NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
From: S C (contrera_at_eig.unige.ch)
Date: 01/07/05
Date: 7 Jan 2005 09:39:43 -0000
To: security-basics@securityfocus.com
Hi
When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the option (-sS or -sT).
1/ When the command line is : nmap.exe -sS -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp closed profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
2/ When the command line is : nmap.exe -sT -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp filtered profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
If we look at the packets corresponding to port 136, the packet sequence is always (regardless of whether I use the -sS or -sT option):
A > B [SYN]
B < A [RST, ACK]
So my question is :
Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/, whereas the packets generated are the same?
Is this a bug? Or am I forgetting something?
Thanks for your responses.
SC
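
Added example, not part of the original post: a small Python parser that applies the conventional packet-level reading of a SYN probe (SYN/ACK means open, RST means closed, no reply means filtered) to the two Ethereal dumps above and counts the SYN probes sent to each port. The names `classify`, `SYN_SCAN`, `CONNECT_SCAN` and the regular expression are assumptions made for this example.

```python
import re
from collections import defaultdict

# Packet summaries copied from the two Ethereal dumps quoted in the post.
SYN_SCAN = """\
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
"""
CONNECT_SCAN = """\
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
"""

# No, source, destination, "TCP", sport > dport, [flags]
LINE = re.compile(r"^\d+\s+(\S+)\s+\S+\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[([^\]]*)\]$")

def classify(dump, scanner="192.168.254.2"):
    """Return {target_port: (state, syn_probe_count)} judged from the wire only."""
    probes = defaultdict(int)   # bare SYNs the scanner sent to each target port
    replies = defaultdict(set)  # flag sets the target sent back from each port
    for line in dump.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP summary line
        src, sport, dport, flags = m.groups()
        flagset = frozenset(f.strip() for f in flags.split(","))
        if src == scanner:
            if flagset == {"SYN"}:
                probes[int(dport)] += 1
        else:
            replies[int(sport)].add(flagset)
    result = {}
    for port, count in probes.items():
        seen = replies.get(port, set())
        if any({"SYN", "ACK"} <= f for f in seen):
            state = "open"
        elif any("RST" in f for f in seen):
            state = "closed"
        else:
            state = "filtered"  # probe sent, nothing came back
        result[port] = (state, count)
    return result
```

For both dumps port 136 comes out as closed on the wire; the only difference the parser finds is that the -sT dump contains two SYN probes to port 136 where the -sS dump contains one.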