NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

From: S C (contrera_at_eig.unige.ch)
Date: 01/07/05

  • Next message: Ivan Coric: "Re: Wireless Security Testing Guidelines"
    Date: 7 Jan 2005 09:39:43 -0000
    To: security-basics@securityfocus.com

    Hi
     
    When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the options (-sS or -sT).
     

    1/ When the command line is: nmap.exe -sS -p 135-136 -P0 192.168.254.10
     
    The output is:
    Port     State   Service
    135/tcp  open    msrpc
    136/tcp  closed  profile
     
    I made a dump of the packets generated by NMAP with Ethereal:
    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       3501 > 135 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       135 > 3501 [SYN, ACK]
    3   192.168.254.2   192.168.254.10  TCP       3501 > 135 [RST]
    4   192.168.254.2   192.168.254.10  TCP       3501 > 136 [SYN]
    5   192.168.254.10  192.168.254.2   TCP       136 > 3501 [RST, ACK]
     

    2/ When the command line is: nmap.exe -sT -p 135-136 -P0 192.168.254.10
     
    The output is:
    Port     State     Service
    135/tcp  open      msrpc
    136/tcp  filtered  profile
     
    I made a dump of the packets generated by NMAP with Ethereal:
    No  Source          Destination     Protocol  Info
    1   192.168.254.2   192.168.254.10  TCP       4101 > 136 [SYN]
    2   192.168.254.10  192.168.254.2   TCP       136 > 4101 [RST, ACK]
    3   192.168.254.2   192.168.254.10  TCP       4102 > 135 [SYN]
    4   192.168.254.10  192.168.254.2   TCP       135 > 4102 [SYN, ACK]
    5   192.168.254.2   192.168.254.10  TCP       4102 > 135 [ACK]
    6   192.168.254.2   192.168.254.10  TCP       4102 > 135 [RST, ACK]
    7   192.168.254.2   192.168.254.10  TCP       4103 > 136 [SYN]
    8   192.168.254.10  192.168.254.2   TCP       136 > 4103 [RST, ACK]
     
    If we look at the packets corresponding to port 136, the packet sequence is always the same (whether I use the -sS or the -sT option):
     A > B [SYN]
     B < A [RST, ACK]
     
    So my question is:
    Why does NMAP say that port 136 is closed in case 1/ and filtered in case 2/, whereas the packets generated are the same?
    Is this a bug? Or am I forgetting something?
     
    Thanks for your responses.
     
    SC
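As an added illustration (not code from the post and not Nmap's own code), the Python below reproduces the two inference paths the question contrasts: `wire_states` classifies ports from the captured packets alone, which is all a SYN scan has to go on, and yields "135 open, 136 closed" from both dumps quoted above; `connect_scan_state` shows why a connect scan differs in kind, since it never sees the RST itself but only the errno the operating system's socket layer hands back. The errno mapping is a simplified model assumed here, not Nmap's source, and the two dump strings are constructed copies of the Ethereal lines in the post.

```python
import errno
import re

# Constructed copies of the Ethereal summary lines quoted in the post.
SYN_SCAN_DUMP = """\
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]"""
CONNECT_SCAN_DUMP = """\
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]"""

LINE_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[([^\]]*)\]$")

def wire_states(dump, scanner, target):
    """SYN-scan logic: SYN/ACK from target -> open, RST -> closed, no reply -> filtered."""
    states = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        flags = {f.strip() for f in flags.split(",")}
        if src == scanner and dst == target and flags == {"SYN"}:
            states.setdefault(int(dport), "filtered")  # probe sent, nothing heard yet
        elif src == target and dst == scanner:
            if {"SYN", "ACK"} <= flags:
                states[int(sport)] = "open"
            elif "RST" in flags:
                states[int(sport)] = "closed"
    return states

def connect_scan_state(err):
    """Simplified (assumed) model of how a connect scan turns connect() errno into a state."""
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:  # the OS reports the target's RST as this errno
        return "closed"
    if err in (errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"
    return "unknown"  # any other errno: the model cannot decide from the socket error alone
```

Running `wire_states` over both dumps shows that the packet evidence alone classifies port 136 as closed in each case; the connect scan's different verdict can only come from what the socket layer reported rather than from the packets themselves.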
     