Nmap Development mailing list archives

SF, SFP scans?
From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 12:27:11 -0500

Hello, everyone.

I am new to this list.  I use nmap almost every day, but just recently
started looking at the code and I had a (hopefully quick) question.

I would like to modify nmap such that I can do a modified SYN scan where I
have the FIN or PUSH (or even URG, RST, X and Y) bits set.  Stacks all over
the place are accepting packets like SFPUXY to start sessions, and I want to
see if any firewalls which pretend to be stateful will allow these through.

I was able to kind of do this the cheap, cheap, dirty way by modifying
netinet/tcp.h, but that's obviously ugly for lots of reasons and I was
wondering if anyone already has such a patch, or if it's been discussed
before, and where in the code I should start to look if nobody has already
done it.

Ideally, there would be a set of options like hping such that one could
simply specify the bits to be set.

(BTW, changing TH_SYN in tcp.h does let me easily generate SF, or SFP, or
SFPU packets, but of course, due to changing the definition of a SYN,
nmap doesn't seem to be parsing the return packets correctly in all cases,
but for a simple change of TH_SYN to 0x03 (SF) it works pretty well, open
just shows up as filtered.  It's pretty cool just to run it and watch
tcpdump for details).

Thanks in advance.

Joe Pepin
SOC Engineer
Guardent Inc. 

For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
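As an added example (not code from the post, and not Nmap's own scanner code), the following C program does the hping-style part of what is asked for above: it parses a flag string such as "SF", "SFP" or "SFPUXY" (same letters hping uses: S, F, R, P, A, U, X for ECE, Y for CWR), builds a 20-byte TCP header with exactly those bits set, and computes the checksum over an IPv4 pseudo-header so the segment would be accepted by a receiving stack. It also shows how a SYN-scan style reply classifier would read the answer, which is the part Joe saw break when he redefined TH_SYN. The addresses (192.168.0.1 and 192.168.0.2), ports and sequence number are constructed for the demonstration. The program builds and dumps the header but does not send it; putting it on the wire needs a raw socket with IP_HDRINCL and root, which is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* TCP flag bits, the same values as the TH_* macros in <netinet/tcp.h>. */
#define FLAG_FIN 0x01
#define FLAG_SYN 0x02
#define FLAG_RST 0x04
#define FLAG_PSH 0x08
#define FLAG_ACK 0x10
#define FLAG_URG 0x20
#define FLAG_ECE 0x40   /* hping's "X" */
#define FLAG_CWR 0x80   /* hping's "Y" */

/* Minimal 20-byte TCP header, no options, fields in network byte order. */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  off;        /* data offset in 32-bit words, upper 4 bits */
    uint8_t  flags;
    uint16_t win, sum, urp;
};

/* Parse an hping-style flag string ("SFPUXY"); -1 on an unknown letter. */
int parse_flags(const char *spec) {
    int f = 0;
    for (; *spec; spec++) {
        switch (*spec) {
        case 'S': f |= FLAG_SYN; break;
        case 'F': f |= FLAG_FIN; break;
        case 'R': f |= FLAG_RST; break;
        case 'P': f |= FLAG_PSH; break;
        case 'A': f |= FLAG_ACK; break;
        case 'U': f |= FLAG_URG; break;
        case 'X': f |= FLAG_ECE; break;
        case 'Y': f |= FLAG_CWR; break;
        default:  return -1;
        }
    }
    return f;
}

/* Accumulate big-endian 16-bit words into a one's-complement sum. */
static uint32_t sum_words(const uint8_t *p, size_t n, uint32_t acc) {
    while (n > 1) { acc += (uint32_t)((p[0] << 8) | p[1]); p += 2; n -= 2; }
    if (n) acc += (uint32_t)(p[0] << 8);
    return acc;
}

/* TCP checksum over the IPv4 pseudo-header plus the segment (host order result). */
uint16_t tcp_checksum(uint32_t saddr, uint32_t daddr, const uint8_t *seg, size_t len) {
    uint8_t pseudo[12];
    memcpy(pseudo, &saddr, 4);        /* already network byte order */
    memcpy(pseudo + 4, &daddr, 4);
    pseudo[8] = 0; pseudo[9] = 6;     /* zero, IPPROTO_TCP */
    pseudo[10] = (uint8_t)(len >> 8); pseudo[11] = (uint8_t)len;
    uint32_t sum = sum_words(seg, len, sum_words(pseudo, 12, 0));
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill in a probe with the requested flags; returns the flag byte, -1 on a bad spec. */
int build_probe(struct tcp_hdr *h, uint32_t saddr, uint32_t daddr,
                uint16_t sport, uint16_t dport, uint32_t seq, const char *flagspec) {
    int flags = parse_flags(flagspec);
    if (flags < 0) return -1;
    memset(h, 0, sizeof *h);
    h->sport = htons(sport);
    h->dport = htons(dport);
    h->seq   = htonl(seq);
    h->off   = 5 << 4;                /* 5 words = 20 bytes, no options */
    h->flags = (uint8_t)flags;
    h->win   = htons(1024);
    h->sum   = htons(tcp_checksum(saddr, daddr, (const uint8_t *)h, sizeof *h));
    return flags;
}

/* A correctly checksummed segment sums (with its checksum field) to zero. */
int probe_checksum_ok(const struct tcp_hdr *h, uint32_t saddr, uint32_t daddr) {
    return tcp_checksum(saddr, daddr, (const uint8_t *)h, sizeof *h) == 0;
}

/* Read the reply the way a SYN scan does: SYN/ACK means the stack took our
 * flag combination as a connection request (and the firewall passed it),
 * RST means closed, silence means filtered. */
const char *classify_reply(int got_reply, uint8_t reply_flags) {
    if (!got_reply) return "filtered";
    if ((reply_flags & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK)) return "open";
    if (reply_flags & FLAG_RST) return "closed";
    return "unknown";
}

int main(void) {
    const char *specs[] = { "S", "SF", "SFP", "SFPU", "SFPUXY" };
    uint32_t src = htonl(0xC0A80001), dst = htonl(0xC0A80002); /* constructed 192.168.0.1 -> .2 */
    for (size_t i = 0; i < sizeof specs / sizeof *specs; i++) {
        struct tcp_hdr h;
        int flags = build_probe(&h, src, dst, 40000, 80, 0x12345678, specs[i]);
        printf("%-7s flags=0x%02x hdr=", specs[i], flags);
        for (size_t j = 0; j < sizeof h; j++) printf("%02x", ((uint8_t *)&h)[j]);
        printf(" csum_ok=%d\n", probe_checksum_ok(&h, src, dst));
    }
    return 0;
}
```

The flag byte is a plain bitmask, so "SF" comes out as 0x03, which is exactly the value Joe patched TH_SYN to; the difference is that nothing else in the program changes its idea of what a SYN is, so reply parsing keeps working. Whether a given stack answers an SF or SFP probe with SYN/ACK is the behaviour to observe on tcpdump; this code only shows how to build the probe and interpret the answer.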
