Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

nmap-dev logo Nmap Development mailing list archives

RE: SF, SFP scans?
From: joe.pepin () guardent com
Date: Wed, 30 Oct 2002 14:11:52 -0500
Thanks!

While the -sF works better against Linux, -sS works better (quicker) against
Windows (and therefor probably BSD as well ;)

Windows will happily send a SYNACK to an 0xEB.

/joe
.



 -----Original Message-----
 From: Fyodor [mailto:fyodor () insecure org]
 Sent: Wednesday, October 30, 2002 1:16 PM
 To: Joe Pepin
 Cc: nmap-dev () insecure org
 Subject: Re: SF, SFP scans?
 
 
 On Wed, Oct 30, 2002 at 12:27:11PM -0500, 
 joe.pepin () guardent com wrote:
 
 > I would like to modify nmap such that I can do a modified 
 SYN scan where I
 > have the FIN or PUSH (or even URG, RST, X and Y) bits set. 
  Stacks all over
 > the place are accepting packets like SFPUXY to start 
 sessions, and I want to
 > see if any firewalls which pretend to be stateful will 
 allow these through.
 > 
 > I was able to kind-of do this the cheap, cheap, dirty way 
 by modifying
 > netinet/tcp.h, but that's obviously ugly for lots of reasons and I
 > was
 
 Dear lord, that is ugly :).  But I agree that specifying arbitrary
 flag values can be useful.  It may not be documented, but recent
 versions of Nmap have a 'scanflags' options for doing this.  For
 example, you can do a SYN|FIN scan as follows:
 
 felix/home/fyodor#nmap -sS --scanflags SINFIN -p20-25 db
 
 Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
 Interesting ports on db.yuma.net (192.168.0.4):
 (The 5 ports scanned but not shown below are in state: closed)
 Port       State       Service
 22/tcp     filtered    ssh                     
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 
 2.288 seconds
 
 Only the "normal" flag names are supported, but you can provide a
 numerical argument to get at "X" and "Y".
 
 The way Linux reacts to SYN|FIN packets, it is really more of a FIN
 scan.  So better results come from treating it that way:
 
 felix/home/fyodor#nmap -sF --scanflags SINFIN -p20-25 db
 
 Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
 Interesting ports on db.yuma.net (192.168.0.4):
 (The 5 ports scanned but not shown below are in state: closed)
 Port       State       Service
 22/tcp     open        ssh                     
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 
 1.594 seconds
 
 Cheers,
 Fyodor
 


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]