Nmap Development: Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Nmap Development mailing list archives

Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?

From: Adam Jacob Muller <adam () gotlinux us>
Date: Fri, 7 Jan 2005 06:07:14 -0500

That's a side affect of the fact that -sS is a syn half-open scan

So it basically can't tell the difference between a filtered and aclosed port.I won't pretend to know more than that, since I'm sure someone on thislist knows exactly why this happens the way it does and can fill you inif you want to know..Suffice it to say, this is the expected behavior and conforms to TCPnorms.


Adam


On Jan 7, 2005, at 4:04 AM, Sébastien CONTRERAS wrote:

Hi
When scanning machine B (IP=192.168.254.10, no firewall on thismachine and no application listening on port 136) with NMAP (NMAP onmachine A), NMAP gives me two different output depending on theoptions (-sS or -sT).
1/ When the command line is : nmap.exe -sS -p 135-136 -P0192.168.254.10
The output is :
Port          State      Service
135/tcp      open      msrpc
136/tcp      closed    profile

I made a dump of packet generated by NMAP with Ethereal
No Source Destination ProtocolInfo1 192.168.254.2 192.168.254.10 TCP3501 > 135 [SYN]2 192.168.254.10 192.168.254.2 TCP135 > 3501 [SYN, ACK]3 192.168.254.2 192.168.254.10 TCP3501 > 135 [RST]4 192.168.254.2 192.168.254.10 TCP3501 > 136 [SYN]5 192.168.254.10 192.168.254.2 TCP136 > 3501 [RST, ACK]
2/ When the command line is : nmap.exe -sT -p 135-136 -P0192.168.254.10
The output is :
Port           State      Service
135/tcp      open       msrpc
136/tcp      filtered     profile

I made a dump of packet generated by NMAP with Ethereal
No     Source               Destination             Protocol     Info
1 192.168.254.2 192.168.254.10 TCP 4101 > 136[SYN]2 192.168.254.10 192.168.254.2 TCP 136 >4101 [RST, ACK]3 192.168.254.2 192.168.254.10 TCP 4102 > 135[SYN]4 192.168.254.10 192.168.254.2 TCP 135 >4102 [SYN, ACK]5 192.168.254.2 192.168.254.10 TCP 4102 > 135[ACK]6 192.168.254.2 192.168.254.10 TCP 4102 > 135[RST, ACK]7 192.168.254.2 192.168.254.10 TCP 4103 > 136[SYN]8 192.168.254.10 192.168.254.2 TCP 136 >4103 [RST, ACK]
If we look at packets corresponding to port 136, the packet sequenceis always (independently I use the -sS or -sT options) :
 A > B [SYN]
 B < A [RST, ACK]

So my question is :
Why NMAP say that port 136 is closed in case 1/, and filtered in case2/ whereas the packet generated are the same ?
Is this a bug ? or do I forget something ?

Thanks for your responses..

SC




!DSPAM:41de50c716461870385720!



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org

By Date By Thread

Current thread:

NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 07)
- Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Adam Jacob Muller (Jan 07)
  - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Richard Moore (Jan 07)
    - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
- Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Martin Mačok (Jan 07)
  - Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? Sébastien CONTRERAS (Jan 07)