Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

nmap-dev logo Nmap Development mailing list archives

Re: SF, SFP scans?
From: Fyodor <fyodor () insecure org>
Date: Wed, 30 Oct 2002 10:15:33 -0800
On Wed, Oct 30, 2002 at 12:27:11PM -0500, joe.pepin () guardent com wrote:


I would like to modify nmap such that I can do a modified SYN scan where I
have the FIN or PUSH (or even URG, RST, X and Y) bits set.  Stacks all over
the place are accepting packets like SFPUXY to start sessions, and I want to
see if any firewalls which pretend to be stateful will allow these through.

I was able to kind-of do this the cheap, cheap, dirty way by modifying
netinet/tcp.h, but that's obviously ugly for lots of reasons and I
was


Dear lord, that is ugly :).  But I agree that specifying arbitrary
flag values can be useful.  It may not be documented, but recent
versions of Nmap have a 'scanflags' options for doing this.  For
example, you can do a SYN|FIN scan as follows:

felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     filtered    ssh                     

Nmap run completed -- 1 IP address (1 host up) scanned in 2.288 seconds

Only the "normal" flag names are supported, but you can provide a
numerical argument to get at "X" and "Y".

The way Linux reacts to SYN|FIN packets, it is really more of a FIN
scan.  So better results come from treating it that way:

felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on db.yuma.net (192.168.0.4):
(The 5 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     

Nmap run completed -- 1 IP address (1 host up) scanned in 1.594 seconds

Cheers,
Fyodor

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]