Home page logo

Nmap Announce mailing list archives

More on ACK and Window scanning
From: Fyodor <fyodor () insecure org>
Date: Sun, 26 Mar 2000 15:42:31 -0800 (PST)

For what it is worth, here is a little more information on the ACK and
Window scanning available in the new version of Nmap (technically Window
scan has been there since September when Lamont posted the patch to the
list).  These scan types can actually be pretty useful for testing
firewall configurations.

Here are more details (from the newest man page):

       -sA    ACK  scan:  This advanced method is usually used to
              map out firewall rulesets.  In particular,  it  can
              help  determine  whether  a firewall is stateful or
              just a simple packet filter  that  blocks  incoming
              SYN packets.

              This  scan  type  sends  an ACK packet (with random
              looking acknowledgement/sequence  numbers)  to  the
              ports specified.  If a RST comes back, the ports is
              classified as "unfiltered".  If nothing comes  back
              (or  if  an ICMP unreachable is returned), the port
              is classified as "filtered".  Note that  nmap  usu-
              ally  doesn't  print "unfiltered" ports, so getting
              no ports shown in the output is usually a sign that
              all  the  probes  got  through (and returned RSTs).
              This scan will obviously never show  ports  in  the
              "open" state.

       -sW    Window  scan: This advanced scan is very similar to
              the ACK scan, except that it can  sometimes  detect
              open  ports  as well as filtered/nonfiltered due to
              an anomaly in the TCP window size reporting by some
              operating  systems.   Systems  vulnerable  to  this
              include at least some versions of AIX, Amiga, BeOS,
              BSDI,  Cray,  Tru64  UNIX,  DG/UX, OpenVMS, Digital
              UNIX, FreeBSD, HP-UX, OS/2,  IRIX,  MacOS,  NetBSD,
              OpenBSD,   OpenStep,   QNX,  Rhapsody,  SunOS  4.X,
              Ultrix, VAX, and  VxWorks.   See  the  nmap-hackers
              mailing list archive for a full list.


  By Date           By Thread  

Current thread:
  • More on ACK and Window scanning Fyodor (Mar 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]