Nmap Development
mailing list archives
NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
From: Sébastien CONTRERAS <contrera () EIG UNIGE CH>
Date: Fri, 07 Jan 2005 10:04:51 +0100
Hi
When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with
NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the options (-sS or -sT).
1/ When the command line is : nmap.exe -sS -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp closed profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
2/ When the command line is : nmap.exe -sT -p 135-136 -P0 192.168.254.10
The output is :
Port State Service
135/tcp open msrpc
136/tcp filtered profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
If we look at the packets corresponding to port 136, the packet sequence is always (regardless of whether I use the -sS or -sT
option):
A > B [SYN]
B < A [RST, ACK]
So my question is :
Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/, whereas the packets generated are the same?
Is this a bug? Or am I forgetting something?
Thanks for your responses..
SC