Thanks!
While the -sF works better against Linux, -sS works better (quicker) against
Windows (and therefore probably BSD as well ;)
Windows will happily send a SYNACK to an 0xEB.
/joe
> -----Original Message-----
> From: Fyodor [mailto:fyodor_at_insecure.org]
> Sent: Wednesday, October 30, 2002 1:16 PM
> To: Joe Pepin
> Cc: nmap-dev_at_insecure.org
> Subject: Re: SF, SFP scans?
>
>
> On Wed, Oct 30, 2002 at 12:27:11PM -0500, joe.pepin_at_guardent.com wrote:
>
> > I would like to modify nmap such that I can do a modified SYN scan where I
> > have the FIN or PUSH (or even URG, RST, X and Y) bits set. Stacks all over
> > the place are accepting packets like SFPUXY to start sessions, and I want to
> > see if any firewalls which pretend to be stateful will allow these through.
> >
> > I was able to kind-of do this the cheap, cheap, dirty way by modifying
> > netinet/tcp.h, but that's obviously ugly for lots of reasons and I was
>
> Dear lord, that is ugly :). But I agree that specifying arbitrary
> flag values can be useful. It may not be documented, but recent
> versions of Nmap have a 'scanflags' option for doing this. For
> example, you can do a SYN|FIN scan as follows:
>
> felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db
>
> Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
> Interesting ports on db.yuma.net (192.168.0.4):
> (The 5 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     filtered    ssh
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 2.288 seconds
>
> Only the "normal" flag names are supported, but you can provide a
> numerical argument to get at "X" and "Y".
>
> The way Linux reacts to SYN|FIN packets, it is really more of a FIN
> scan. So better results come from treating it that way:
>
> felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db
>
> Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
> Interesting ports on db.yuma.net (192.168.0.4):
> (The 5 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1.594 seconds
>
> Cheers,
> Fyodor
>
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Oct 30 2002
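Added example (not part of the thread and not Nmap's own code): the thread talks about TCP flag combinations in three notations at once, Nmap's concatenated names ("SINFIN" as typed above, "SYNFIN" as the names are spelled), Joe's one-letter form ("SFPUXY"), and a raw byte value ("0xEB", which is the numeric argument Fyodor says --scanflags accepts to reach the X and Y bits). The script below converts between them, flags the combinations a genuinely stateful firewall has no reason to pass (SYN together with FIN or RST, or no flags at all), and builds a 20-byte TCP header with a valid checksum so you can see exactly which wire byte --scanflags is setting. The strict spec parser is my own assumption and is deliberately less forgiving than Nmap's parsing of flag names; the IP addresses and ports are constructed sample input.

```python
"""Convert TCP flag specs (names, letters, numbers) and place them in a header.

Added example for the nmap-dev thread above; not Nmap's own code. The strict
spec parser is an assumption of this example (Nmap's own name parsing may
differ), and the addresses/ports used below are constructed sample input.
"""
import socket
import struct

# Flag name -> bit in the TCP header's flags byte (byte 13 of the header).
# ECE and CWR are the two bits the thread calls "X" and "Y".
TCP_FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
# One-letter notation used in the thread ("SFPUXY").
LETTER_BITS = {"Y": 0x80, "X": 0x40, "U": 0x20, "A": 0x10,
               "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def flags_from_spec(spec: str) -> int:
    """Return the numeric flags byte for a spec.

    Accepts a number ("0xEB" or "235"), concatenated nmap names ("SYNFIN",
    "URGPSHFIN") or the one-letter form ("SFPUXY"). Anything else, for
    example the typo "SINFIN", raises ValueError rather than dropping bits.
    """
    s = spec.strip().upper()
    try:
        value = int(s, 0)            # "0xEB" and "235" both parse here
    except ValueError:
        value = None
    if value is not None:
        if not 0 <= value <= 0xFF:
            raise ValueError(f"flags value out of range: {spec}")
        return value
    if s and len(s) % 3 == 0:        # concatenated three-letter names
        chunks = [s[i:i + 3] for i in range(0, len(s), 3)]
        if all(c in TCP_FLAG_BITS for c in chunks):
            flags = 0
            for c in chunks:
                flags |= TCP_FLAG_BITS[c]
            return flags
    if s and all(ch in LETTER_BITS for ch in s):   # one-letter form
        flags = 0
        for ch in s:
            flags |= LETTER_BITS[ch]
        return flags
    raise ValueError(f"unrecognised flag spec: {spec}")


def flags_to_names(flags: int) -> str:
    """Render a flags byte as 'CWR|ECE|...|FIN' (high bit first)."""
    names = [n for n, bit in TCP_FLAG_BITS.items() if flags & bit]
    return "|".join(names) if names else "none"


def is_bogus_combination(flags: int) -> bool:
    """SYN with FIN or RST, or no flags at all: combinations no real
    connection setup uses, so a stateful firewall should drop them."""
    syn, fin, rst = flags & 0x02, flags & 0x01, flags & 0x04
    return (flags & 0x3F) == 0 or bool(syn and (fin or rst))


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                 # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options, no payload) with an arbitrary flags
    byte and a correct checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4,          # data offset = 5 words, reserved bits 0
                      flags & 0xFF,    # this is byte 13 of the header
                      window, 0, 0)    # checksum placeholder, urgent pointer
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def header_flags(segment: bytes) -> int:
    """Flags byte at offset 13, the byte tcpdump's tcp[13] / tcp[tcpflags] reads."""
    return segment[13]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total in (0x0000, 0xFFFF)


if __name__ == "__main__":
    # Constructed sample input: scanner 192.168.0.1 probing "db" (192.168.0.4) port 22.
    for spec in ("SYNFIN", "SFPUXY", "0xEB", "URGPSHFIN"):
        f = flags_from_spec(spec)
        print(f"{spec:10} -> 0x{f:02X} {flags_to_names(f):28} bogus={is_bogus_combination(f)}")
    seg = build_tcp_header("192.168.0.1", "192.168.0.4", 40000, 22, flags_from_spec("SFPUXY"))
    print("flags byte:", hex(header_flags(seg)), "checksum ok:", checksum_ok("192.168.0.1", "192.168.0.4", seg))
```

Since the flags land in byte 13 of the header, the corresponding check on the far side of the firewall under test is a capture filter on that byte, e.g. `tcpdump -ni eth0 'tcp[13] & 0x03 == 0x03'` matches every segment carrying both SYN and FIN whatever the other bits are, which tells you directly whether an SFPUXY-style probe got through. Note that the parser rejects "SINFIN" outright; when a command-line typo silently sets fewer bits than intended, the resulting scan can look like a plain FIN scan, so it is worth confirming the byte on the wire rather than trusting the spelling.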