Nmap Development mailing list archives

Idle Scanning behind stateful firewalls
From: "Glyn Geoghegan" <nmap () moiler com>
Date: Fri, 26 Mar 2004 20:22:53 +1000

Hi all,

I have a problem with nmap's Idle Scanning.

The probes nmap sends to the Zombie are SYN/ACKs, which AFAIK is a flexible
decision, as the IPIDs increment the same regardless of whether a SYN or a
SYN/ACK is sent.

But, because nmap uses a SYN/ACK, its probes get dropped by any stateful
devices (because they aren't part of an active connection), preventing their
use as zombies.

This prevents using e.g. a web server as a zombie to port-scan the rest of its
network (e.g. behind the firewall).

I'm guessing it sends a SYN/ACK for performance reasons, as that will
solicit a RST rather than a SYN/ACK that nmap must then RST.

Is there a way to change this?  Have I missed an option somewhere?  Or am I
talking gibberish?

Glyn Geoghegan.

For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
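The mechanics the post describes, as an added example that is neither nmap's code nor the poster's: a small Python simulation of idle-scan IPID inference against a zombie whose IP ID counter is global and increments once per packet it sends. It runs the scan twice behind a stateful firewall, once with nmap's usual SYN/ACK probe (dropped, because no tracked connection matches it) and once with a SYN probe to the zombie's permitted port 80, whose SYN/ACK reply the scanner then has to RST, and once with no firewall at all. The hosts, addresses, ports and the firewall model are constructed for the demo, and target-to-zombie traffic is assumed to stay inside the network without crossing the firewall.

```python
# Idle-scan IPID inference, simulated. Added example; not nmap's implementation.
# All hosts, addresses, ports and the firewall model are constructed for the demo.
from dataclasses import dataclass

ATTACKER = "203.0.113.7"        # constructed scanner address


@dataclass
class Host:
    addr: str
    open_ports: set
    ipid: int = 1000            # global IP ID counter, +1 per packet sent (classic zombie)

    def _emit(self):
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def handle(self, flags, dport):
        """Reply to an inbound TCP segment as (flags, ipid), or None if the host stays silent."""
        if flags == "SA":       # unsolicited SYN/ACK -> RST, whatever the port state
            return ("R", self._emit())
        if flags == "S":        # SYN -> SYN/ACK if the port is open, RST if closed
            return ("SA", self._emit()) if dport in self.open_ports else ("R", self._emit())
        return None             # a RST (and anything else) is ignored: no packet, no IPID step


class NoFirewall:
    """Zombie directly reachable: every probe gets through."""
    def __init__(self, inside):
        self.inside = inside

    def inbound(self, src, flags, dport):
        return self.inside.handle(flags, dport)


class StatefulFirewall:
    """Drops inbound segments that do not belong to a connection it has seen start."""
    def __init__(self, inside, allowed_ports):
        self.inside, self.allowed = inside, allowed_ports
        self.state = set()      # tracked (outside_addr, inside_port) pairs

    def inbound(self, src, flags, dport):
        key = (src, dport)
        if flags == "S" and dport in self.allowed:
            self.state.add(key)                 # new connection from outside: track it
            return self.inside.handle(flags, dport)
        if key in self.state:                   # part of a tracked connection: pass it
            reply = self.inside.handle(flags, dport)
            if flags == "R":
                self.state.discard(key)
            return reply
        return None                             # no state: dropped (a SYN/ACK probe lands here)


def probe_ipid(fw, flags, dport):
    """Read the zombie's current IPID with one probe; None if the probe was dropped."""
    reply = fw.inbound(ATTACKER, flags, dport)
    if reply is None:
        return None
    if reply[0] == "SA":                        # a SYN probe leaves a half-open connection,
        fw.inbound(ATTACKER, "R", dport)        # so the scanner must RST it (the extra packet)
    return reply[1]


def idle_scan(zombie, fw, target, port, probe_flags="SA", probe_port=80):
    """Classify target:port via the zombie's IPID delta: 2 -> open, 1 -> closed|filtered."""
    before = probe_ipid(fw, probe_flags, probe_port)
    if before is None:
        return "zombie unusable: probe dropped"
    # Spoofed SYN to the target with the zombie's address as source.
    # Assumption: target -> zombie traffic stays inside the network, not via the firewall.
    resp = target.handle("S", port)
    if resp is not None:
        zombie.handle(resp[0], port)            # SYN/ACK provokes a RST (IPID +1); a RST is ignored
    after = probe_ipid(fw, probe_flags, probe_port)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return f"inconclusive (delta {delta})"


if __name__ == "__main__":
    zombie = Host("10.0.0.5", {80})             # web server used as zombie
    target = Host("10.0.0.9", {22})             # another host on its network
    fw = StatefulFirewall(zombie, {80})
    print("SYN/ACK probe via firewall:", idle_scan(zombie, fw, target, 22, "SA"))
    print("SYN probe via firewall:    ", idle_scan(zombie, fw, target, 22, "S"))
    print("SYN probe, port 23:        ", idle_scan(zombie, fw, target, 23, "S"))
    print("SYN/ACK probe, no firewall:", idle_scan(zombie, NoFirewall(zombie), target, 22, "SA"))
```

The SYN-probe variant costs one extra packet per IPID read (the RST that tears down the half-open connection), which is the performance trade-off the post guesses at; the simulation also shows why a RST-based teardown is safe for the inference, since the zombie sends nothing in response to a RST and its counter does not move.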
