Nmap Development: Re: SF, SFP scans?

Re: SF, SFP scans?

From: Fyodor <fyodor_at_insecure.org>
Date: Wed, 30 Oct 2002 10:15:33 -0800

On Wed, Oct 30, 2002 at 12:27:11PM -0500, joe.pepin_at_guardent.com wrote:

> I would like to modify nmap such that I can do a modified SYN scan where I
> have the FIN or PUSH (or even URG, RST, X and Y) bits set. Stacks all over
> the place are accepting packets like SFPUXY to start sessions, and I want to
> see if any firewalls which pretend to be stateful will allow these through.
>
> I was able to kind-of do this the cheap, cheap, dirty way by modifying
> netinet/tcp.h, but that's obviously ugly for lots of reasons and I
> was

Dear lord, that is ugly :). But I agree that specifying arbitrary
flag values can be useful. It may not be documented, but recent
versions of Nmap have a 'scanflags' option for doing this. For
example, you can do a SYN|FIN scan as follows:

felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp filtered ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 2.288 seconds

Only the "normal" flag names are supported, but you can provide a
numerical argument to get at "X" and "Y".

The way Linux reacts to SYN|FIN packets, it is really more of a FIN
scan. So better results come from treating it that way:

felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 1.594 seconds

Cheers,
Fyodor

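As an added example (not code from the post or from Nmap itself): a small Python tool that converts a --scanflags style spec into the TCP flag byte, builds constructed sample TCP headers carrying it, and classifies each flag combination the way a stateful firewall should treat a packet with no existing session, so the SYN|FIN case above is reported as invalid. Treating the two high bits as the ECN bits ECE/CWR for the "X" and "Y" flags mentioned is my assumption; all sample headers are constructed here.

```python
import struct

# TCP flag bits: RFC 793 names plus the two ECN bits (RFC 3168), which the
# post refers to as "X" and "Y" (assumption: X/Y = ECE/CWR).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
SCANFLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # names --scanflags accepts

def parse_scanflags(spec):
    """Convert a --scanflags style spec (flag names mashed together, e.g. 'SYNFIN',
    or a decimal number for bits that have no name) into the 8-bit flag value."""
    if spec.isdigit():
        value = int(spec)
        if value > 0xFF:
            raise ValueError("flag value does not fit in 8 bits")
        return value
    value = 0
    for name in SCANFLAG_NAMES:
        if name in spec.upper():
            value |= FLAGS[name]
    if value == 0:
        raise ValueError(f"no recognised flag names in {spec!r}")
    return value

def flag_names(value):
    """Human-readable names for a flag byte, in header bit order."""
    return [name for name, bit in FLAGS.items() if value & bit]

def classify(value):
    """Defender's view of a flag byte on a packet with no matching session:
    only a bare SYN (ECN bits ignored) is a legitimate connection attempt."""
    core = value & 0x3F                      # drop ECE/CWR for the decision
    if core == FLAGS["SYN"]:
        return "valid session opener"
    if core & FLAGS["SYN"] and core & (FLAGS["FIN"] | FLAGS["RST"]):
        return "invalid: SYN combined with FIN or RST"
    if core == 0:
        return "anomalous: NULL packet"
    if not core & FLAGS["ACK"] and not core & FLAGS["RST"]:
        return "anomalous: no ACK on a non-SYN packet (FIN/Xmas style)"
    return "out-of-state: mid-stream flags with no matching session"

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample, checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def inspect(header):
    """Read the flag byte (offset 13) from a raw TCP header and classify it."""
    flags = header[13]
    return flag_names(flags), classify(flags)
```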
Received on Oct 30 2002
