192.168.254.2   192.168.254.10  TCP       4102 > 135 [SYN]
    >4   192.168.254.10  192.168.254.2   TCP       135 > 4102 [SYN, ACK]
    >5   192.168.254.2   192.168.254.10  TCP       4102 > 135 [ACK]
    >6   192.168.254.2   192.168.254.10  TCP       4102 > 135 [RST, ACK]
    >7   192.168.254.2   192.168.254.10  TCP       4103 > 136 [SYN]
    >8   192.168.254.10  192.168.254.2   TCP       136 > 4103 [RST, ACK]
    >
    >
    >
    >If we look at the packets corresponding to port 136, the packet sequence is
    >always (independently of whether I use the -sS or -sT option) :
    >
    > A > B [SYN]
    >
    > B < A [RST, ACK]
    >
    >
    >
    >So my question is :
    >
    >Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/
    >whereas the packets generated are the same ?
    >
    >Is this a bug ? Or did I forget something ?
    >
    >
    >
    >Thanks for your responses..
    >
    >
    >
    >SC
    >
    >
    >
    >
    >
    >
    >
    >

