Re: nmap inconsistent results - via intermedite router?



On 27 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1141091632.524233.281110@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, ads wrote:

Thanks for persisting.

Actually, it's not that hard

SSH-ing into the remote machine (on the internet), I setup
this...(where source=home machine's internet ip, and dest=remote
machine's ip)

01:46:55.095342 IP source.2226 > dest.5190: S 4260908126:4260908126(0)
win 5808 <mss 1452,sackOK,timestamp 17554350 0,nop,wscale 0>

"Hello, I'd like to talk"

01:46:55.095396 IP dest.5190 > source.2226: R 0:0(0) ack 4260908127 win
0

"<Hello???> Go away Kid, ya bother me"

In the first packet, the 'S' flag is the SYN of the contact initiation.
The rest of the stuff is not important, because of packet two. In that
packet, the "R" flag is the connection RST flag (nobody home) and the
"win" on the end shuts the window to zero size "don't send any more
packets". This is not open. Some people call the combination of the
"R" flag and "win 0" the "FOAD" packet, and that's pretty close to the
explicit meaning. In the second packet, "remote" kernel looked around,
and found there was no application interested in receiving the packet.
The kernel (actually the networking stack code) then responds with this
message telling the connecting system that there is nothing to connect
to, and further conversation is impossible.

On my local machine (behind the netgear router) I did this...
mirror:~# telnet dest 5190
Trying dest...

"Connect to that host on that port? Yeah, I can try that. Hang on..."

Connected to dest.
Escape character is '^]'.

"OK, I figured out how - let's see what they have to say"

Connection closed by foreign host.

"The other end hung up the phone."

I guess this is good - but not sure about the result. I do not have a
firewall on the remote machine.

That's correct - no firewall, but also no server listening. The result is
the same - no connection = nothing to exploit.

OK, let's repeat this, but run tcpdump on the "local" machine. Look at
the source of the second packet - is it the remote? If so, then whatever
it was that said that this port is open is lying (or at least confusseled).

Old guy
.



Relevant Pages

  • Re: syncache_timer: errors; What do they mean?
    ... the very first packet sent to establish a TCP connection is known ... as the 'SYN' packet -- that's because it has the Syn bit set in the ... back to the remote machine (Yes: you guessed it: this has both the Syn ...
    (freebsd-questions)
  • Re: User Disconnect Issues
    ... Maximum Time to Wait For Remote Response ... Maximum Retransmissions per Packet ... initial connection setup SYN/SYN-ACK/ACK. ... the "Maximum Time to Wait For Remote Response" of 180 seconds. ...
    (comp.sys.hp.mpe)
  • Retransmitted packets ignored?
    ... monitoring appliaction I have (basically, it just checks if remote IMAP ... FIN flag on this packet, ...
    (Linux-Kernel)
  • [TOOL] RING, An Opensource OS Fingerprinting Tool
    ... RING is a new remote operating system fingerprinting tool based on ... Carefully studying the way TCP works, ... based on temporal response analysis. ... SYN packet to an open port on a remote system, ...
    (Securiteam)
  • Re: Can I run an Internet web server from a Win2K computer?
    ... internet and then back in on your static IP address. ... but the remote IP is usable only remotely. ... So if the packet sets off from your PC it either a) goes straight to the destination machine, or b) goes to the default gateway if the address is NOT a local one. ...
    (microsoft.public.win2000.general)