Help understanding a trace of an nmap scan
From: Richard Moore (rich_at_westpoint.ltd.uk)
Date: 09/06/04
- Previous message: Kurt Seifried: "Re: [Dailydave] RE: Network Exploitation Tools aka Exploitation Engines"
- Next in thread: Martin Wasson: "Re: Help understanding a trace of an nmap scan"
- Maybe reply: Martin Wasson: "Re: Help understanding a trace of an nmap scan"
- Reply: Omar Herrera: "RE: Help understanding a trace of an nmap scan"
- Reply: Jose Maria Lopez: "Re: Help understanding a trace of an nmap scan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 06 Sep 2004 15:11:07 +0100 To: pen-test@securityfocus.com
I wonder if anyone can help me make sense of this packet trace. It shows
nmap running a connect scan against port 13 of a host. The part I don't
understand is why there are 3 RST packets sent to the target machine?
If it helps anyone the target host is a Debian box running 2.4.26 Linux
kernel and the source machine was a RedHat box running 2.4.7-10. The
version of nmap used is 3.48.
Cheers
Rich.
-- Richard Moore, Principle Software Engineer, Westpoint Ltd, Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England Tel: +44 161 237 1028 Fax: +44 161 237 1031
14:16:23.098150 host.name.deleted > other.host.name: icmp: echo request
14:16:23.108150 host.name.deleted.45639 > other.host.name.http: . ack 901588830 win 1024
14:16:23.108150 other.host.name > host.name.deleted: icmp: echo reply
14:16:23.108150 other.host.name.http > host.name.deleted.45639: R 901588830:901588830(0) win 0 (DF)
14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S 2950063922:2950063922(0) win 5840 <mss 1460,sackOK,timestamp 51097216 0,nop,wscale 0> (DF)
14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S 1866105343:1866105343(0) ack 2950063923 win 5792 <mss 1460,sackOK,timestamp 138541011 51097216,nop,wscale 0> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
Interesting ports on other.host.name (194.153.168.235):
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P 1:27(26) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: F 27:27(0) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
- Previous message: Kurt Seifried: "Re: [Dailydave] RE: Network Exploitation Tools aka Exploitation Engines"
- Next in thread: Martin Wasson: "Re: Help understanding a trace of an nmap scan"
- Maybe reply: Martin Wasson: "Re: Help understanding a trace of an nmap scan"
- Reply: Omar Herrera: "RE: Help understanding a trace of an nmap scan"
- Reply: Jose Maria Lopez: "Re: Help understanding a trace of an nmap scan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
