Hello, everyone.
I am new to this list. I use nmap almost every day, but just recently
started looking at the code and I had a (hopefully quick) question.
I would like to modify nmap such that I can do a modified SYN scan where I
have the FIN or PUSH (or even URG, RST, X and Y) bits set. Stacks all over
the place are accepting packets like SFPUXY to start sessions, and I want to
see if any firewalls which pretend to be stateful will allow these through.
I was able to kind of do this the cheap, cheap, dirty way by modifying
netinet/tcp.h, but that's obviously ugly for lots of reasons, and I was
wondering if anyone already has such a patch, or if it's been discussed
before, and where in the code I should start to look if nobody has already
done it.
Ideally, there would be a set of options like hping such that one could
simply specify the bits to be set.
(BTW, changing TH_SYN in tcp.h does let me easily generate SF, or SFP, or
SFPU packets, but of course, due to changing the definition of a SYN,
nmap doesn't seem to be parsing the return packets correctly in all cases;
for a simple change of TH_SYN to 0x03 (SF) it works pretty well, and open
just shows up as filtered. It's pretty cool just to run it and watch
tcpdump for details.)
Thanks in advance.
/joe
--------------------
Joe Pepin
SOC Engineer
Guardent Inc.
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Oct 30 2002
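The post asks whether devices that claim to be stateful will forward session openers carrying extra flags such as FIN, PUSH, URG, ECE ("X") and CWR ("Y") alongside SYN. On the receiving or inspecting side the check is small: read the flags byte at offset 13 of the TCP header and refuse to treat anything other than a plain SYN as a session opener (ECE and CWR on a SYN are legitimate ECN negotiation under RFC 3168 and are not treated as anomalous here). The C program below is an added example written for this page, not code from nmap or from the poster; it redefines the TH_* constants from netinet/tcp.h so it builds without the system header, and the sample headers (source port 12345 to destination port 80, a constructed pair) exist only to exercise the classifier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bit values as defined in netinet/tcp.h (TH_FIN .. TH_CWR); redefined
 * here so the example compiles stand-alone. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* "X" in the letter notation used on the list */
#define TH_CWR  0x80   /* "Y" in that notation */

#define TCP_MIN_HDR_LEN  20
#define TCP_FLAGS_OFFSET 13

typedef enum {
    TCP_TRUNCATED,      /* buffer too short to hold a 20-byte TCP header */
    TCP_NORMAL_SYN,     /* plain SYN (optionally ECE+CWR): a valid opener */
    TCP_ANOMALOUS_SYN,  /* SYN combined with FIN/RST/PSH/URG: not a valid opener */
    TCP_SYN_ACK,        /* second handshake step, not an opener */
    TCP_NOT_OPENER      /* no SYN: mid-session segment or stray packet */
} tcp_verdict;

/* Extract the flags byte from a raw TCP header; -1 if the buffer is too short. */
int tcp_flags(const uint8_t *hdr, size_t len) {
    if (hdr == NULL || len < TCP_MIN_HDR_LEN) return -1;
    return hdr[TCP_FLAGS_OFFSET];
}

/* Render flags as letters in the order S F R P A U X Y, so 0x03 -> "SF" and
 * 0xEB -> "SFPUXY". Uses a static buffer, so the result is valid until the
 * next call. */
const char *tcp_flags_letters(int flags) {
    static char buf[9];
    static const struct { int bit; char letter; } table[] = {
        { TH_SYN, 'S' }, { TH_FIN, 'F' }, { TH_RST, 'R' }, { TH_PUSH, 'P' },
        { TH_ACK, 'A' }, { TH_URG, 'U' }, { TH_ECE, 'X' }, { TH_CWR, 'Y' },
    };
    size_t n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (flags > 0 && (flags & table[i].bit)) buf[n++] = table[i].letter;
    buf[n] = '\0';
    return buf;
}

/* Decide whether a flags value may open a session. Anything that carries SYN
 * together with FIN, RST, PSH or URG is rejected: a stateful device has no
 * reason to create a flow for it. */
tcp_verdict classify_flags(int flags) {
    if (flags < 0) return TCP_TRUNCATED;
    if (!(flags & TH_SYN)) return TCP_NOT_OPENER;
    if (flags & (TH_FIN | TH_RST | TH_PUSH | TH_URG)) return TCP_ANOMALOUS_SYN;
    if (flags & TH_ACK) return TCP_SYN_ACK;
    return TCP_NORMAL_SYN;   /* ECE/CWR alone are ECN setup (RFC 3168) */
}

tcp_verdict classify_header(const uint8_t *hdr, size_t len) {
    return classify_flags(tcp_flags(hdr, len));
}

const char *tcp_verdict_name(tcp_verdict v) {
    switch (v) {
    case TCP_TRUNCATED:     return "truncated";
    case TCP_NORMAL_SYN:    return "normal SYN (accept)";
    case TCP_ANOMALOUS_SYN: return "anomalous SYN (drop)";
    case TCP_SYN_ACK:       return "SYN/ACK (handshake reply)";
    default:                return "not an opener";
    }
}

/* Constructed sample headers: sport 12345, dport 80, seq/ack 0, data offset 5,
 * window 1024, checksum 0. Only the flags byte (index 13) differs. */
static const uint8_t SAMPLE_SYN[20]     = {0x30,0x39,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0x02,0x04,0x00,0,0,0,0};
static const uint8_t SAMPLE_SF[20]      = {0x30,0x39,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0x03,0x04,0x00,0,0,0,0};
static const uint8_t SAMPLE_SFPU[20]    = {0x30,0x39,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0x2B,0x04,0x00,0,0,0,0};
static const uint8_t SAMPLE_SFPUXY[20]  = {0x30,0x39,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0xEB,0x04,0x00,0,0,0,0};
static const uint8_t SAMPLE_SYN_ACK[20] = {0x30,0x39,0x00,0x50,0,0,0,0,0,0,0,0,0x50,0x12,0x04,0x00,0,0,0,0};
static const uint8_t SAMPLE_SHORT[10]   = {0x30,0x39,0x00,0x50,0,0,0,0,0,0};

int main(void) {
    const struct { const char *name; const uint8_t *hdr; size_t len; } samples[] = {
        { "SYN",     SAMPLE_SYN,     sizeof SAMPLE_SYN },
        { "SF",      SAMPLE_SF,      sizeof SAMPLE_SF },
        { "SFPU",    SAMPLE_SFPU,    sizeof SAMPLE_SFPU },
        { "SFPUXY",  SAMPLE_SFPUXY,  sizeof SAMPLE_SFPUXY },
        { "SYN/ACK", SAMPLE_SYN_ACK, sizeof SAMPLE_SYN_ACK },
        { "short",   SAMPLE_SHORT,   sizeof SAMPLE_SHORT },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = tcp_flags(samples[i].hdr, samples[i].len);
        printf("%-8s flags=0x%02x [%-6s] -> %s\n", samples[i].name, f < 0 ? 0 : f,
               tcp_flags_letters(f), tcp_verdict_name(classify_flags(f)));
    }
    return 0;
}
```

The same flags-byte test is what a packet filter or an IDS rule applies before creating state: the poster's SF, SFP and SFPU openers all land in the "anomalous SYN" bucket, while a SYN with only ECE and CWR added (ECN setup) is still accepted, so the check does not break legitimate ECN-capable clients.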